Update default backend to add TLS >=1.2 support #9166
Welcome @JJotah!
Hi @JJotah. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Thanks for the PR. See comments for some suggestions.
Hi @bmv126
2.- The issue is when you have a certificate in your load balancer (for example AWS) and defaultBackend automatically enables TLS with the default policy created.
3.- We can use the custom error pages Dockerfile for the moment in the values.
@JJotah, does this mean that this change is only relevant for TLS termination in the LB instead of TLS termination in the controller?
On Thu, Oct 20, 2022 at 10:03 PM Juan José Ruiz Romero < ***@***.***> wrote:
@JJotah <https://github.com/JJotah> I have a few queries on the package:
1. Why is the /healthz path being removed? Will it not cause a breaking change?
https://kubernetes.github.io/ingress-nginx/user-guide/default-backend/
2. Also I do not see ssl being set in the listen directive in default.conf. How will it resolve the TLS >= 1.2 issue?
https://github.com/kubernetes/ingress-nginx/pull/9166/files#diff-86820e49f1b0e9f1c20d6f68cef87b3692f7957e44874b5fc064c5a9c8683762R5
3. What about custom-error via the default backend? Is it still supported?
https://github.com/kubernetes/ingress-nginx/tree/main/images/custom-error-pages
Hi @bmv126 <https://github.com/bmv126>
1.- We don't need to pass healthz because healthz is on port 80.
2.- The issue is when you have a certificate in your load balancer (for example AWS) and defaultBackend automatically enables TLS with the default policy created.
3.- We can use the custom error pages Dockerfile for the moment in the values.
--
Long Wu Yuan
Hi @longwuyuan. Second, sure: when you create a new ingress controller and you didn't specify the policy in the LB, it automatically creates the default one on 443 (I only tested in AWS) and uses TLS 1.0 and TLS 1.1, which is a security issue.
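An added example, not the PR's own default.conf, of the shape the question about the listen directive above points at: nginx only speaks TLS when `ssl` is on the `listen` directive, and `ssl_protocols` is what refuses TLS 1.0/1.1 handshakes, while the plaintext health check stays on the non-TLS port. The ports and certificate mount paths are assumptions.

```nginx
# Added example for a minimal default backend: plaintext health check
# on one port, TLS 1.2+ only on the other. Not the project's config.

server {
    listen 8080;                      # assumed plaintext port
    server_name _;

    # health check stays reachable without TLS
    location /healthz {
        return 200 "ok\n";
    }

    # everything else is the default backend's 404
    location / {
        return 404;
    }
}

server {
    listen 8443 ssl;                  # "ssl" here is what actually enables TLS
    server_name _;

    ssl_certificate     /etc/nginx/tls/tls.crt;   # assumed mount path
    ssl_certificate_key /etc/nginx/tls/tls.key;   # assumed mount path

    ssl_protocols TLSv1.2 TLSv1.3;    # TLS 1.0 and 1.1 handshakes are rejected
    ssl_prefer_server_ciphers on;

    location / {
        return 404;
    }
}
```

With this in place, a client forced to TLS 1.0 or 1.1 fails the handshake on 8443 instead of getting a 404 page, which is the behaviour the linked issue is about.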
| defaultBackend.image.runAsNonRoot | bool | `true` | | | ||
| defaultBackend.image.runAsUser | int | `65534` | | | ||
| defaultBackend.image.tag | string | `"1.5"` | | | ||
| defaultBackend.image.tag | string | `"1.19.10-alpine"` | | |
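Review bot: the README table now lists `defaultBackend.image.tag` twice, once as `"1.5"` and once as `"1.19.10-alpine"`; the old defaultbackend row should be removed rather than left beside the new one, and the value should match whichever nginx image is finally chosen below.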
Can we use the latest nginx version?
registry: registry.k8s.io | ||
image: defaultbackend-amd64 | ||
repository: nginx | ||
tag: 1.19.10-alpine |
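Review bot: this values block mixes the old `registry: registry.k8s.io` / `image: defaultbackend-amd64` keys with the new `repository: nginx` / `tag: 1.19.10-alpine` ones; confirm the stale keys are removed (or the registry updated to match) so the chart builds one consistent image reference, and pin the tag to a current nginx release as requested in the review.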
Same here, let's use the latest nginx version (not :latest, but 1.22 etc.).
Let's go ahead and use
cgr.dev/chainguard/nginx:1.23.1@sha256:310f9a01fc3e7a9410ae7ea1d9cac5add66d3f95d081efa6693a829e1b6aaa70
@strongjz what if we use https://github.com/chainguard-images/nginx ? I would love to use distroless here instead of some alpine image :)
/kind feature
Ok agree, let me work on it.
@JJotah let me know on this :)
@JJotah: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Please rebase and fix the merge conflicts.
Do not merge. I'd rather have this stuff in the image than wrapped in the chart.
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: JJotah The full list of commands accepted by this bot can be found here.
We can make the default backend image safe by default. I would not implement the whole TLS stuff in the chart. This is not useful, and a lot of this stuff, like the default 404 response, belongs in the image IMHO.
Ok. So are you going to use the $ROOT/images/custom-error-pages itself as the default-backend, or are you going to create a new image?
Actually I wasn't even aware the default backend is using TLS. I mean, it only serves a 404 and plain text. No user data should be transferred to it, so why should it serve TLS after all?
I am confused on that as well. Need to think through the workflow to answer your question. But one factor to note here is that this user is talking about a response from enabling default-backend, when the termination of TLS on an NLB
What this PR does / why we need it:
Security issue with TLS < 1.2 https://github.com//issues/9155
Types of changes
Which issue/s this PR fixes
#9155