Description

Ingress annotations are inherently specific to the ingress controller software in use (and we're planning to migrate controllers in the near term), and at least with ingress-nginx have a history of enabling various security issues. For those reasons I'd like to make ingress-admission block ingress annotations by default and allowlist specific useful annotations if those are requested.
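As an added example (not the ingress-admission project's own code), a deny-by-default annotation check of the kind the description asks for: every annotation key on a submitted Ingress must appear on an explicit allowlist, and any other key is reported so the admission webhook can reject the object with a message naming it. The allowlist entries and the sample Ingress annotations are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// allowedAnnotations is a constructed allowlist standing in for whatever the
// Toolforge admins decide to permit. Any key not listed here is rejected, so
// each addition is a deliberate review of what that annotation makes the
// ingress controller do.
var allowedAnnotations = map[string]bool{
	"kubernetes.io/ingress.class":                 true,
	"nginx.ingress.kubernetes.io/proxy-body-size": true,
}

// ValidateAnnotations applies the deny-by-default model: it returns the sorted
// keys that are not on the allowlist. An empty result means the Ingress is admitted.
func ValidateAnnotations(annotations map[string]string, allowed map[string]bool) []string {
	var denied []string
	for key := range annotations {
		if !allowed[key] {
			denied = append(denied, key)
		}
	}
	sort.Strings(denied) // stable ordering for the admission response message
	return denied
}

// DenialMessage builds the reason string returned in the admission review
// response, naming every key the user must remove.
func DenialMessage(denied []string) string {
	if len(denied) == 0 {
		return ""
	}
	return "ingress annotations not permitted: " + strings.Join(denied, ", ")
}

func main() {
	// Constructed annotations as they might appear on a submitted Ingress.
	submitted := map[string]string{
		"kubernetes.io/ingress.class":                       "nginx",
		"nginx.ingress.kubernetes.io/configuration-snippet": "add_header X-Example yes;",
		"nginx.ingress.kubernetes.io/proxy-body-size":       "8m",
	}
	fmt.Println(DenialMessage(ValidateAnnotations(submitted, allowedAnnotations)))
}
```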
| Status | Subtype | Assigned | Task |
|---|---|---|---|
| Open | | None | T392356 Replace ingress-nginx before upstream EOL date |
| Resolved | | taavi | T415192 Move ingress annotations to an allowlist model |
| Open | | None | T414674 Remove remaining uses of ingress-nginx specific annotations |
| In Progress | Feature | bd808 | T414836 Create a reusable container to replace nginx ingress anonymizing reverse proxy setups |
Event Timeline
taavi opened https://gitlab.wikimedia.org/repos/cloud/toolforge/ingress-admission/-/merge_requests/35
server: Allowlist permitted annotations
taavi merged https://gitlab.wikimedia.org/repos/cloud/toolforge/ingress-admission/-/merge_requests/35
server: Allowlist permitted annotations
group_203_bot_f4d95069bb2675e4ce1fff090c1c1620 opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/1117
ingress-admission: bump to 0.0.77-20260128152724-d2dfd2a6
taavi merged https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/1117
ingress-admission: bump to 0.0.77-20260128152724-d2dfd2a6