From e7c70d6169ca04e7a3f08cc2d5b21ea571019b68 Mon Sep 17 00:00:00 2001
From: Farshad Asadpour
Date: Tue, 25 Mar 2025 19:40:38 +0330
Subject: [PATCH] fix(ingress-nginx): Upgrade ingress-nginx to v1.12.1 and webhook certgen image to v1.5.2 (#12075)

This commit upgrades ingress-nginx to version v1.12.1, addressing multiple critical vulnerabilities including CVE-2025-1974, CVE-2025-1097, CVE-2025-1098, CVE-2025-24513, and CVE-2025-24514 as detailed in the ingress-nginx release notes: https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.12.1 Important Notes: - Fixing CVE-2025-1974 required disabling validation of the generated NGINX configuration during validation of Ingress resources. Invalid Ingress resources may stop the NGINX configuration from being updated. - Recommended mitigations include enabling annotation validation and disabling snippet annotations. Alongside this upgrade, the `ingress_nginx_kube_webhook_certgen_image_tag` has been updated to v1.5.2 for compatibility, based on: https://github.com/kubernetes/ingress-nginx/pull/13066 Changelog: - Updated ingress-nginx version to v1.12.1 in Kubespray. - Updated `ingress_nginx_kube_webhook_certgen_image_tag` in `roles/kubespray-defaults/defaults/main/download.yml` to v1.5.2. Fixes: https://github.com/kubernetes-sigs/kubespray/issues/12073
---
 README.md | 2 +-
 roles/kubespray-defaults/defaults/main/download.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 7cefcbcdd..769efa5b2 100644
--- a/README.md
+++ b/README.md
@@ -129,7 +129,7 @@ Note:
 - Application
 - [cert-manager](https://github.com/jetstack/cert-manager) 1.15.3
 - [coredns](https://github.com/coredns/coredns) 1.11.3
- - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) 1.12.0
+ - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) 1.12.1
 - [argocd](https://argoproj.github.io/) 2.14.5
 - [helm](https://helm.sh/) 3.16.4
 - [metallb](https://metallb.universe.tf/) 0.13.9
diff --git a/roles/kubespray-defaults/defaults/main/download.yml b/roles/kubespray-defaults/defaults/main/download.yml
index d22768e05..67d3c5165 100644
--- a/roles/kubespray-defaults/defaults/main/download.yml
+++ b/roles/kubespray-defaults/defaults/main/download.yml
@@ -323,13 +323,13 @@ rbd_provisioner_image_tag: "v{{ rbd_provisioner_version }}"
 local_path_provisioner_version: "0.0.24"
 local_path_provisioner_image_repo: "{{ docker_image_repo }}/rancher/local-path-provisioner"
 local_path_provisioner_image_tag: "v{{ local_path_provisioner_version }}"
-ingress_nginx_version: "1.12.0"
+ingress_nginx_version: "1.12.1"
 ingress_nginx_controller_image_repo: "{{ kube_image_repo }}/ingress-nginx/controller"
 ingress_nginx_opentelemetry_image_repo: "{{ kube_image_repo }}/ingress-nginx/opentelemetry"
 ingress_nginx_controller_image_tag: "v{{ ingress_nginx_version }}"
 ingress_nginx_opentelemetry_image_tag: "v20230721-3e2062ee5"
 ingress_nginx_kube_webhook_certgen_image_repo: "{{ kube_image_repo }}/ingress-nginx/kube-webhook-certgen"
-ingress_nginx_kube_webhook_certgen_image_tag: "v1.5.0"
+ingress_nginx_kube_webhook_certgen_image_tag: "v1.5.2"
 alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
 alb_ingress_image_tag: "v1.1.9"
 cert_manager_version: "1.15.3"