
I am running into a very strange issue: I cannot set the single quotes that are required by Content-Security-Policy. I assume I was running an older version of ingress, which only got updated after I disabled and re-enabled it (microk8s).

    nginx.ingress.kubernetes.io/configuration-snippet: |
      add_header Access-Control-Allow-Origin "https://myhost";
      more_set_headers "X-FRAME-OPTIONS: SAMEORIGIN";
      more_set_headers "Content-Security-Policy: default-src 'self' blob:;";

Result:

skipping ingress ...: nginx.ingress.kubernetes.io/configuration-snippet annotation contains invalid word '

I've tried using x2, escaping with \, and wrapping everything in single quotes and escaping; nothing worked. I'd be grateful if anyone can tell me how to add single quotes to the headers, or whether I can avoid them and still send the CSP.

EDIT: just to be clear, this configuration used to work on older versions; right now the ingress version is v1.0.5. There is nothing wrong with the syntax or other settings.


1 Answer


Changes related to sanitizing annotation inputs appeared in exactly 1.0.5.

You may want to check CVE-2021-25742: Ingress-nginx custom snippets. I put the part of interest to you in bold.

annotation-value-word-blocklist defaults are "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',"

Users from mod_security and other features should be aware that some blocked values may be used by those features and must be manually unblocked by the Ingress Administrator.

It seems to me your issue is related to mod_security + the above blocklist, which contains the ' symbol.

For more details please check https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#annotation-value-word-blocklist

In order to fix your issue you should either

  • set the value of annotation-value-word-blocklist to an empty string ""

or

  • change the value of annotation-value-word-blocklist and remove ' from its list.
    Thank you! The documentation was a bit confusing since it shows the default as "", but 1.0.5 had the default set to the longer (breaking) string. I also looked at this change but the error message did not contain something like "blocked". Looking at their source code, that is indeed the error message shown when a blocked keyword is detected. – brainwash Jan 21 '22 at 10:38
  • I have (maybe) the same issue. If I add single quotes, ingress does not start up. But I don't see an error message; where did you get that message @brainwash? And how/where did you modify the annotation-value-word-blocklist? – simplesystems Jun 30 '22 at 15:19
  • You need to add a ConfigMap which has "annotation-value-word-blocklist" inside the "data" definition. As "metadata", set name: ingress-nginx-controller or name: nginx-load-balancer-microk8s-conf, and the namespace of your ingress (by default I think it's "ingress"). – brainwash Jul 02 '22 at 21:46
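The fix the answer and the last comment describe, written out as an added example (this is not code from the question, the answer, or the ingress-nginx project). It takes the second option from the answer, narrowing the blocklist rather than emptying it: the 1.0.5 list is kept minus the ' entry, so the snippet's quoted header values pass validation while load_module, _by_lua, location, proxy_pass and the rest stay blocked. The ConfigMap name and namespace (ingress-nginx-controller in ingress-nginx) are assumptions that match the upstream manifests; on microk8s use the name and namespace from the comment above. The Ingress is the one from the question with an assumed host and backend service (myapp:8080).

```yaml
# Added example, not the project's own manifest.
# ConfigMap read by the ingress-nginx controller. The metadata.name and
# namespace are assumptions (upstream defaults); for microk8s use
# nginx-load-balancer-microk8s-conf in the ingress namespace, as the comment
# above says.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  # The 1.0.5 default list from the answer with the ' entry removed.
  # The remaining words are what stop a snippet from loading modules,
  # running Lua, or re-routing traffic (the CVE-2021-25742 concern), so they
  # are kept rather than setting the whole value to "".
  annotation-value-word-blocklist: "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,}"
---
# The Ingress from the question. Host, name and backend service are assumed
# values for the example.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      add_header Access-Control-Allow-Origin "https://myhost";
      more_set_headers "X-FRAME-OPTIONS: SAMEORIGIN";
      more_set_headers "Content-Security-Policy: default-src 'self' blob:;";
spec:
  ingressClassName: nginx
  rules:
    - host: myhost
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myapp
                port:
                  number: 8080
```

Apply the ConfigMap first (kubectl apply -f), then the Ingress; the controller reloads on ConfigMap changes, and the "annotation contains invalid word '" line should stop appearing in the controller log. Narrowing the list instead of clearing it matters because, as the quoted release note says, anything you unblock is unblocked for every user who can create Ingress objects in the cluster, and a configuration-snippet is raw nginx config.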