cluster/kube: bump nginx-ingress-controller, backport openssl 1.1.1k
This fixes CVE-2021-3450 and CVE-2021-3449.
Deployed on prod:
$ kubectl -n nginx-system exec nginx-ingress-controller-5c69c5cb59-2f8v4 -- openssl version
OpenSSL 1.1.1k 25 Mar 2021
Change-Id: I7115fd2367cca7b687c555deb2134b22d19a291a
diff --git a/cluster/kube/k0-nginx-ingress-controller.jsonnet b/cluster/kube/k0-nginx-ingress-controller.jsonnet
new file mode 100644
index 0000000..a3a608e
--- /dev/null
+++ b/cluster/kube/k0-nginx-ingress-controller.jsonnet
@@ -0,0 +1,7 @@
+// Only the NGINX Ingress Controller.
+
+local k0 = (import "k0.libsonnet").k0;
+
+{
+ nginx: k0.cluster.nginx,
+}
diff --git a/cluster/kube/lib/nginx-ingress-controller/Dockerfile b/cluster/kube/lib/nginx-ingress-controller/Dockerfile
new file mode 100644
index 0000000..9555387
--- /dev/null
+++ b/cluster/kube/lib/nginx-ingress-controller/Dockerfile
@@ -0,0 +1,7 @@
+# Temporary bump up to openssl 1.1.1k.
+# TODO(q3k): remove this once 1.1.1k lands in upstream n-i-c.
+
+FROM k8s.gcr.io/ingress-nginx/controller:v0.44.0@sha256:3dd0fac48073beaca2d67a78c746c7593f9c575168a17139a9955a82c63c4b9a
+USER root
+RUN apk update && apk upgrade
+USER www-data
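Review bot: The `RUN apk update && apk upgrade` line is unpinned: it upgrades every package in the base image to whatever the Alpine index serves at build time, so rebuilding this Dockerfile later yields a different image under the same `v0.44.0-r1` tag, and the only record of what changed is the transcript pasted into nginx.libsonnet. `RUN apk --no-cache upgrade` at least keeps the fetched index out of the layer; pinning the three packages the commit is about (`libssl1.1`, `libcrypto1.1`, `openssl` at `1.1.1k-r0`) with apk's `pkg=version` syntax would make a drifted rebuild fail loudly instead of silently producing something else, with the caveat that Alpine repositories only serve the current build of each package. The FROM line is pinned by digest, which is right; the pushed result should be consumed by digest as well where nginx.libsonnet references it.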
diff --git a/cluster/kube/lib/nginx.libsonnet b/cluster/kube/lib/nginx.libsonnet
index 510f851..02422dc 100644
--- a/cluster/kube/lib/nginx.libsonnet
+++ b/cluster/kube/lib/nginx.libsonnet
@@ -8,7 +8,20 @@
local env = self,
local cfg = env.cfg,
cfg:: {
- image: "quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.23.0",
+ # Built from nginx-ingress-controller/Dockerfile:
+ #
+ # $ cd cluster/kube/lib/nginx-ingress-controller
+ # $ docker build -t eu.gcr.io/bgpwtf/nginx-ingress-controller:v0.44.0-r1 .
+ # [..]
+ # (2/8) Upgrading libcrypto1.1 (1.1.1i-r0 -> 1.1.1k-r0)
+ # (3/8) Upgrading libssl1.1 (1.1.1i-r0 -> 1.1.1k-r0
+ # [...]
+ # (8/8) Upgrading openssl (1.1.1i-r0 -> 1.1.1k-r0)
+ # $ docker push eu.gcr.io/bgpwtf/nginx-ingress-controller:v0.44.0-r1
+ #
+ # TODO(q3k): unfork this once openssl 1.1.1k lands in upstream
+ # nginx-ingress-controller.
+ image: "eu.gcr.io/bgpwtf/nginx-ingress-controller:v0.44.0-r1",
namespace: "nginx-system",
},
@@ -62,7 +75,7 @@
verbs: ["get", "list", "watch"],
},
{
- apiGroups: ["extensions"],
+ apiGroups: ["extensions", "networking.k8s.io"],
resources: ["ingresses"],
verbs: ["get", "list", "watch"],
},
@@ -72,10 +85,15 @@
verbs: ["create", "patch"],
},
{
- apiGroups: ["extensions"],
+ apiGroups: ["extensions", "networking.k8s.io"],
resources: ["ingresses/status"],
verbs: ["update"],
},
+ {
+ apiGroups: ["extensions", "networking.k8s.io"],
+ resources: ["ingressclasses"],
+ verbs: ["get", "list", "watch"],
+ },
],
},
@@ -102,11 +120,36 @@
rules : [
{
apiGroups: [""],
- resources: ["configmaps", "pods", "secrets", "namespaces"],
+ resources: ["namespaces"],
verbs: ["get"],
},
{
apiGroups: [""],
+ resources: ["configmaps", "pods", "secrets", "endpoints"],
+ verbs: ["get", "list", "watch"],
+ },
+ {
+ apiGroups: [""],
+ resources: ["services"],
+ verbs: ["get", "list", "watch"],
+ },
+ {
+ apiGroups: ["extensions", "networking.k8s.io"],
+ resources: ["ingresses"],
+ verbs: ["get", "list", "watch"],
+ },
+ {
+ apiGroups: ["extensions", "networking.k8s.io"],
+ resources: ["ingresses/status"],
+ verbs: ["update"],
+ },
+ {
+ apiGroups: ["extensions", "networking.k8s.io"],
+ resources: ["ingressclasses"],
+ verbs: ["get", "list", "watch"],
+ },
+ {
+ apiGroups: [""],
resources: ["configmaps"],
resourceNames: ["ingress-controller-leader-nginx"],
verbs: ["get", "update"],
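Review bot: The `ingressclasses` rule added to the namespaced Role (the block just before the leader-election configmap rule) grants nothing: IngressClass is a cluster-scoped resource and a Role can only authorize namespaced resources, so the effective grant is the ClusterRole entry in the earlier hunk. Likewise `ingressclasses` has never been served under the `extensions` group, so `"extensions"` there is harmless noise; `apiGroups: ["networking.k8s.io"],` is the accurate form for that rule in both places. Separately, this hunk moves `secrets` in the Role from `get` to `get`/`list`/`watch`, a broadening over the previous rule that deserves a one-line comment stating why (presumably the controller watches TLS secrets in its own namespace; confirm against upstream's manifest for v0.44.0).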
@@ -118,8 +161,8 @@
},
{
apiGroups: [""],
- resources: ["endpoints"],
- verbs: ["get"],
+ resources: ["events"],
+ verbs: ["create", "patch"],
},
],
},
@@ -177,8 +220,18 @@
containers_: {
controller: kube.Container("nginx-ingress-controller") {
image: cfg.image,
+ imagePullPolicy: "IfNotPresent",
+ lifecycle: {
+ preStop: {
+ exec: {
+ command: [ "/wait-shutdown" ],
+ },
+ },
+ },
args: [
"/nginx-ingress-controller",
+ "--election-id=ingress-controller-leader",
+ "--ingress-class=nginx",
"--configmap=%s/%s" % [cfg.namespace, env.maps.configuration.metadata.name],
"--tcp-services-configmap=%s/%s" % [cfg.namespace, env.maps.tcp.metadata.name],
"--udp-services-configmap=%s/%s" % [cfg.namespace, env.maps.udp.metadata.name],
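Review bot: `imagePullPolicy: "IfNotPresent"` combined with the mutable `v0.44.0-r1` tag set in the first hunk means a node that already cached an earlier build of that tag keeps running it after a re-push, so a rebuilt image carrying the openssl fix may never reach every node. Pin the consumed image by digest, e.g. `image: "eu.gcr.io/bgpwtf/nginx-ingress-controller:v0.44.0-r1@sha256:<digest printed by docker push>"`, after which IfNotPresent is safe and the deployed artifact is exactly the one checked with `openssl version` in the commit message. The preStop `/wait-shutdown` hook only helps if the pod's terminationGracePeriodSeconds is long enough for the drain; that field is outside the hunk, so confirm it is set rather than left at the default 30s.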
@@ -222,7 +275,7 @@
drop: ["ALL"],
add: ["NET_BIND_SERVICE"],
},
- runAsUser: 33,
+ runAsUser: 101,
},
resources: {
limits: { cpu: "2", memory: "4G" },
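Review bot: `runAsUser: 101` is changed to match the new image, but nothing in the hunk asserts that the container actually starts unprivileged; since the forked Dockerfile now switches users itself (`USER root` then `USER www-data`), a rebuild that loses the final `USER` line would be caught only by this field. Adding `runAsNonRoot: true,` next to `runAsUser: 101,` makes the kubelet refuse to start such a container, and a trailing comment `// www-data in the upstream ingress-nginx image` would explain the magic number (presumed from the Dockerfile's `USER www-data`; confirm against the image). If runAsNonRoot is already set elsewhere in this securityContext, outside the hunk, disregard the first suggestion.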