# rke2
p
So, as you may know, nginx-ingress just had 4 vulnerabilities patched, one of them a 9.8 CVE. I'm now looking at upgrading rke2-nginx-ingress in my rke2 cluster. The version is set in the /var/lib/rancher/rke2/server/manifests/rke2-ingress-nginx.yaml file. I thought it would be a bit simple to just change the "helm.cattle.io/chart-url:" annotation to a newer one. But when I restart rke2-server, the URL is overwritten with the old one. I assume either rke2 is doing that (in which case my only choice is upgrading rke2), or, since this is an HA cluster, that the node is "syncing" with the other 2 nodes.
Ah, checked the 1.32 release logs.
• Bump ingress-nginx to v1.12.0-hardened6 (#7773)
So it makes sense that I can't just manually change the version, and instead have to upgrade rke2 entirely. Does anyone know, given this says "hardened6", whether it is still affected by the vulnerability which otherwise affects 1.12.0?
b
Looks like it's vulnerable and an upgrade is available soon: https://github.com/rancher/rke2/issues/7953#issuecomment-2749871965
p
Alright alright, thank you! I guess, though, that Harvester will be another big job 😓
b
Yeah... Off to disable webhook admissions in both!
p
And unless I'm using nuclei wrong, it seems to be fine? I ran it against both the public IP for my Harvester UI and the local IP for the Harvester control plane.
b
As it's type ClusterIP, not sure if it is available from outside the cluster. Hopefully SUSE will publish an advisory soon to clarify.
p
Yep, so either you would have to manually expose it, or you run a compromised pod without segmenting it properly.
i
ClusterIP is not reachable from "outside", but from inside the cluster. Any pod in the same namespace can talk to it. Also, if a NetworkPolicy is in place, pods in other namespaces authorized to do so can talk to the admission controller. Does anyone know if we can just remove the service? Then it would not be accessible from other pods.
p
Uhm, I think you should disable the admission controller outright, in case you delete the svc but some part tries talking to it and fails because of that.
Might be achievable with a HelmChartConfig placed in the /var/lib/rancher/rke2/server/manifests/ folder.
i
@powerful-easter-15334 Just found out that the svc should not be deleted... So no easy fix. I see the patch is already released here https://github.com/rancher/ingress-nginx/releases/tag/v1.12.1-hardened1 and hopefully it will make it into the next rke2 patch releases.
p
Cool, thank you!
My rke2 cluster is safe; it runs literally one "outside" app (being Rancher lol).
m
If you are running rke2 with the ingress-nginx addon, to mitigate you can create/edit the HelmChartConfig CR and disable the admission controller:
```yaml
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      admissionWebhooks:
        enabled: false
```
Until the patch release is out and you can upgrade rke2.
p
Right, yeah, makes sense
Theoretically, can I not use a HelmChartConfig to change the URL of the chart and point to 1.12.1?
m
Don't think so; it is bundled with the version of rke2 you are on.
You can always try, but if it breaks, not sure if anyone can help.
p
Yeah no, you're probably right. Unless you change the image which is used... Eh, no need to complicate my life that much.