I'm new to RKE2 and I'm concerned about a bunch of...
# rke2
f
I'm new to RKE2 and I'm concerned about a bunch of recent CVEs (highest priority being CVE-2025-1974) in nginx-ingress, since we unfortunately do expose to the internet. I'm looking at the ingress-nginx helm chart here: https://github.com/kubernetes/ingress-nginx/tree/main/charts/ingress-nginx#configuration since it's referred to by https://docs.rke2.io/networking/networking_services#nginx-ingress-controller but I'm not seeing a way to upgrade. Can I get away with doing:
helm upgrade [RELEASE_NAME] [CHART] --install
on the control plane or do I have to do an RKE2 upgrade like here: https://docs.rke2.io/upgrades/manual_upgrade
c
f
You're the best Brandon, thanks a ton.
e
Morning, can I ask how you managed to apply the advice there? Which of them (maybe https://github.com/rancher/rke2/issues/7953#issuecomment-2751856328)? I have some rke2 clusters with rke2-ingress-nginx:4.12.003
c
f
Does this mean I can do a manual upgrade now and bring in this fix? https://docs.rke2.io/upgrades/manual_upgrade
v
To deploy the recommended mitigation, all I had to do is edit the existing file
/var/lib/rancher/rke2/server/manifests/rke2-ingress-nginx.yaml
in each of the control nodes (with nano). I added the section:
```yaml
...
valuesContent: |-
    controller:
      admissionWebhooks:
        enabled: false
      extraArgs:
        enable-annotation-validation: true
```
at the end of the file. After doing this, all the rke2-ingress pods got restarted automatically, and rke2-ingress-nginx had the expected change.