# rke2
Hi team,

Following the recent NGINX vulnerability, we’ve started upgrading our current clusters. However, we have an older RKE2 cluster that we haven’t fully migrated applications from yet, so upgrading it is currently not an option. The cluster is running on version v1.22 and was imported into Rancher, not provisioned through it.

I reviewed SUSE’s official workaround here: 🔗 https://www.suse.com/support/kb/doc/?id=000021756#:~:text=Workaround%20for%20CVE%2D2025%2D1974%2C%20CVE%2D2025%2D24513

But I’m a bit unclear on the implementation. On the master node, I found a manifest at `/var/lib/rancher/rke2/server/manifests/rke2-ingress-nginx.yaml`. It has `kind: HelmChart`, not `HelmChartConfig`, so I’m not sure how to apply custom values such as:
```yaml
controller:
  allowSnippetAnnotations: false
```
Additionally, modifying the Ingress app values from the Rancher UI is not allowed—it’s read-only due to the cluster being imported. What’s the correct way to mitigate this vulnerability on an imported RKE2 cluster running v1.22, where the Ingress Helm chart is managed via a HelmChart manifest and not editable from Rancher? Is there a supported workaround for this setup? Thanks in advance!
Thanks for the link, yes I checked the documentation and I think I understood the logic now. As far as I can tell, I should create a new file under `/var/lib/rancher/rke2/server/manifests/` with `kind: HelmChartConfig`, using the same name and namespace as the existing HelmChart (e.g., `rke2-ingress-nginx`). This file will provide the additional configuration, like disabling snippet annotations, via `valuesContent`. Since this is a production cluster and I haven’t done this kind of change before, I want to be extra cautious.

👉 My question: We have 5 master nodes in this cluster. Do I need to place this `HelmChartConfig` file on all of them, or is just one master enough and it will propagate?
Thanks again for the help!
Just one. It will kick off the Helm job in the cluster, which will update all NGINX components.
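The manifest described in the reply above, written out as an added example that is not from the thread or from the SUSE KB. The `kube-system` namespace and the filename are assumptions; what matters is that `metadata.name` and `metadata.namespace` match the existing `rke2-ingress-nginx` HelmChart exactly, otherwise the config is silently ignored.

```yaml
# Drop this on ONE server (master) node, e.g. as
# /var/lib/rancher/rke2/server/manifests/rke2-ingress-nginx-config.yaml
# (filename assumed; rke2 deploys any manifest in that directory).
# The rke2 helm controller merges valuesContent into the existing
# rke2-ingress-nginx HelmChart and reruns its helm-install job.
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx        # must match the HelmChart name
  namespace: kube-system          # must match the HelmChart namespace (assumed)
spec:
  valuesContent: |-
    controller:
      # Workaround for CVE-2025-1974 / CVE-2025-24513 from the SUSE KB:
      # stop honouring *-snippet annotations so Ingress objects can no
      # longer inject arbitrary nginx configuration into the controller.
      allowSnippetAnnotations: false
```

Once the helm-install job for the chart has completed, `kubectl -n kube-system get cm rke2-ingress-nginx-controller -o yaml` should show `allow-snippet-annotations: "false"` (ConfigMap name assumes the chart's default naming).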