The nginx.ingress.kubernetes.io/server-snippet annotation functionality is not working properly. #12625

Closed
SY16399 opened this issue Jan 6, 2025 · 5 comments
Labels
needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@SY16399

SY16399 commented Jan 6, 2025

echo '
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: snippet.example.com
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/server-snippet: |
      set $agentflag 0;
      if ($http_user_agent ~* "(Android|IPhone)") {
        set $agentflag 1;
      }
      if ($agentflag = 1) {
        return 302 http://www.baidu.com;
      }
spec:
  rules:
  - host: snippet.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: snippet
            port:
              number: 80
' | kubectl apply -f -

@SY16399 SY16399 added the kind/bug Categorizes issue or PR as related to a bug. label Jan 6, 2025
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jan 6, 2025
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@longwuyuan
Contributor

/remove-kind bug

The information you have provided does not show any problem.
I think you should look at the template of a new bug report and then edit this issue description to answer those questions.

The request you sent, the config of the controller, the config of the ingress, the logs of the controller, and the result of the curl request with -i and -v are some examples of the information that helps a reader get some idea of what problem has to be solved.

@k8s-ci-robot k8s-ci-robot added needs-kind Indicates a PR lacks a `kind/foo` label and requires one. and removed kind/bug Categorizes issue or PR as related to a bug. labels Jan 6, 2025
@MattiDeGrauwe

MattiDeGrauwe commented Jan 6, 2025

I might have a similar issue: the following snippet is not allowed since 4.12.0

nginx.ingress.kubernetes.io/server-snippet: |
      add_header 'Access-Control-Allow-Origin' $http_origin always;
      add_header 'Access-Control-Allow-Credentials' 'true' always;
      add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Origin, Content-Type, Accept' always;
      add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;

ingress-nginx is deployed through the chart and validations have been set to false:

controller:
      enableAnnotationValidations: false

resulting in the following pod arguments:

- args:
        - /nginx-ingress-controller
        - --enable-annotation-validation=false
        - --default-backend-service=$(POD_NAMESPACE)/ingress-nginx-defaultbackend
        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
        - --election-id=ingress-nginx-leader
        - --controller-class=k8s.io/ingress-nginx
        - --ingress-class=nginx
        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        - --enable-metrics=true
        - --configmap=infra/nginx-ingress-default-configmap
        - --default-ssl-certificate=infra/tools-cert-tls

Most of our ingresses broke since 4.12 due to this snippet (resulting in the following error):

Error from server (BadRequest): error when replacing "/tmp/kubectl-edit-3494057835.yaml": admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: annotation group ServerSnippet contains risky annotation based on ingress configuration

Should I dig deeper or is this a known issue @longwuyuan ?

@longwuyuan
Contributor

Can you play with the risk settings?

@Gacko
Member

Gacko commented Jan 6, 2025

Snippet annotations have annotation risk level Critical. The highest accepted risk level got lowered to High with v1.12. Please read the release notes for more details.
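
An added example, not part of the original thread or of the ingress-nginx project: a pre-upgrade audit that lists the Ingress objects whose annotations exceed the accepted risk level described in the comment above. It assumes that every `nginx.ingress.kubernetes.io/*-snippet` annotation is Critical (the only classification stated in the thread) and that levels are ordered Low < Medium < High < Critical; the function names and the sample data are constructed.

```python
import json

# Risk levels in ascending order; an annotation is rejected when its level
# is above the highest level the controller accepts.
LEVELS = ["Low", "Medium", "High", "Critical"]
PREFIX = "nginx.ingress.kubernetes.io/"


def annotation_risk(name):
    """Return the risk level of an annotation, or None if not classified here.

    Assumption: only the "-snippet" annotations are classified, as Critical,
    which is the one classification stated in the thread.
    """
    if name.startswith(PREFIX) and name.endswith("-snippet"):
        return "Critical"
    return None


def rejected_ingresses(ingress_list, accepted="High"):
    """Map "namespace/name" to the annotations exceeding the accepted level."""
    limit = LEVELS.index(accepted)
    findings = {}
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        over = sorted(
            name for name in (meta.get("annotations") or {})
            if annotation_risk(name) and LEVELS.index(annotation_risk(name)) > limit
        )
        if over:
            key = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
            findings[key] = over
    return findings


# Constructed sample in the shape of `kubectl get ingress -A -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "snippet.example.com", "namespace": "default",
    "annotations": {"nginx.ingress.kubernetes.io/server-snippet": "return 302 http://example.invalid;"}}},
  {"metadata": {"name": "plain", "namespace": "default",
    "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/"}}},
  {"metadata": {"name": "no-annotations", "namespace": "infra"}}
]}
""")

if __name__ == "__main__":
    for ingress, names in rejected_ingresses(SAMPLE).items():
        print(f"{ingress}: {', '.join(names)}")
```

To audit a live cluster, pass the parsed output of `kubectl get ingress -A -o json` to `rejected_ingresses` in place of `SAMPLE`. The accepted level is set by the `annotations-risk-level` key in the controller ConfigMap.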
