AcidBurn | 11 months ago
registry.k8s.io/ingress-nginx/controller:v1.12.1
registry.k8s.io/ingress-nginx/controller:v1.11.5
The Helm chart has not been updated yet, but it looks like you can use the new container images by manually specifying the updated image tag in the values file:
  controller:
    image:
      tag: "v1.12.1"
numbsafari|11 months ago
Whether the scores are legit or not, the fact that this was such a botched disclosure process is not a good look for the Kubernetes project, of which this is a part.
Edit: According to [1], the team at Wiz show a responsible disclosure timeline. Seems like the Kubernetes project's process didn't work so well. If Wiz is accurately reporting what happened in their blog, these fixes (or the plan for them) were available a month ago, despite seemingly not having working PRs until today, after the security announcement?
Again, I really appreciate the work of the team to ship this, but this isn't a good look for the Kubernetes project itself.
[1] https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabili...
AcidBurn|11 months ago