Kubernetes Ingress on Microk8s
27/03/25 11:51 Filed in: Systems Administration
There is a CVE (https://nvd.nist.gov/vuln/detail/CVE-2025-1974) pointing out a serious bug in Nginx-based Kubernetes Ingress (https://github.com/kubernetes/kubernetes/issues/131009). While the Microk8s crowd get their snaps sorted, there is a workaround.
The discussion can be found here: https://github.com/canonical/microk8s/issues/4964
And the solution, kudos to @johnatswoopsrch:
# Confirm the addon config pins the vulnerable version (v1.11.2).
grep TAG= /var/snap/microk8s/common/addons/core/addons/ingress/enable
# Make sure the updated version is available.
microk8s ctr image pull registry.k8s.io/ingress-nginx/controller:v1.11.5
# Update config in case ingress gets disabled/enabled.
sed -i -e 's/TAG="v1.11.2"/TAG="v1.11.5"/' /var/snap/microk8s/common/addons/core/addons/ingress/enable
# Confirm the running pods use the vulnerable version.
microk8s kubectl -n ingress get pod -o yaml -l name=nginx-ingress-microk8s | grep image:
# Update the ingress DaemonSet to the new version.
# This causes the pod to restart.
microk8s kubectl set image --namespace ingress \
  ds/nginx-ingress-microk8s-controller \
  nginx-ingress-microk8s=registry.k8s.io/ingress-nginx/controller:v1.11.5
# Watch for the pods to restart
watch microk8s kubectl -n ingress get all
# Verify running the new version
microk8s kubectl -n ingress get pod -o yaml -l name=nginx-ingress-microk8s | grep image:
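The two "confirm" steps above check different places: the addon `enable` script and the running pods. This added example (not from the original post or the GitHub thread) checks both against the fixed tag in one pass. The function names, the `--live` switch and the sample input are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: verify the addon config AND the running pods are on the fixed tag.
EXPECTED_TAG="${EXPECTED_TAG:-v1.11.5}"   # fixed tag used on this page

# Read the enable script on stdin, print the value of its TAG="..." line.
addon_tag() { sed -n 's/^[[:space:]]*TAG="\([^"]*\)".*/\1/p' | head -n 1; }

# Read pod YAML (or the grep image: output) on stdin and print every
# ingress-nginx controller image whose tag differs from $1.
stale_images() {
  awk -v want="$1" '
    /image:/ && /ingress-nginx\/controller/ {
      ref = $NF                 # image reference is the last field
      tag = ref
      sub(/@.*/, "", tag)       # drop an optional @sha256 digest suffix
      sub(/.*:/, "", tag)       # keep the text after the last colon
      if (tag != want) print ref
    }'
}

# Return 0 only when config text ($2) and pod text ($3) both use tag $1.
check_ingress() {
  want="$1"; rc=0
  cfg=$(printf '%s\n' "$2" | addon_tag)
  if [ "$cfg" != "$want" ]; then
    echo "addon config pins TAG=$cfg, expected $want"; rc=1
  fi
  stale=$(printf '%s\n' "$3" | stale_images "$want")
  if [ -n "$stale" ]; then
    echo "pods not running $want:"; echo "$stale"; rc=1
  fi
  return $rc
}

# Constructed sample (not captured from a real cluster): the config was
# edited with sed, but the DaemonSet image was never updated.
SAMPLE_ENABLE='TAG="v1.11.5"'
SAMPLE_PODS='    - image: registry.k8s.io/ingress-nginx/controller:v1.11.2
      image: registry.k8s.io/ingress-nginx/controller:v1.11.2'

# Run against the real node only when asked: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
  check_ingress "$EXPECTED_TAG" \
    "$(cat /var/snap/microk8s/common/addons/core/addons/ingress/enable)" \
    "$(microk8s kubectl -n ingress get pod -o yaml -l name=nginx-ingress-microk8s)"
fi
```

A non-zero exit from `check_ingress` means one of the two places still points at an older tag, so it can be dropped into a cron job or a post-refresh check.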