by invisible 1700 days ago
An issue with discussion: https://github.com/kubernetes/ingress-nginx/issues/7837

The only fix so far is removing the feature.

>According to the publication, multi-tenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.

Ouch! I guess this means lots of secret/password rotations for k8s admins coming soon. I've always wondered if there are public Kubernetes multi-tenant setups in the wild rather than just ones with admins and developer roles/namespaces.

2 comments

For whatever it’s worth, my startup began life as a multi-tenant Kubernetes provider. We have a ton of custom controls - and for example do not allow this “custom snippet” directive at all. We spent a very long time locking down as much of the API surface as possible.

I have war stories up the wazoo - at one point we had 16k random internet users on a single cluster!
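The submission's "the only fix so far is removing the feature" and the comment above about refusing the "custom snippet" directive both come down to the same audit: is snippet injection switched off in the controller, and which Ingress objects already use it? The script below is an added example, not code from the linked issue, the ingress-nginx project, or either commenter; it assumes manifests loaded as dicts of the shape `kubectl ... -o json` produces, uses the real ingress-nginx snippet annotation names and the `allow-snippet-annotations` ConfigMap key, and treats a missing key as "allowed" (an assumption about the default that you should verify against your controller version).

```python
"""Audit ingress-nginx manifests for snippet annotations (constructed example)."""

# Real ingress-nginx annotations that let an Ingress author inject raw nginx config.
SNIPPET_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/configuration-snippet",
    "nginx.ingress.kubernetes.io/server-snippet",
    "nginx.ingress.kubernetes.io/stream-snippet",
    "nginx.ingress.kubernetes.io/modsecurity-snippet",
    "nginx.ingress.kubernetes.io/auth-snippet",
}


def snippets_allowed(configmap: dict) -> bool:
    """True unless the controller ConfigMap explicitly sets
    allow-snippet-annotations to "false". A missing key is treated as
    allowed (assumption: verify the default for your controller version)."""
    data = configmap.get("data") or {}
    value = data.get("allow-snippet-annotations", "true")
    return str(value).strip().lower() != "false"


def find_snippet_ingresses(ingress_list: dict) -> list:
    """Return (namespace, name, annotation) for every snippet annotation
    found on any Ingress in a `kubectl get ingress -A -o json` style list."""
    hits = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        for key in (meta.get("annotations") or {}):
            if key in SNIPPET_ANNOTATIONS:
                hits.append((meta.get("namespace", "default"), meta.get("name", "?"), key))
    return hits


# Constructed sample data standing in for real kubectl output.
SAMPLE_CONFIGMAP = {"data": {"allow-snippet-annotations": "true"}}
SAMPLE_INGRESSES = {"items": [
    {"metadata": {"namespace": "tenant-a", "name": "web",
                  "annotations": {"nginx.ingress.kubernetes.io/server-snippet": "# raw nginx"}}},
    {"metadata": {"namespace": "tenant-b", "name": "api",
                  "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/"}}},
]}

if __name__ == "__main__":
    if snippets_allowed(SAMPLE_CONFIGMAP):
        print("WARNING: snippet annotations are enabled in the controller ConfigMap")
    for ns, name, key in find_snippet_ingresses(SAMPLE_INGRESSES):
        print(f"{ns}/{name} uses {key}")
```

Pointing `find_snippet_ingresses` at real output tells you which tenants will break when you set `allow-snippet-annotations: "false"`, which is the practical cost of the "remove the feature" fix.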

What's the actual vulnerability?

The issue links to itself for "more details"…

(Also, yeah, it'd be nice if the URL of the OP had just been the GitHub issue. It is just as informative (or uninformative), and isn't an advertisement…)