Tangible Bytes

A Web Developer’s Blog

Kubernetes Nginx Ingress CVE-2025-1974

There is a fairly severe bug here: Ingress-nginx CVE-2025-1974

My understanding is that it is a privilege escalation bug within Kubernetes - and given that I work for a very small team where actually I’m the only one with access - I don’t think I’m immediately vulnerable.

But my understanding is limited and I’m a fan of defence in depth so it’s time to upgrade.

Minikube

I first tested locally in Minikube - but I’m a bit unclear how ingresses work in Minikube - just using the ingress-nginx helm chart didn’t work.

When I did this I saw no address on the ingress

kubectl get -A ingresses
NAMESPACE      NAME       CLASS    HOSTS            ADDRESS   PORTS     AGE
my-namespace   test-cms   <none>   admin.minikube             80, 443   4d20h

I got my minikube IP address via minikube ip and added it to /etc/hosts, but got connection refused when I tried to access https://admin.minikube

I tried to find a solution but in the end just installed the ingress addon via

minikube addons enable ingress

After this my ingress worked and I saw an IP address from my get ingresses command

I then upgraded the ingress helm chart again

helm upgrade -n ingress-nginx --reuse-values ingress-nginx ingress-nginx/ingress-nginx

This time the kubectl get -A ingresses lost the ip address again - but the ingress worked and was upgraded.

It’s all a bit of a mess and wasn’t a very reassuring dry run.

Digital Ocean

I installed the ingress originally via their 1-click marketplace

Upgrading as per the instructions at

https://kubernetes.github.io/ingress-nginx/deploy/upgrade/

helm upgrade --reuse-values ingress-nginx ingress-nginx/ingress-nginx

failed with an error as per this issue

Error: UPGRADE FAILED: template: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml:60:24: executing "ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml" at <.Values.controller.admissionWebhooks.patchWebhookJob.resources>: nil pointer evaluating interface {}.resources

https://github.com/kubernetes/ingress-nginx/issues/7966

There seem to be several similar reports and the solution seems to be to drop the “--reuse-values” bit

helm upgrade ingress-nginx ingress-nginx/ingress-nginx

This worked and nothing seems to have broken.
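
One way to run the same upgrade without --reuse-values while passing the release's user-supplied values explicitly, with a dry run in front so a template error like the one above shows up before the real upgrade. This is an added example, not from the original post; the function name and the namespace argument are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post.
# Usage: upgrade_keep_overrides RELEASE CHART NAMESPACE
upgrade_keep_overrides() {
  release=$1
  chart=$2
  namespace=$3

  # mktemp creates the file with mode 0600; overrides can contain secrets.
  values_file=$(mktemp) || return 1

  # Without --all, 'helm get values' prints only the values supplied by the
  # user, not the computed values that include chart defaults.
  if ! helm get values "$release" -n "$namespace" -o yaml > "$values_file"; then
    rm -f "$values_file"
    return 1
  fi

  # Render against the new chart first. A template error like the nil
  # pointer above fails here, before the release is changed.
  rc=0
  helm upgrade "$release" "$chart" -n "$namespace" -f "$values_file" \
    --dry-run > /dev/null || rc=$?

  # Only run the real upgrade when the dry run rendered cleanly.
  if [ "$rc" -eq 0 ]; then
    helm upgrade "$release" "$chart" -n "$namespace" -f "$values_file" || rc=$?
  fi

  rm -f "$values_file"
  return "$rc"
}

# Example call with the release and chart names used in this post
# (the namespace is an assumption; use the one the release lives in):
#   upgrade_keep_overrides ingress-nginx ingress-nginx/ingress-nginx ingress-nginx
```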

Summary

This was one of those messy days where I wish I had a dedicated OPS team - it seems to have worked in the end but wasn’t very reassuring.

I’m writing it up so that at least next time I have some notes on what I tried and what happened.