Kubernetes Nginx Ingress CVE-2025-1974
There is a fairly severe bug here: Ingress-nginx CVE-2025-1974
My understanding is that it is a privilege escalation bug within Kubernetes - and given that I work for a very small team where actually I’m the only one with access - I don’t think I’m immediately vulnerable.
But my understanding is limited and I’m a fan of defence in depth so it’s time to upgrade.
Minikube
I first tested locally in Minikube - but I’m a bit unclear how ingresses work in Minikube - just using the ingress-nginx helm chart didn’t work.
When I did this I saw no address on the ingress
kubectl get -A ingresses
NAMESPACE      NAME       CLASS    HOSTS            ADDRESS   PORTS     AGE
my-namespace   test-cms   <none>   admin.minikube             80, 443   4d20h
I got my minikube IP address via minikube ip and added it to /etc/hosts, but got connection refused when I tried to access https://admin.minikube
I tried to find a solution but in the end just installed the ingress addon via
minikube addons enable ingress
After this my ingress worked and I saw an IP address from my get ingresses command
I then upgraded the ingress helm chart again
helm upgrade -n ingress-nginx --reuse-values ingress-nginx ingress-nginx/ingress-nginx
This time the kubectl get -A ingresses lost the IP address again - but the ingress worked and was upgraded.
It’s all a bit of a mess and wasn’t a very reassuring dry run.
Digital Ocean
I installed the ingress originally via their 1-click marketplace
Upgrading as per the instructions at
https://kubernetes.github.io/ingress-nginx/deploy/upgrade/
helm upgrade --reuse-values ingress-nginx ingress-nginx/ingress-nginx
failed with an error as per this issue
Error: UPGRADE FAILED: template: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml:60:24: executing "ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml" at <.Values.controller.admissionWebhooks.patchWebhookJob.resources>: nil pointer evaluating interface {}.resources
There seem to be several similar reports and the solution seems to be to drop the "--reuse-values" bit
helm upgrade ingress-nginx ingress-nginx/ingress-nginx
This worked and nothing seems to have broken.
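A way to confirm that an upgrade like the ones above actually changed the running controller, as an added example that is not part of the original post: it reads the image tag of each controller pod and compares it with a minimum version. The function names, the `MIN_VERSION` argument, the `app.kubernetes.io/component=controller` label and the use of container 0 are assumptions; the minimum version is a placeholder to be taken from the CVE-2025-1974 advisory.

```shell
#!/bin/sh
# Added example (not from the original post). MIN_VERSION is a placeholder:
# take the fixed release for your release line from the CVE-2025-1974 advisory.

# Print "1.2.3" for an image ref like registry/path/controller:v1.2.3@sha256:...
# Fails (status 1) when the ref carries no tag, e.g. a digest-only reference.
image_version() {
  iv_ref="${1%%@*}"            # drop the @sha256:... digest
  iv_name="${iv_ref##*/}"      # drop registry host (and port) and path
  case "$iv_name" in
    *:*) iv_tag="${iv_name#*:}" ;;
    *)   return 1 ;;
  esac
  printf '%s\n' "${iv_tag#v}"
}

# Succeed when version $1 >= version $2 (major.minor.patch, pre-release suffix ignored).
version_ge() {
  IFS=. read -r a1 a2 a3 a_rest <<EOF
${1%%-*}
EOF
  IFS=. read -r b1 b2 b3 b_rest <<EOF
${2%%-*}
EOF
  if [ "${a1:-0}" -ne "${b1:-0}" ]; then [ "${a1:-0}" -gt "${b1:-0}" ]; return; fi
  if [ "${a2:-0}" -ne "${b2:-0}" ]; then [ "${a2:-0}" -gt "${b2:-0}" ]; return; fi
  [ "${a3:-0}" -ge "${b3:-0}" ]
}

# Report each controller pod's running version; status 1 if any is too old or none found.
# Assumes the chart's standard pod label and that the controller is container 0.
check_running_controller() {
  min="$1"; ns="${2:-ingress-nginx}"
  kubectl get pods -n "$ns" -l app.kubernetes.io/component=controller \
    -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.containers[0].image}{"\n"}{end}' |
  (
    rc=0; n=0
    while read -r pod image; do
      n=$((n + 1))
      if ! ver=$(image_version "$image"); then echo "$pod: untagged image $image"; rc=1
      elif version_ge "$ver" "$min"; then echo "$pod: $ver OK"
      else echo "$pod: $ver is older than $min"; rc=1
      fi
    done
    [ "$n" -gt 0 ] || { echo "no controller pods found in $ns"; rc=1; }
    exit "$rc"
  )
}

# Usage: sh check-ingress.sh MIN_VERSION [NAMESPACE]
if [ "$#" -gt 0 ]; then check_running_controller "$@"; fi
```

Checking the pods rather than the Helm release matters here because a release can report a new chart version while old controller pods are still running.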
Summary
This was one of those messy days where I wish I had a dedicated OPS team - it seems to have worked in the end but wasn’t very reassuring.
I’m writing it up so that at least next time I have some notes on what I tried and what happened.