I am new to Kubernetes and am using an AWS EKS 1.21 cluster. I am trying to write the nginx ingress config for my k8s cluster and block some requests using server-snippet. My ingress config is below:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: abc-ingress-external
  namespace: backend
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    kubernetes.io/ingress.class: nginx-external
    nginx.ingress.kubernetes.io/server-snippet: |
       location = /ping {
         deny all;
         return 403;
       }
spec:
  rules:
  - host: dev-abc.example.com
    http:
      paths:
      - backend:
          service:
              name: miller
              port:
                number: 80
        path: /
        pathType: Prefix

When I apply this config, I get this error:

for: "ingress.yml": admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: nginx.ingress.kubernetes.io/server-snippet annotation contains invalid word location

I looked into this and found that it is related to annotation-value-word-blocklist. However, I don't know how to resolve this. Any help would be appreciated.

2 Answers


  1. It seems there's an issue using location with some versions. The following was tested successfully on an EKS cluster.

    Install basic ingress-nginx on EKS:

    kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/aws/deploy.yaml

    Note: If your cluster version is < 1.21, you need to comment out ipFamilyPolicy and ipFamilies in the service spec.

    Run an HTTP service:

    kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/http-svc.yaml

    Create an ingress for the service:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: http-svc
      annotations:
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/server-snippet: |
           location = /ping {
             deny all;
             return 403;
           }
    spec:
      rules:
      - host: test.domain.com
        http:
          paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: http-svc
                port:
                  number: 8080
    

    Returns 200 as expected:

    curl -H 'HOST: test.domain.com' http://<get your nlb address from the console>

    Returns 200 as expected:

    curl -H 'HOST: test.domain.com' -k https://<get your nlb address from the console>

    Returns 403 as expected, the snippet is working:

    curl -H 'HOST: test.domain.com' -k https://<get your nlb address from the console>/ping

    Use the latest release to avoid the "annotation contains invalid word location" issue.

  2. Alternatively, replacing nginx.ingress.kubernetes.io/server-snippet by nginx.org/server-snippets fixed the issue for me. See for instance here
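
An added example (not code from the posts above or from the ingress-nginx project): a simplified Python model of the substring check behind the error in the question, usable as a pre-apply lint for Ingress annotations. The blocklist value and the function names are assumptions made for illustration; the real list is whatever annotation-value-word-blocklist is set to on your controller.

```python
# Simplified model of the admission webhook's annotation word check (assumption:
# plain substring matching on annotations that carry the controller's prefix).
ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"
# Constructed sample value; read the real one from your controller's settings.
SAMPLE_BLOCKLIST = "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,}"


def parse_blocklist(raw):
    """Split the comma-separated setting into words, dropping empties."""
    return [w.strip() for w in raw.split(",") if w.strip()]


def blocked_words(annotations, blocklist):
    """Return {annotation_key: [blocklisted words found]} for controller annotations.

    Matching is a substring test, so a word like 'root' would also match 'chroot'.
    """
    findings = {}
    for key, value in annotations.items():
        if not key.startswith(ANNOTATION_PREFIX):
            continue  # annotations with another prefix are not inspected by this check
        hits = [w for w in blocklist if w in value]
        if hits:
            findings[key] = hits
    return findings


def webhook_message(annotations, blocklist):
    """Mimic the error on the page: only the first offending word is reported."""
    for key, hits in blocked_words(annotations, blocklist).items():
        return f"{key} annotation contains invalid word {hits[0]}"
    return None


# Annotations from the question's Ingress (values copied from the page).
QUESTION_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/rewrite-target": "/",
    "kubernetes.io/ingress.class": "nginx-external",
    "nginx.ingress.kubernetes.io/server-snippet":
        "location = /ping {\n  deny all;\n  return 403;\n}\n",
}

if __name__ == "__main__":
    words = parse_blocklist(SAMPLE_BLOCKLIST)
    print(webhook_message(QUESTION_ANNOTATIONS, words))
    print(blocked_words(QUESTION_ANNOTATIONS, words))
```

With this sample list the snippet trips on `location`, `{` and `}`, while the webhook-style message names only the first, so rewording the snippet to avoid one word would still be denied on the next.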