Critical Vulnerability in Ingress Nginx
I learned about CVE-2025-1974 on X on Tuesday 25 March 2025. This is a critical vulnerability (CVSS 9.8) in the Validating Admission Controller of ingress-nginx: anything that can reach the admission webhook, which by default means any pod on the cluster network, can inject nginx configuration and get arbitrary code execution in the context of the ingress-nginx controller, without any authentication. Because the controller can read Secrets across all namespaces, this is effectively a cluster takeover: the attacker can access all Secrets stored in the cluster. The fix shipped in ingress-nginx v1.12.1 and v1.11.5. If upgrading straight away is not possible, the interim mitigation from the advisory is to disable the admission webhook (delete the ingress-nginx-admission ValidatingWebhookConfiguration and remove the --validating-webhook argument from the controller) and to re-enable it after upgrading.
The fix
ingress-nginx is installed via manifest in my clusters, so to update it, I downloaded the latest manifest from the official repo. Note that deploy/static/provider/ holds one manifest per provider (cloud, baremetal, kind, and so on); the one to diff against is the variant the cluster was originally installed from:
curl -LO https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.1/deploy/static/provider/cloud/deploy.yaml
I went through the manifest, comparing it to the one I have, and did a find and replace on all fields that had changed; mostly image tags and a few extra container arguments.
I pushed the changes up to Git but FluxCD couldn’t reconcile (apply the changes) because the upgrade tried to change a job responsible for setting up admission webhook certificates. Most of a Job’s spec, including its pod template, is immutable once the Job exists, so the API server rejected the apply and the reconciliation failed.
I resolved this problem by deleting the existing job manually:
kubectl delete job -n ingress-nginx ingress-nginx-admission-create
and after that, FluxCD was able to complete the update.
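The steps above, turned into a pre-flight check. This is an added example, not a script from the original post or from the ingress-nginx project: it only prints the kubectl and flux commands rather than running them, the sample manifests are constructed (the digests and certgen tags are illustrative), and the Flux Kustomization name ingress-nginx is an assumption. The patched-version test encodes the fixed releases named in the advisory, v1.12.1 and v1.11.5.

```shell
#!/bin/sh
# Added example (not code from the original post or the ingress-nginx project):
# pre-flight checks for an ingress-nginx manifest upgrade for CVE-2025-1974.
# Nothing here talks to a cluster; kubectl/flux commands are printed, not run.
set -eu

KS_NAME="${KS_NAME:-ingress-nginx}"   # assumed Flux Kustomization name

# CVE-2025-1974 is fixed in ingress-nginx v1.12.1 and v1.11.5.
# Exit 0 when TAG (e.g. v1.12.1) is a release with the fix, 1 otherwise.
# Tags that are not plain X.Y.Z (latest, branch builds) are treated as unpatched.
version_is_patched() {
    v="${1#v}"; v="${v%%-*}"                       # "v1.12.1-rc1" -> "1.12.1"
    case "$v" in *[!0-9.]*|"") return 1 ;; esac    # non-numeric tag
    case "$v" in *.*.*) ;; *) return 1 ;; esac      # require X.Y.Z
    major="${v%%.*}"; rest="${v#*.}"
    minor="${rest%%.*}"; patch="${rest#*.}"; patch="${patch%%.*}"
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -lt 1 ]; then return 1; fi
    if [ "$minor" -ge 13 ]; then return 0; fi
    if [ "$minor" -eq 12 ] && [ "$patch" -ge 1 ]; then return 0; fi
    if [ "$minor" -eq 11 ] && [ "$patch" -ge 5 ]; then return 0; fi
    return 1
}

# Every container image referenced in a manifest, one per line.
manifest_images() {   # usage: manifest_images FILE
    sed -n 's/^[[:space:]]*\(- \)\{0,1\}image:[[:space:]]*//p' "$1" | sort -u
}

# Tag of the first image whose path matches PATTERN, with any @sha256 digest dropped.
image_tag() {   # usage: image_tag FILE PATTERN
    img="$(manifest_images "$1" | grep "$2" | head -n 1)"
    img="${img%%@*}"
    printf '%s\n' "${img##*:}"
}

# Print the steps to move from OLD manifest to NEW. A Job's pod template is
# immutable, so if the certgen image changed, the admission Jobs must be deleted
# before Flux (or kubectl apply) can re-create them.
plan_upgrade() {   # usage: plan_upgrade OLD.yaml NEW.yaml
    old_ctl="$(image_tag "$1" '/controller')"; new_ctl="$(image_tag "$2" '/controller')"
    old_gen="$(image_tag "$1" 'kube-webhook-certgen')"; new_gen="$(image_tag "$2" 'kube-webhook-certgen')"
    echo "# controller: $old_ctl -> $new_ctl"
    if ! version_is_patched "$new_ctl"; then
        echo "ERROR: $new_ctl does not contain the fix for CVE-2025-1974" >&2
        return 1
    fi
    if [ "$old_gen" != "$new_gen" ]; then
        echo "# admission job image changed ($old_gen -> $new_gen): delete the immutable Jobs first"
        echo "kubectl delete job -n ingress-nginx ingress-nginx-admission-create ingress-nginx-admission-patch --ignore-not-found"
    fi
    echo "git commit -am 'ingress-nginx: $old_ctl -> $new_ctl (CVE-2025-1974)' && git push"
    echo "flux reconcile kustomization $KS_NAME --with-source"
    echo "# verify what is actually running afterwards:"
    echo "kubectl -n ingress-nginx get deploy ingress-nginx-controller -o jsonpath='{.spec.template.spec.containers[0].image}'"
}

# Constructed sample manifests, trimmed to the lines the checks look at.
make_samples() {   # usage: make_samples DIR
    cat > "$1/old.yaml" <<'EOF'
        image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:deadbeef
        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:deadbeef
EOF
    cat > "$1/new.yaml" <<'EOF'
        image: registry.k8s.io/ingress-nginx/controller:v1.12.1@sha256:cafef00d
        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.2@sha256:cafef00d
EOF
}

demo() {
    dir="$(mktemp -d)"
    make_samples "$dir"
    plan_upgrade "$dir/old.yaml" "$dir/new.yaml"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with `sh plan.sh demo` to see the printed plan. Two details worth knowing: the upstream manifest carries two certificate Jobs, ingress-nginx-admission-create and ingress-nginx-admission-patch, and both are immutable, so the delete covers both (with --ignore-not-found in case one has already been cleaned up); and a tag that is not a plain X.Y.Z release is deliberately reported as unpatched, because "latest" or a branch build tells you nothing about whether the fix is in it.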
Conclusion
Updating ingress-nginx was simple; I updated the manifest I had with the latest changes and pushed them to git. Setting up GitOps for my clusters from the start was a good decision.