nginx.ingress.kubernetes.io/proxy-cookie-path annotation faulty value breaks controller #14008
Description
What happened:
Someone added an annotation with a wrong value to an ingress, which was added to the nginx.conf and broke the controller:
-------------------------------------------------------------------------------
I1003 10:08:44.206345 7 controller.go:214] "Configuration changes detected, backend reload required"
E1003 10:08:44.481991 7 controller.go:223] Unexpected failure reloading the backend:
-------------------------------------------------------------------------------
Error: exit status 1
2025/10/03 10:08:44 [emerg] 27#27: invalid parameter "/" in /tmp/nginx/nginx-cfg3286676199:2636
nginx: [emerg] invalid parameter "/" in /tmp/nginx/nginx-cfg3286676199:2636
nginx: configuration file /tmp/nginx/nginx-cfg3286676199 test failed
-------------------------------------------------------------------------------
E1003 10:08:44.482057 7 queue.go:131] "requeuing" err=<
-------------------------------------------------------------------------------
Error: exit status 1
2025/10/03 10:08:44 [emerg] 27#27: invalid parameter "/" in /tmp/nginx/nginx-cfg3286676199:2636
nginx: [emerg] invalid parameter "/" in /tmp/nginx/nginx-cfg3286676199:2636
nginx: configuration file /tmp/nginx/nginx-cfg3286676199 test failed
-------------------------------------------------------------------------------
> key="cluster-foundations/cert-manager-v1-webhook-fgcq7"
I1003 10:08:44.482119 7 event.go:377] Event(v1.ObjectReference{Kind:"Pod", Namespace:"cluster-foundations", Name:"ingress-nginx-v4-controller-85b7fdf8bd-9pdn9", UID:"8aa5bbc8-1183-4113-95d4-86905ee85ffd", APIVersion:"v1", ResourceVersion:"152553683", FieldPath:""}): type: 'Warning' reason: 'RELOAD' Error reloading NGINX:
-------------------------------------------------------------------------------
Error: exit status 1
2025/10/03 10:08:44 [emerg] 27#27: invalid parameter "/" in /tmp/nginx/nginx-cfg3286676199:2636
nginx: [emerg] invalid parameter "/" in /tmp/nginx/nginx-cfg3286676199:2636
nginx: configuration file /tmp/nginx/nginx-cfg3286676199 test failed
-------------------------------------------------------------------------------What you expected to happen:
I expect this value to never be allowed in the nginx.conf via the validating webhook.
It applied the config, even though it was wrong. The validating webhook should stop it from happening
NGINX Ingress controller version (exec into the pod and run /nginx-ingress-controller --version):
-------------------------------------------------------------------------------
NGINX Ingress controller
Release: v1.13.2
Build: 11c69a64ce3c5bdfb6782434d9f62296d4b42179
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.27.1
-------------------------------------------------------------------------------
Kubernetes version (use kubectl version):
Client Version: v1.28.3
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.31.5
WARNING: version difference between client (1.28) and server (1.31) exceeds the supported minor version skew of +/-1
Environment:
-
Cloud provider or hardware configuration: Azure AKS
-
OS (e.g. from /etc/os-release): AKSUbuntu-2204gen2containerd-202507.21.0
-
Kernel (e.g.
uname -a): N/A -
Install tools:
Please mention how/where was the cluster created like kubeadm/kops/minikube/kind etc.
-
Basic cluster related info:
kubectl versionkubectl get nodes -o wide
-
How was the ingress-nginx-controller installed:
- If helm was used then please show output of
helm ls -A | grep -i ingress - If helm was used then please show output of
helm -n <ingresscontrollernamespace> get values <helmreleasename> - If helm was not used, then copy/paste the complete precise command used to install the controller, along with the flags and options used
- if you have more than one instance of the ingress-nginx-controller installed in the same cluster, please provide details for all the instances
- If helm was used then please show output of
-
Current State of the controller:
kubectl describe ingressclasseskubectl -n <ingresscontrollernamespace> get all -A -o widekubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>
-
Current state of ingress object, if applicable:
kubectl -n <appnamespace> get all,ing -o widekubectl -n <appnamespace> describe ing <ingressname>- If applicable, then, your complete and exact curl/grpcurl command (redacted if required) and the reponse to the curl/grpcurl command with the -v flag
-
Others:
- Any other related information like ;
- copy/paste of the snippet (if applicable)
kubectl describe ...of any custom configmap(s) created and in use- Any other related information that may help
- Any other related information like ;
How to reproduce this issue:
Anything else we need to know: