important
CVE-2025-1974 (vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) has a score of 9.8 (Critical).
The vulnerability affects specific versions of the RKE2 ingress-nginx controller (v.1.11.4 and earlier, and v1.12.0). All Harvester versions that use this controller (including v1.4.2 and earlier) are therefore affected.
This CVE is fixed in Harvester 1.5.0, 1.4.3 and newer.
A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of secrets accessible to the controller. (Note that in the default installation, the controller can access all secrets cluster-wide.)
You can confirm the version of the RKE2 ingress-nginx pods by running this command on your Harvester cluster:
kubectl -n kube-system get po -l"app.kubernetes.io/name=rke2-ingress-nginx" -ojsonpath='{.items[].spec.containers[].image}'
If the command returns one of the affected versions, disable the rke2-ingress-nginx-admission validating webhook configuration by performing the following steps:
On one of your control plane nodes, use
kubectlto confirm the existence of theHelmChartConfigresource namedrke2-ingress-nginx:$ kubectl -n kube-system get helmchartconfig rke2-ingress-nginx
NAME AGE
rke2-ingress-nginx 14d1hUse
kubectl -n kube-system edit helmchartconfig rke2-ingress-nginxto add the following configurations to the resource:.spec.valuesContent.controller.admissionWebhooks.enabled: false.spec.valuesContent.controller.extraArgs.enable-annotation-validation: true
The following is an example of what the updated
.spec.valuesContentconfiguration along with the default Harvester ingress-nginx configuration should look like:apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: rke2-ingress-nginx
namespace: kube-system
spec:
valuesContent: |-
controller:
admissionWebhooks:
port: 8444
enabled: false
extraArgs:
enable-annotation-validation: true
default-ssl-certificate: cattle-system/tls-rancher-internal
config:
proxy-body-size: "0"
proxy-request-buffering: "off"
publishService:
pathOverride: kube-system/ingress-exposeExit the
kubectl editcommand execution to save the configuration.Harvester automatically applies the change once the content is saved.
important
The configuration disables the RKE2 ingress-nginx admission webhooks while preserving Harvester's default ingress-nginx configuration.
If the
HelmChartConfigresource contains other custom ingress-nginx configuration, you must retain them when editing the resource.Verify that RKE2 deleted the
rke2-ingress-nginx-admissionvalidating webhook configuration.$ kubectl get validatingwebhookconfiguration rke2-ingress-nginx-admission
Error from server (NotFound): validatingwebhookconfigurations.admissionregistration.k8s.io "rke2-ingress-nginx-admission" not foundVerify that the ingress-nginx pods are restarted successfully.
$ kubectl -n kube-system get po -lapp.kubernetes.io/instance=rke2-ingress-nginx
NAME READY STATUS RESTARTS AGE
rke2-ingress-nginx-controller-g8l49 1/1 Running 0 5s
Once your Harvester cluster receives the RKE2 ingress-nginx patch, you can re-install the rke2-ingress-nginx-admission validating webhook configuration by removing the HelmChartConfig patch.
important
These steps only cover the RKE2 ingress-nginx controller that is managed by Harvester. You must also update other running ingress-nginx controllers. See the References section for more information.