Upgrade ingress-nginx to v1.11.5 or 1.12.1

[artntek]

In response to this vulnerability report: https://groups.google.com/g/kubernetes-security-announce/c/2qa9DFtN0cQ - we should upgrade ingress-nginx to v1.11.5 or 1.12.1

Note

Neither the dev or prod clusters are currently vulnerable, because the Validating Admission Controller functionality of ingress-nginx is already disabled, since the helm install options we used included:

--set controller.admissionWebhooks.enabled=false

Double-checking that we don't have a ValidatingWebhookConfiguration called ingress-nginx-admission:

$ kc get ValidatingWebhookConfiguration                                 (☸|prod-k8s:default)
NAME                   WEBHOOKS   AGE
cert-manager-webhook   1          3y147d

However, we're not sure why Peter originally recommended disabling it, and re-enabling it (after we upgrade) "provides important safeguards for your Ingress configurations", so we should consider doing so

Other Info

• We upgraded dev-k8s to ingress-nginx v 1.11.4, which was the newest we could go, on K8s v1.26.
• The announcement above says 1.11.4 is vulnerable, but 1.11.5 is not. However, it's not clear if K8s v1.26 supports upgrade to ingress 1.11.5 (supported versions table).
• We haven't yet upgraded Prod-k8s Kubernetes version, so production ingress is still version 1.0.4
• I don't see helm charts yet for v1.11.4 or 1.12.1 (https://github.com/kubernetes/ingress-nginx/releases), but we could do it without helm, if needed, when the controller-v1.11.5 image is available.
• the comments on CVE-2025-24513: ingress-nginx controller - auth secret file path traversal vulnerability kubernetes/kubernetes#131005 imply they may have announced these a little early.

Useful Background:

• https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities

[artntek]

Also note that ingress-nginx is being replaced with Ingate: kubernetes/ingress-nginx#13002

[artntek]

Upgraded both dev and prod to ingress-nginx chart v4.11.6 (app v1.11.6), and set controller.admissionWebhooks.enabled=true

Note we can't upgrade to chart 4.12.* until we upgrade k8s to 1.28 or higher