Disable controller.admissionWebhooks in ingress-nginx in order to mitigate CVE-2025-1974 (!4138) · Merge requests · Sylva-projects / sylva-core

What does this MR do and why?

This MR was raised as a follow-up of the discussions from #2241. It simply disables controller.admissionWebhooks in ingress-nginx, in order to mitigate CVE-2025-1974.

Related reference(s)

Related to #2241.

CI configuration

Below you can choose test deployment variants to run in this MR's CI.

Click to open to CI configuration

Legend:

Icon	Meaning	Available values
☁️	Infra Provider	`capd`, `capo`, `capm3`
🚀	Bootstrap Provider	`kubeadm` (alias `kadm`), `rke2`
🐧	Node OS	`ubuntu`, `suse`
🛠️	Deployment Options	`light-deploy`, `dev-sources`, `ha`, `misc`, `maxsurge-0`
🎬	Pipeline Scenarios	Available scenario list and description

Global config for deployment pipelines

autorun pipelines
allow failure on pipelines
record sylvactl events

Notes:

Enabling autorun will make deployment pipelines to be run automatically without human interaction
Disabling allow failure will make deployment pipelines mandatory for pipeline success.
if both autorun and allow failure are disabled, deployment pipelines will need manual triggering but will be blocking the pipeline

Be aware: after configuration change, pipeline is not triggered automatically. Please run it manually (by clicking the run pipeline button in Pipelines tab) or push new code.

Disable controller.admissionWebhooks in ingress-nginx in order to mitigate CVE-2025-1974

What does this MR do and why?

Related reference(s)

CI configuration

Global config for deployment pipelines

Merge request reports