PREQUEL-2025-0027
Ingress Nginx Prefix Wildcard Error
Low
Impact: 5/10
Mitigation: 2/10
Description
The NGINX Ingress Controller rejects an Ingress manifest in which a path with `pathType: Prefix` contains a wildcard (`*`).
Log excerpt:

```
ingress: default/api prefix path shouldn't contain wildcards
```

When the controller refuses the rule, it omits it from the generated `nginx.conf`; clients receive **404 / 502** responses even though the manifest was accepted by the Kubernetes API server. The problem appears most often after upgrading to ingress-nginx ≥ 1.8, where stricter validation was added.
Mitigation
1. **Remove the wildcard** – `/api/*` → `/api/` (Prefix already matches `/api/anything`).
2. **OR switch to regex paths**
   ```yaml
   path: "/api(/|$)(.*)"
   pathType: ImplementationSpecific
   ```
   and, if needed, set the annotation `nginx.ingress.kubernetes.io/use-regex: "true"`.
3. **Lint in CI** – Add `kubectl apply --server-side --validate=true` and `kube-linter` to catch bad paths before deployment.
4. **Controller flag** – As a temporary workaround (not recommended long-term) disable validation:
   ```
   --enable-annotation-validation=false
   ```
   on the ingress-nginx Deployment.
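A pre-deployment check for the condition described above, as an added example (not part of the original rule or of ingress-nginx): it walks Ingress objects in the JSON shape produced by `kubectl get ingress -A -o json` and reports every `Prefix` path containing `*`, together with the wildcard-free path from mitigation 1. The function name `find_wildcard_prefix_paths` and the sample manifests are constructed for illustration.

```python
import json

# Constructed sample in the shape of `kubectl get ingress -A -o json` output.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "Ingress",
  "metadata": {"namespace": "default", "name": "api"},
  "spec": {"rules": [{"host": "example.test", "http": {"paths": [
    {"path": "/api/*", "pathType": "Prefix"},
    {"path": "/health", "pathType": "Exact"},
    {"path": "/v2(/|$)(.*)", "pathType": "ImplementationSpecific"}
  ]}}]}},
 {"kind": "Ingress",
  "metadata": {"namespace": "shop", "name": "web"},
  "spec": {"rules": [{"http": {"paths": [
    {"path": "/", "pathType": "Prefix"}
  ]}}]}}
]}
""")


def find_wildcard_prefix_paths(doc):
    """Return (namespace/name, path, suggested_path) for each Prefix path with '*'."""
    # Accept either a kubectl "List" wrapper or a single Ingress object.
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    findings = []
    for obj in items:
        if obj.get("kind") != "Ingress":
            continue
        meta = obj.get("metadata", {})
        ref = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
        for rule in obj.get("spec", {}).get("rules") or []:
            # Rules without an "http" block carry no paths to check.
            for p in (rule.get("http") or {}).get("paths") or []:
                path = p.get("path", "")
                if p.get("pathType") == "Prefix" and "*" in path:
                    # Suggested fix per mitigation 1: drop the wildcard.
                    findings.append((ref, path, path.split("*", 1)[0] or "/"))
    return findings


if __name__ == "__main__":
    import sys
    results = find_wildcard_prefix_paths(SAMPLE)
    for ref, path, fix in results:
        print(f"ingress: {ref} Prefix path {path!r} contains a wildcard; use {fix!r}")
    sys.exit(1 if results else 0)  # non-zero exit fails the CI job
```

Regex-style paths under `pathType: ImplementationSpecific` are deliberately not flagged, since that is the form mitigation 2 recommends.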