Merge pull request #3250 from bestpala/master

update KubeSphere Gateway component (ingress-nginx)

content/en/news/KubeSphere Gateway Component (ingress-nginx) Security-en.md

@@ -0,0 +1,239 @@
+---
+title: 'KubeSphere Gateway Component (ingress-nginx) Security Vulnerability Announcement'
+tag: 'Product News'
+keyword: 'open source, Kubernetes, KubeSphere,Ingress-Nginx Controller, Security Vulnerability'
+description: 'This article summarizes critical security vulnerabilities in the KubeSphere Gateway component (ingress-nginx) and provides remediation suggestions.'
+createTime: '2025-4-3'
+author: 'KubeSphere'
+image: 'https://pek3b.qingstor.com/kubesphere-community/images/ingress-nginx-en-2025.png'
+---
+
+Recently, multiple critical vulnerabilities were discovered in the Ingress-Nginx controller maintained by Kubernetes, including privilege escalation, information disclosure, security bypass, and directory traversal issues. These vulnerabilities affect multiple versions of KubeSphere and KSE. Attackers could exploit these vulnerabilities to execute arbitrary code, access sensitive information, or even fully control the cluster without authorization.
+
+Given the severity of these vulnerabilities, it is strongly recommended that affected users take immediate action to ensure the security of their clusters.
+
+## 1. Vulnerability Overview
+
+### Affected Versions:
+- All versions of KubeSphere & KSE v3.x
+- All versions of KubeSphere & KSE v4.1.x
+
+### Vulnerability Severity: Critical
+### Vulnerability Types:
+Privilege Escalation, Information Disclosure, Security Bypass, Directory Traversal
+
+### Summary of Related Vulnerabilities:
+
+| Vulnerability ID    | Type       | CVSS Score | Summary                                                | Details    |
+|---------------------|------------|------------|--------------------------------------------------------|------------|
+| CVE-2025-1097       | Configuration Injection | 8.8 (Critical) | Malicious configuration injection via `auth-tls-match-cn` annotation, leading to arbitrary code execution and information disclosure | [Official Link](https://github.com/kubernetes/kubernetes/issues/131007) |
+| CVE-2025-24514      | Configuration Injection | 8.8 (Critical) | Malicious configuration injection via `auth-url` annotation, leading to arbitrary code execution and information disclosure | [Official Link](https://github.com/kubernetes/kubernetes/issues/131006) |
+| CVE-2025-24513      | Directory Traversal     | 4.8 (Moderate) | File path traversal in Admission Controller, potentially leading to denial of service and information disclosure | [Official Link](https://github.com/kubernetes/kubernetes/issues/131005)|
+| CVE-2025-1974       | Remote Code Execution    | 9.8 (Critical) | Unauthorized remote code execution vulnerability over Pod network, potentially allowing full cluster control | [Official Link](https://github.com/kubernetes/kubernetes/issues/131009)|
+| CVE-2025-1098       | Configuration Injection | 8.8 (Critical) | Malicious configuration injection via `mirror-target` and `mirror-host` annotations, leading to arbitrary code execution and information disclosure | [Official Link](https://github.com/kubernetes/kubernetes/issues/131008) |
+
+## 2. Vulnerability Impact Analysis
+
+These vulnerabilities primarily impact the system in the following ways:
+- **Risk of Code Execution**: CVE-2025-1097, CVE-2025-24514, CVE-2025-1098, and CVE-2025-1974 may allow arbitrary code execution within the ingress-nginx controller context.
+- **Information Disclosure**: By default, the ingress-nginx controller has access to all namespaces' Secrets within the cluster, potentially exposing sensitive credentials.
+- **Unauthorized Access**: Particularly with CVE-2025-1974, attackers with access to the Pod network can gain cluster control without authentication, with a CVSS score of 9.8 (Critical).
+- **Mitigation Condition**: For CVE-2025-24514, if the `enable-annotation-validation` parameter is enabled (default from v1.12.0), the system is not affected by this vulnerability.
+
+## 3. How to Verify if You Are Affected
+
+Please follow the steps below to check if your system is impacted:
+
+**Confirm if ingress-nginx is in use:**
+
+```
+kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx
+```
+
+If the command returns results, you are using ingress-nginx.
+
+**Check the installed ingress-nginx version:**
+`kubectl exec -it -n ingress-nginx deploy/ingress-nginx-controller -- /nginx-ingress-controller --version`
+
+
+Affected versions:
+- `< v1.11.0`
+- `v1.11.0 - v1.11.4`
+- `v1.12.0`
+
+**Note**: If you are using an affected version, immediately follow the solutions or mitigations provided in this document.
+
+## 4. Solutions
+
+### 1. Upgrade (Recommended by Nginx Community)
+
+Upgrade to one of the following secure versions:
+- v1.11.5
+- v1.12.1 or higher
+
+### 2. Upgrade Fix (KubeSphere Gateway)
+
+**For KS/KSE v4.1.3, follow the steps below to upgrade the Gateway.**
+
+- **Before KS/KSE v4.1.3**: First, upgrade to v4.1.3.
+- **Upgrade KubeSphere Gateway to v1.0.4** (Ingress-Nginx controller version v1.12.1).
+
+For the upgrade method of Gateway extension components, refer to the [Gateway Upgrade Guide](https://dev.to/palapala/upgrade-gateway-to-v104-fie).
+
+### 3. Temporary Mitigations
+
+If an immediate upgrade is not possible, apply the following temporary mitigations:
+
+**CVE-2025-1097 Mitigation**
+- Check and remove any `auth-tls-match-cn` annotation in all Ingress resources:
+```
+
+# Check
+kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTH_TLS_MATCH_CN:.metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-tls-match-cn'
+
+# Remove
+kubectl annotate ingress -n <namespace> <IngressName> nginx.ingress.kubernetes.io/auth-tls-match-cn-
+```
+
+**CVE-2025-24514 Mitigation**
+- Check and remove any `auth-url` annotation in all Ingress resources:
+
+```
+# Check
+kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTH_URL:.metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-url'
+
+# Remove
+kubectl annotate ingress -n <namespace> <IngressName> nginx.ingress.kubernetes.io/auth-url-
+```
+
+- Or enable the `enable-annotation-validation` parameter (enabled by default since v1.12.0, but needs manual configuration in older versions):
+
+
+```
+# Check if annotation validation is enabled
+kubectl get deployment -n ingress-nginx ingress-nginx-controller -o yaml | grep enable-annotation-validation
+
+# If not enabled, edit the deployment to add the parameter
+kubectl edit deployment -n ingress-nginx ingress-nginx-controller
+# Add --enable-annotation-validation=true
+# Save, and the controller will restart automatically
+```
+
+
+**CVE-2025-24513 and CVE-2025-1974 Mitigation**
+
+KubeSphere Gateway does not enable Admission Controller by default. Use the following methods to check whether your gateway has enabled the Admission Controller.
+
+**Check all releases:**
+
+
+`helm list -n A | grep kubesphere-router`
+
+**Check if Admission Controller is enabled in any release:**
+
+`helm get values [RELEASE_NAME] -n [RELEASE_NAMESPACE]`
+
+
+If `controller.admissionWebhooks.enabled` is true, immediately contact QingCloud technical support for resolution.
+
+If you installed ingress-nginx manually, use the following method to check and resolve the issue.
+
+- Disable Admission Controller (Note: This is a temporary mitigation. If upgraded to secure versions v1.11.5 or v1.12.1, you do not need to disable it):
+
+**If using Helm to install ingress-nginx:**
+
+
+
+```
+# Reinstall with Helm parameters to disable admission webhook
+helm upgrade [RELEASE_NAME] ingress-nginx/ingress-nginx \
+  --set controller.admissionWebhooks.enabled=false \
+  -n ingress-nginx
+```
+
+**If manually installing ingress-nginx:**
+
+
+```
+# Method 1: Delete ValidatingWebhookConfiguration
+kubectl delete validatingwebhookconfigurations ingress-nginx-admission
+
+# Method 2: Edit Deployment or DaemonSet to remove --validating-webhook parameter
+kubectl edit deployment -n ingress-nginx ingress-nginx-controller
+# Find the containers.args section and delete the --validating-webhook related lines
+```
+
+**Important**: Upgrading to a secure version (v1.11.5, v1.12.1, or higher) is the complete fix for all vulnerabilities. Disabling Admission Controller is only a temporary measure when an upgrade is not possible. Keep Admission Controller enabled after upgrading to ensure proper functionality.
+
+**CVE-2025-1098 Mitigation**
+- Check and remove any `mirror-target` and `mirror-host` annotations in all Ingress resources:
+
+
+
+```
+# Check
+kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,MIRROR_TARGET:.metadata.annotations.nginx\.ingress\.kubernetes\.io/mirror-target,MIRROR_HOST:.metadata.annotations.nginx\.ingress\.kubernetes\.io/mirror-host'
+
+# Remove
+kubectl annotate ingress -n <namespace> <IngressName> nginx.ingress.kubernetes.io/mirror-target- kubectl annotate ingress -n <namespace> <IngressName> nginx.ingress.kubernetes.io/mirror-host-
+
+```
+
+## 5. Detection Methods
+
+### Detect Suspicious Configurations and Activities
+Use the following commands to check for suspicious configurations or activities:
+
+1. Check for potentially exploited `auth-tls-match-cn` annotations (CVE-2025-1097):
+
+`kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTH_TLS_MATCH_CN:.metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-tls-match-cn'`
+
+- Check for suspicious content, especially annotations with special characters such as `#`, `}}`, newline characters, etc.
+
+2. Check for potentially exploited `auth-url` annotations (CVE-2025-24514):
+
+`kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTH_URL:.metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-url'`
+
+- Check for suspicious content, especially URLs containing `#;` or newline characters.
+
+ 3. Check if Admission Controller is enabled (relevant for CVE-2025-24513 and CVE-2025-1974):
+
+`kubectl get validatingwebhookconfigurations -l app.kubernetes.io/name=ingress-nginx`
+
+- If results return, Admission Controller is enabled, which could pose a risk of attack.
+
+4. Check for potentially exploited `mirror-target` or `mirror-host` annotations (CVE-2025-1098):
+
+`kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,MIRROR_TARGET:.metadata.annotations.nginx\.ingress\.kubernetes\.io/mirror-target,MIRROR_HOST:.metadata.annotations.nginx\.ingress\.kubernetes\.io/mirror-host'`
+
+-  Check for suspicious content.
+
+5. Check Pod logs for suspicious activities:
+
+`kubectl logs -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx --tail=1000 | grep -E "error|warn|critical|suspicious|unauthorized"`
+
+
+- If suspicious configurations or activities are detected, isolate affected resources immediately and contact the security team for further analysis.
+
+## 6. Security Best Practices
+- Implement strict gateway access control.
+- Configure gateway routing isolation policies.
+- Enable TLS.
+- Restrict Ingress resource access.
+- Enable audit logging and monitoring.
+- Implement RBAC with least privilege.
+- Regularly check and upgrade the ingress-nginx controller.
+- Ensure Admission Controller is not exposed externally.
+- Implement network policies to limit Pod network communication.
+
+## 7. Technical Support
+
+If evidence of exploitation is found or technical support is needed, please contact:
+
+- KubeSphere Security Team: security@kubesphere.io
+- GitHub Issues: [KubeSphere GitHub Issues](https://github.com/kubesphere/kubesphere/issues)
+
+## 8. Reference Information
+- [Ingress-Nginx Upgrade Documentation](https://kubernetes.github.io/ingress-nginx/deploy/upgrade/)
+- [Wiz Research: IngressNightmare Vulnerability Analysis](https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities)
+- [Kubernetes Official Blog: Introduction to CVE-2025-1974](https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/)

content/zh/news/KubeSphere Gateway Component (ingress-nginx) Security-zh.md

@@ -0,0 +1,229 @@
+---
+title: 'KubeSphere 网关组件（ingress-nginx）安全漏洞公告'
+tag: '产品动态'
+keyword: '社区, 安全, KubeSphere, 网关, 权限控制'
+description: '近期，Kubernetes 官方维护的 Ingress-Nginx 控制器被发现存在多个高危漏洞，包括权限提升、信息泄露、安全绕过和目录遍历等问题。'
+createTime: '2025-4-3'
+author: 'KubeSphere'
+image: 'https://pek3b.qingstor.com/kubesphere-community/images/ingress-nginx-zh-2025.png'
+---
+
+近期，Kubernetes 官方维护的 Ingress-Nginx 控制器被发现存在多个高危漏洞，包括权限提升、信息泄露、安全绕过和目录遍历等问题。这些漏洞影响了 KubeSphere 和 KSE 的多个版本，攻击者利用这些漏洞，可能在未经授权的情况下执行任意代码、访问敏感信息，甚至完全控制集群。
+
+鉴于这些漏洞的严重性，建议受影响的用户立即采取措施，确保集群安全。
+
+# KubeSphere 网关组件（ingress-nginx）安全漏洞公告
+
+## 1. 漏洞概述
+
+### 影响版本：
+- KubeSphere & KSE v3.x 所有版本
+- KubeSphere & KSE v4.1.x 所有版本
+
+### 漏洞等级：严重
+### 漏洞类型：
+权限提升、信息泄露、安全绕过、目录遍历
+
+### 相关漏洞一览：
+
+| 漏洞编号         | 类型     | CVSS评分 | 简述                                           | 详细信息     |
+|------------------|----------|----------|------------------------------------------------|--------------|
+| CVE-2025-1097    | 配置注入 | 8.8（高危） | 通过 `auth-tls-match-cn` 注解注入恶意配置，可导致任意代码执行和信息泄露 | [官方链接](https://github.com/kubernetes/kubernetes/issues/131007) |
+| CVE-2025-24514   | 配置注入 | 8.8（高危） | 通过 `auth-url` 注解注入恶意配置，可导致任意代码执行和信息泄露 | [官方链接](https://github.com/kubernetes/kubernetes/issues/131006) |
+| CVE-2025-24513   | 目录遍历 | 4.8（中危） | Admission Controller 中的文件路径遍历，可能导致拒绝服务和信息泄露 | [官方链接](https://github.com/kubernetes/kubernetes/issues/131005)|
+| CVE-2025-1974    | 远程代码执行 | 9.8（严重） | Pod网络可达的未授权远程代码执行漏洞，可导致完全控制集群 | [官方链接](https://github.com/kubernetes/kubernetes/issues/131009)|
+| CVE-2025-1098    | 配置注入 | 8.8（高危） | 通过`mirror-target`和`mirror-host`注解注入恶意配置，可导致任意代码执行和信息泄露 | [官方链接](https://github.com/kubernetes/kubernetes/issues/131008) |
+
+## 2. 漏洞影响分析
+
+这些漏洞主要通过以下方式影响系统：
+- **代码执行风险**：CVE-2025-1097、CVE-2025-24514、CVE-2025-1098 和 CVE-2025-1974 都可能导致在 ingress-nginx 控制器上下文中执行任意代码。
+- **信息泄露**：由于默认情况下，ingress-nginx 控制器可访问集群内所有命名空间中的 Secrets，这可能导致敏感凭证泄露。
+- **未授权访问**：特别是 CVE-2025-1974，任何能够访问 Pod 网络的攻击者无需认证即可获取集群控制权，CVSS 评分高达 9.8（严重）。
+- **缓解条件**：对于 CVE-2025-24514，如果已启用 `enable-annotation-validation` 参数（v1.12.0 起默认启用），则不受该漏洞影响。
+
+
+## 3. 验证是否受影响
+请执行以下步骤检查您的系统是否受影响：
+
+ **确认是否使用 ingress-nginx 组件：**
+
+
+`kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx`
+
+如果命令返回结果，表明您正在使用 ingress-nginx。
+
+ **检查已安装的 ingress-nginx 版本：**
+
+`kubectl exec -it -n ingress-nginx deploy/ingress-nginx-controller -- /nginx-ingress-controller --version`
+
+受影响版本：
+
+- `< v1.11.0`
+- `v1.11.0 - v1.11.4`
+- `v1.12.0`
+
+**注意：** 如果您使用的是受影响版本，请立即采取本文档中的解决方案或缓解措施。
+
+## 4. 解决方案
+### 1. 升级（nginx 社区推荐方案）
+升级至以下安全版本之一：
+- v1.11.5
+- v1.12.1或更高版本
+
+### 2. 升级修复（KubeSphere 产品中的网关）
+
+**KS/KSE v4.1.3 参考下方步骤升级网关。**
+
+- **v4.1.3 之前的 KS/KSE：** 请先升级至 v4.1.3。
+
+- **将Kubesphere 网关升级到 v1.0.4 版本**（Ingress-Nginx controller 版本 v1.12.1）。
+
+**Gateway 扩展组件升级方法可参考：**[Gateway升级指南](https://ask.kubesphere.com.cn/forum/d/24664-sheng-ji-gateway-zhi-v104) 
+
+### 3. 临时缓解措施
+如无法立即升级，可执行以下临时缓解措施：
+
+**CVE-2025-1097 缓解措施**
+- 检查并移除所有 Ingress 中的 `auth-tls-match-cn `注解：
+
+```
+# 检查
+kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTH_TLS_MATCH_CN:.metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-tls-match-cn'
+
+# 移除
+kubectl annotate ingress -n <命名空间> <Ingress名称> nginx.ingress.kubernetes.io/auth-tls-match-cn-
+```
+
+
+
+**CVE-2025-24514 缓解措施**
+检查并移除所有 Ingress 中的 `auth-url` 注解：
+
+```
+# 检查
+kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTH_URL:.metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-url'
+
+# 移除
+kubectl annotate ingress -n <命名空间> <Ingress名称> nginx.ingress.kubernetes.io/auth-url-
+```
+
+
+- 或启用 `enable-annotation-validation` 参数（此参数在 v1.12.0 起默认启用，但低版本需手动配置）：
+
+```
+# 检查是否启用了注解验证功能
+kubectl get deployment -n ingress-nginx ingress-nginx-controller -o yaml | grep enable-annotation-validation
+
+# 如未启用，编辑 deployment 加入参数
+kubectl edit deployment -n ingress-nginx ingress-nginx-controller
+# 添加 --enable-annotation-validation=true
+# 保存后控制器会自动重启
+```
+
+
+**CVE-2025-24513 和 CVE-2025-1974 缓解措施**
+
+KubeSphere 网关默认不开启 Admission Controller，通过以下方法检查您的网关是否开启了 Admission Controller。
+
+**检查所有网关的 release**
+
+`helm list -n A | grep kubesphere-router`
+
+**查看所有 release 是否开启了 Admission Controller**
+
+`helm get values [RELEASE_NAME] -n [RELEASE_NAMESPACE]`
+
+如果有 `controller.admissionWebhooks.enabled` 为 true，请立即联系青云技术支持人员为您解决。
+
+如果您自行安装了 ingress-nginx，可使用以下方法检查和解决。
+
+- 禁用 Admission Controller（注意：这仅作为临时缓解措施，如果已升级到安全版本v1.11.5或v1.12.1，则无需禁用）：
+
+**如果使用Helm安装ingress-nginx：**
+
+```
+# 重新安装，设置Helm参数禁用admission webhook
+helm upgrade [RELEASE_NAME] ingress-nginx/ingress-nginx \
+  --set controller.admissionWebhooks.enabled=false \
+  -n ingress-nginx
+```
+**如果手动安装ingress-nginx：**
+
+```
+# 方法1：删除ValidatingWebhookConfiguration
+kubectl delete validatingwebhookconfigurations ingress-nginx-admission
+
+# 方法2：编辑Deployment或DaemonSet，移除--validating-webhook参数
+kubectl edit deployment -n ingress-nginx ingress-nginx-controller
+# 找到containers.args部分，删除--validating-webhook相关行
+```
+**重要提示：** 升级到安全版本（v1.11.5、v1.12.1或更高版本）是解决所有漏洞的完整修复方案。禁用Admission Controller仅是在无法立即升级时的临时措施。升级后应保持Admission Controller启用，以确保正常功能。
+
+**CVE-2025-1098 缓解措施**
+- 检查并移除所有 Ingress 中的 `mirror-target` 和 `mirror-host` 注解：
+
+```
+# 检查
+kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,MIRROR_TARGET:.metadata.annotations.nginx\.ingress\.kubernetes\.io/mirror-target,MIRROR_HOST:.metadata.annotations.nginx\.ingress\.kubernetes\.io/mirror-host'
+
+# 移除
+kubectl annotate ingress -n <命名空间> <Ingress名称> nginx.ingress.kubernetes.io/mirror-target-
+kubectl annotate ingress -n <命名空间> <Ingress名称> nginx.ingress.kubernetes.io/mirror-host-
+```
+
+## 5. 检测方法
+### 可疑配置和活动检测
+使用以下命令检查可能被利用的配置或可疑活动：
+
+ 1. 检查可能被用于攻击的 `auth-tls-match-cn` 注解（CVE-2025-1097）：
+
+`kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTH_TLS_MATCH_CN:.metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-tls-match-cn'`
+
+-  检查返回结果中是否有可疑内容，特别注意包含特殊字符如 `#`、`}}`、换行符等的注解值。
+
+ 2. 检查可能被用于攻击的 `auth-url` 注解（CVE-2025-24514）：
+
+`kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTH_URL:.metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-url'`
+  - 检查返回结果中是否有可疑内容，特别注意包含 #; 或换行符的URL。
+
+ 3. 检查 Admission Controller 是否开启，这与 CVE-2025-24513 和 CVE-2025-1974 相关：
+
+`kubectl get validatingwebhookconfigurations -l app.kubernetes.io/name=ingress-nginx`
+- 如果返回结果，表示 Admission Controller 已开启，可能存在被攻击的风险。
+
+4. 检查可能被用于攻击的` mirror-target` 或 `mirror-host` 注解（CVE-2025-1098）：
+
+`kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,MIRROR_TARGET:.metadata.annotations.nginx\.ingress\.kubernetes\.io/mirror-target,MIRROR_HOST:.metadata.annotations.nginx\.ingress\.kubernetes\.io/mirror-host'`
+
+- 检查返回结果中是否有可疑内容。
+
+5. 检查 Pod 日志中是否有可疑活动：
+
+`kubectl logs -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx --tail=1000 | grep -E "error|warn|critical|suspicious|unauthorized"`
+
+- 如果发现可疑配置或活动，请立即隔离受影响的资源并联系安全团队进行进一步分析。
+
+## 6. 安全最佳实践
+- 实施严格的网关访问控制
+- 配置网关路由隔离策略
+- 启用 TLS
+- 限制 Ingress 资源访问权限
+- 启用审计日志监控
+- 实施 RBAC 最小权限原则
+- 定期检查和升级 ingress-nginx 控制器
+- 确保admission控制器不对外暴露
+- 实施网络策略限制Pod网络通信
+
+## 7. 技术支持
+
+如发现漏洞利用证据或需要技术支持，请联系：
+
+- KubeSphere 安全团队：security@kubesphere.io
+- GitHub Issues：[KubeSphere GitHub Issues](https://github.com/kubesphere/kubesphere/issues)
+
+
+## 8. 参考信息
+- [ingress-nginx 升级文档](https://kubernetes.github.io/ingress-nginx/deploy/upgrade/) 
+- [Wiz Research: IngressNightmare漏洞分析](https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities)
+- [Kubernetes 官方博客: CVE-2025-1974简介](https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/)