Konvoy 1.X uses a deployment called opsportal-landing as a splash screen for users logging into their clusters. This deployment schedules a pod with an NGINX container, and security scans may show that this container is vulnerable to CVE-2021-23017. You can read more about this CVE here:
https://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html
As noted in the link above, this CVE only affects you if the `resolver` directive is enabled in the nginx configuration file, which the nginx container in the ops portal pod does not do.
This can be confirmed by inspecting the nginx config file. The configuration file is deployed in the opsportal-landing-conf configmap, which can be retrieved with:
kubectl get cm -n kubeaddons opsportal-landing-conf -oyaml
Inspecting the output of that, we find:
nginx.conf: |
    worker_processes 1;
    error_log /dev/stdout info;
    events {
        worker_connections 1024;
    }
    http {
        server {
            access_log /dev/stdout;
            listen 80;
            root /usr/share/nginx/html;
            location / {
                try_files $uri /index.html;
            }
            location = /index.html {
                expires 30s;
            }
        }
    }
Note that there is no "resolver" directive. Without it, nginx never performs DNS resolution itself, so the resolver code path that contains the bug is never exercised and the issue documented in the CVE cannot be triggered.
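The same check, scripted so it can be repeated after upgrades or applied to other nginx configmaps, as an added example rather than a Konvoy-supplied tool. It strips comments before searching, so a commented-out `# resolver ...` line is not reported; the two sample configs are constructed for the example, and the kubectl invocation in the comment assumes cluster access and is not run here.

```shell
#!/bin/sh
# Added example, not part of the Konvoy article: check an nginx.conf for an
# active "resolver" directive, the precondition for CVE-2021-23017.
# Live usage (assumes kubectl access; not executed by this script):
#   kubectl get cm -n kubeaddons opsportal-landing-conf \
#     -o jsonpath='{.data.nginx\.conf}' | has_resolver

# Reads an nginx config on stdin. Prints "present" and returns 0 when a
# resolver directive is configured, otherwise prints "absent" and returns 1.
# Comments are removed first so "# resolver ..." does not count.
has_resolver() {
    if sed -e 's/#.*$//' \
        | grep -Eq '(^|[[:space:];{}])resolver[[:space:]]+[^;]*;'; then
        echo present
        return 0
    fi
    echo absent
    return 1
}

# Convenience wrapper: check a config held in a string.
check_conf() {
    printf '%s\n' "$1" | has_resolver
}

# Constructed sample 1: the opsportal-landing config quoted in the article.
OPSPORTAL_CONF='worker_processes 1;
error_log /dev/stdout info;
events { worker_connections 1024; }
http {
  server {
    listen 80;
    root /usr/share/nginx/html;
    location / { try_files $uri /index.html; }
  }
}'

# Constructed sample 2: a config that does enable the resolver directive,
# with a commented-out copy that must be ignored.
RESOLVER_CONF='http {
  # resolver 127.0.0.1;
  server {
    resolver 10.96.0.10 valid=30s;
    listen 80;
  }
}'

printf 'opsportal-landing sample: '; check_conf "$OPSPORTAL_CONF" || true
printf 'resolver-enabled sample:  '; check_conf "$RESOLVER_CONF" || true
```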
Even so, constant alerts about this false positive are unwelcome. You can update the version of nginx in the opsportal-landing deployment to stop these alerts with the following command:
kubectl set image deployment/opsportal-landing -n kubeaddons opsportal-landing=nginx:1.21-alpine
This updates the nginx image to the 1.21 release line, in which this CVE is fixed (the fix shipped in nginx 1.21.0 and 1.20.1), so scanners will no longer flag the container.