Annotation Validation is enabled even when --enable-annotation-validation=false #12668

Closed
atalakey4work opened this issue Jan 11, 2025 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments


atalakey4work commented Jan 11, 2025

What happened:

In the Helm chart 4.12.0 release, changes were made to the command line arguments passed to the ingress controller executable. One of these changes is related to the annotation validation command line argument "--enable-annotation-validation". Prior to release 4.12.0, when the ".controller.enableAnnotationValidations" chart value was set to "false", the "--enable-annotation-validation" command line argument was not passed to the ingress controller executable. In release 4.12.0, when the ".controller.enableAnnotationValidations" chart value is set to "false", the "--enable-annotation-validation=false" command line argument is passed to the ingress controller executable. Unfortunately, this does not seem to disable the annotation validation feature, as shown below:

[Screenshots: 2025-01-11 at 9:31:08 AM, 9:54:03 AM, 9:31:26 AM]

What you expected to happen:

The annotation validation feature should be disabled when ".controller.enableAnnotationValidations" chart value is set to "false".

NGINX Ingress controller version (exec into the pod and run /nginx-ingress-controller --version):

v1.12.0

Kubernetes version (use kubectl version):

v1.30.5

How to reproduce this issue:

  1. Install Ingress Nginx Controller via helm chart:
    helm install ingress-nginx ingress-nginx/ingress-nginx --version 4.12.0 --set controller.enableAnnotationValidations=false --set controller.allowSnippetAnnotations=true
  2. Apply ingress custom resource with "nginx.ingress.kubernetes.io/server-snippet" annotation. Example ingress below:
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: example
      namespace: default
      annotations:
        nginx.ingress.kubernetes.io/server-snippet: |-
          proxy_hide_header X-Powered-By;
    spec:
      ingressClassName: nginx
      rules:
      - host: example.test
        http:
          paths:
          - backend:
              service:
                name: example
                port:
                  number: 80
            path: /
            pathType: Prefix
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@Gacko
Member

Gacko commented Jan 11, 2025

The warning you are facing is not about annotation validation, it is about annotation risk levels. The default annotation risk level got reduced to High in v1.12.0. Consider setting the annotation-risk-level ConfigMap value back to Critical.

@saiharshitach

@Gacko quick question here
annotation-risk-level ConfigMap value to Critical
Does this mean it will accept all the annotation risk levels without any errors, even the ones with Critical risk mentioned here? Or it doesn't accept critical annotations?

https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations-risk/

Let's say we want to disable this completely and accept all annotations, even the config and server snippets. Should we just disable the annotation validation to false?
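
To illustrate the distinction drawn in the maintainer's reply, here is an added Go sketch (not part of the thread and not ingress-nginx code) that models the risk gate: an annotation is rejected when its risk exceeds the configured annotation-risk-level, independently of the validation flag. The `Config` type, the `Rejected` function, the risk table and the `hypothetical-low` annotation are assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Risk levels in ascending order, as named in the annotations-risk documentation.
var riskRank = map[string]int{"low": 0, "medium": 1, "high": 2, "critical": 3}

// Constructed table: both snippet annotations are Critical; the third key is made up.
var annotationRisk = map[string]string{
	"nginx.ingress.kubernetes.io/server-snippet":        "critical",
	"nginx.ingress.kubernetes.io/configuration-snippet": "critical",
	"nginx.ingress.kubernetes.io/hypothetical-low":      "low",
}

// Config is a hypothetical stand-in for the two controller settings in this thread.
type Config struct {
	EnableAnnotationValidation bool   // --enable-annotation-validation
	AnnotationRiskLevel        string // annotation-risk-level ConfigMap value
}

// Rejected lists annotations whose risk exceeds the accepted level. It never reads
// EnableAnnotationValidation: in this model the risk gate is a separate check.
func Rejected(cfg Config, annotations map[string]string) ([]string, error) {
	limit, ok := riskRank[strings.ToLower(strings.TrimSpace(cfg.AnnotationRiskLevel))]
	if !ok {
		return nil, fmt.Errorf("unknown annotation-risk-level %q", cfg.AnnotationRiskLevel)
	}
	out := []string{}
	for name := range annotations {
		if level, known := annotationRisk[name]; known && riskRank[level] > limit {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	ing := map[string]string{"nginx.ingress.kubernetes.io/server-snippet": "proxy_hide_header X-Powered-By;"}
	for _, level := range []string{"High", "Critical"} {
		r, err := Rejected(Config{false, level}, ing)
		fmt.Println(level, r, err)
	}
}
```

Raising the accepted level to Critical widens what any Ingress author in the cluster can inject into the NGINX configuration, so it is worth pairing with RBAC that limits who can create Ingress objects.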
