Security: Harden socket creation and validate error code input.

[oyiz-michael]

What this PR does / why we need it

This PR hardens ingress-nginx in maintenance mode by addressing security and reliability issues:

Security

• Socket permissions (CWE-732): Control/metrics Unix socket was created with 0777. Tightened to 0660 to restrict access to owner/group.
• Input validation: Harden parsing for HTTP error-code input (trim whitespace, ignore empties, validate numeric values).

Reliability

• Startup robustness: Ensure parent directory exists before socket creation (os.MkdirAll), preventing crashes in minimal container images.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• CVE Report (Scanner found CVE and adding report)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation only

Which issue/s this PR fixes

How Has This Been Tested?

Socket Security Tests:
Assert final socket mode: stat.Mode() & os.ModePerm == 0o660
Startup when parent dir missing → succeeds and creates dir with 0o755
Parent path exists but is file → returns clear error

Input Validation Tests:
Error-code parsing: ["", " ", "abc", "599", "200", "200, 201"] → validated correctly
Whitespace trimming and empty value handling
Malformed input rejection with clear error messages

Unit Tests:
go test ./internal/ingress/metric/collectors -v - Socket collector tests pass
go test ./internal/ingress/annotations/customhttperrors -v - Input validation tests pass with new trimming logic
Security Validation:

Verified 0o660 permissions still allow NGINX master/worker processes (same group) to access socket
Confirmed directory creation uses secure 0o755 permissions via os.MkdirAll
Tested input validation handles empty strings, whitespace, and malformed error codes
Regression Testing:

All existing functionality preserved
No breaking changes to metrics collection or error handling
Socket communication works normally with hardened permissions

Checklist:

• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I've read the CONTRIBUTION guide
• I have added unit and/or e2e tests to cover my changes.
• All new and existing tests passed.

[netlify]

✅ Deploy Preview for kubernetes-ingress-nginx canceled.

Name	Link
🔨 Latest commit	7a7f134
🔍 Latest deploy log	https://app.netlify.com/projects/kubernetes-ingress-nginx/deploys/68a0c625f23c2e000815aa45

[k8s-ci-robot]

Welcome @oyiz-michael!

It looks like this is your first PR to kubernetes/ingress-nginx 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/ingress-nginx has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @oyiz-michael. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[Gacko]

/triage accepted
/kind cleanup
/priority backlog

[Gacko]

/cherry-pick release-1.13

[Gacko]

/cherry-pick release-1.12

[k8s-infra-cherrypick-robot]

@Gacko: once the present PR merges, I will cherry-pick it on top of release-1.13 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[Gacko]

/lgtm

[k8s-infra-cherrypick-robot]

@Gacko: once the present PR merges, I will cherry-pick it on top of release-1.12 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.12

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Gacko, oyiz-michael

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Gacko]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Gacko]

/ok-to-test

[k8s-infra-cherrypick-robot]

@Gacko: new pull request created: #13785

In response to this:

/cherry-pick release-1.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-infra-cherrypick-robot]

@Gacko: new pull request created: #13786

In response to this:

/cherry-pick release-1.12

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[oyiz-michael]

/assign