Disallow Custom Snippets in CEL expressions
Users who can create or update Ingress objects can use the ingress-nginx custom snippets feature to inject arbitrary NGINX configuration into the controller and thereby obtain all secrets in the cluster (CVE-2021-25742). This policy rejects any ConfigMap that sets allow-snippet-annotations to a value other than "false", and rejects any Ingress carrying an annotation whose key ends in -snippet (for example nginx.ingress.kubernetes.io/configuration-snippet or nginx.ingress.kubernetes.io/server-snippet). Two caveats for operators: the ConfigMap rule matches every ConfigMap in the cluster, and a ConfigMap that omits the key passes because the expression treats a missing key as "false", so on a controller version whose built-in default for allow-snippet-annotations is true the key must still be written explicitly; and because the rules only apply to CREATE and UPDATE, Ingresses that already carry snippet annotations are not removed by admission. See: https://github.com/kubernetes/ingress-nginx/issues/7837
Policy Definition
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-ingress-nginx-custom-snippets
  annotations:
    policies.kyverno.io/title: Disallow Custom Snippets in CEL expressions
    policies.kyverno.io/category: Security, NGINX Ingress in CEL
    policies.kyverno.io/subject: ConfigMap, Ingress
    policies.kyverno.io/minversion: "1.11.0"
    kyverno.io/kyverno-version: "1.11.0"
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      Users that can create or update ingress objects can use the custom snippets
      feature to obtain all secrets in the cluster (CVE-2021-25742). This policy
      disables allow-snippet-annotations in the ingress-nginx configuration and
      blocks *-snippet annotations on an Ingress.
      See: https://github.com/kubernetes/ingress-nginx/issues/7837
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-config-map
      match:
        any:
          - resources:
              kinds:
                - ConfigMap
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          expressions:
            - expression: "object.?data[?'allow-snippet-annotations'].orValue('false') == 'false'"
              message: "ingress-nginx allow-snippet-annotations must be set to false"
    - name: check-ingress-annotations
      match:
        any:
          - resources:
              kinds:
                - networking.k8s.io/v1/Ingress
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          expressions:
            - expression: "!object.metadata.?annotations.orValue([]).exists(annotation, annotation.endsWith('-snippet'))"
              message: "ingress-nginx custom snippets are not allowed"
```
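A `kyverno test` fixture for this policy, added here as a worked example; it is not part of the Kyverno policy library. The block holds two files separated by comment headers: `resources.yaml` with three constructed ConfigMaps and two constructed Ingresses (all names, namespaces and hosts are made up), and `kyverno-test.yaml`, which asserts that the snippet-enabling ConfigMap and the Ingress carrying a `configuration-snippet` annotation are rejected while the others pass. It assumes the policy above is saved in the same directory as `disallow-ingress-nginx-custom-snippets.yaml`.

```yaml
# ---- resources.yaml: constructed sample objects, not taken from a real cluster ----
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller-snippets-on
  namespace: ingress-nginx
data:
  allow-snippet-annotations: "true"      # expected: fail (check-config-map)
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller-snippets-off
  namespace: ingress-nginx
data:
  allow-snippet-annotations: "false"     # expected: pass
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller-key-absent
  namespace: ingress-nginx
data:
  use-forwarded-headers: "true"          # key missing: orValue('false') applies, expected: pass
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-with-snippet
  namespace: default
  annotations:
    # key ends in "-snippet": these raw NGINX directives would land in the generated config
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "X-Debug: on";
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.test
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: {name: app, port: {number: 80}}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-without-snippet
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /   # ordinary annotation, expected: pass
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.test
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: {name: app, port: {number: 80}}

# ---- kyverno-test.yaml: run with `kyverno test .` in the same directory ----
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
  name: disallow-ingress-nginx-custom-snippets
policies:
  - disallow-ingress-nginx-custom-snippets.yaml   # the policy above, saved under this (assumed) file name
resources:
  - resources.yaml
results:
  - policy: disallow-ingress-nginx-custom-snippets
    rule: check-config-map
    kind: ConfigMap
    resources: [ingress-nginx-controller-snippets-on]
    result: fail
  - policy: disallow-ingress-nginx-custom-snippets
    rule: check-config-map
    kind: ConfigMap
    resources: [ingress-nginx-controller-snippets-off, ingress-nginx-controller-key-absent]
    result: pass
  - policy: disallow-ingress-nginx-custom-snippets
    rule: check-ingress-annotations
    kind: Ingress
    resources: [ingress-with-snippet]
    result: fail
  - policy: disallow-ingress-nginx-custom-snippets
    rule: check-ingress-annotations
    kind: Ingress
    resources: [ingress-without-snippet]
    result: pass
```

The CLI evaluates each resource as a CREATE admission request, which is why the `operations` filter in both rules is satisfied. The `ingress-nginx-controller-key-absent` case is deliberately included as a passing result: it documents that the policy cannot tell an explicitly disabled feature from an unconfigured one, so a controller whose own default is true still needs the key set to "false" in its ConfigMap.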