Restrict NGINX Ingress annotation values in CEL expressions
This policy mitigates CVE-2021-25746 by restricting `metadata.annotations` to safe values. See: https://github.com/kubernetes/ingress-nginx/blame/main/internal/ingress/inspector/rules.go. This issue has been fixed in NGINX Ingress v1.2.0. For NGINX Ingress version 1.0.5+ the "annotation-value-word-blocklist" configuration setting is also recommended. Please refer to the CVE for details.
Policy Definition
/nginx-ingress-cel/restrict-annotations/restrict-annotations.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-annotations
  annotations:
    policies.kyverno.io/title: Restrict NGINX Ingress annotation values in CEL expressions
    policies.kyverno.io/category: Security, NGINX Ingress in CEL
    policies.kyverno.io/severity: high
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/minversion: "1.11.0"
    kyverno.io/kyverno-version: "1.11.0"
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      This policy mitigates CVE-2021-25746 by restricting `metadata.annotations` to safe values.
      See: https://github.com/kubernetes/ingress-nginx/blame/main/internal/ingress/inspector/rules.go.
      This issue has been fixed in NGINX Ingress v1.2.0. For NGINX Ingress version 1.0.5+ the
      "annotation-value-word-blocklist" configuration setting is also recommended.
      Please refer to the CVE for details.
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-ingress
      match:
        any:
          - resources:
              kinds:
                - networking.k8s.io/v1/Ingress
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          expressions:
            # Admit an Ingress that carries no annotations at all; otherwise every
            # annotation value must match none of the blocked patterns. CEL's
            # matches() is an unanchored RE2 search, so a pattern may hit anywhere
            # inside the value.
            - expression: >-
                !has(object.metadata.annotations) ||
                (
                  !object.metadata.annotations.exists(annotation, object.metadata.annotations[annotation].matches('\\s*alias\\s*.*;')) &&
                  !object.metadata.annotations.exists(annotation, object.metadata.annotations[annotation].matches('\\s*root\\s*.*;')) &&
                  !object.metadata.annotations.exists(annotation, object.metadata.annotations[annotation].matches('/etc/(passwd|shadow|group|nginx|ingress-controller)')) &&
                  !object.metadata.annotations.exists(annotation, object.metadata.annotations[annotation].matches('/var/run/secrets')) &&
                  !object.metadata.annotations.exists(annotation, object.metadata.annotations[annotation].matches('.*_by_lua.*'))
                )
              # The rule inspects metadata.annotations, so the failure message names that
              # field (the original message referred to spec.rules[].http.paths[].path).
              message: "metadata.annotations value is not allowed"
```
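To check which Ingress manifests this rule admits before rolling it out in Enforce mode, the CEL expression above can be mirrored offline. The following is an added example, not part of the Kyverno policy library: it re-uses the policy's five patterns with Python's `re.search` (the equivalent of CEL's unanchored `matches()`) and runs them over constructed sample manifests.

```python
import re

# The five blocked patterns copied from the policy's CEL expression. CEL's
# string.matches() is an unanchored RE2 search, so re.search is the equivalent.
BLOCKED_PATTERNS = [
    re.compile(r"\s*alias\s*.*;"),
    re.compile(r"\s*root\s*.*;"),
    re.compile(r"/etc/(passwd|shadow|group|nginx|ingress-controller)"),
    re.compile(r"/var/run/secrets"),
    re.compile(r".*_by_lua.*"),
]


def violating_annotations(ingress: dict) -> list:
    """Return (annotation key, pattern) pairs the policy would reject.

    Mirrors the expression: an Ingress without annotations is admitted
    (!has(object.metadata.annotations)); otherwise every annotation value
    must match none of the blocked patterns.
    """
    annotations = ingress.get("metadata", {}).get("annotations")
    if not annotations:
        return []
    hits = []
    for key, value in annotations.items():
        for pattern in BLOCKED_PATTERNS:
            if pattern.search(str(value)):
                hits.append((key, pattern.pattern))
    return hits


def admit(ingress: dict) -> bool:
    """True when the Ingress would pass the validate.cel rule."""
    return not violating_annotations(ingress)


# Constructed sample manifests (not taken from the page).
ALLOWED_INGRESS = {
    "kind": "Ingress",
    "metadata": {"name": "web", "annotations": {
        "nginx.ingress.kubernetes.io/proxy-read-timeout": "60"}},
}
BLOCKED_INGRESS = {
    "kind": "Ingress",
    "metadata": {"name": "web", "annotations": {
        "nginx.ingress.kubernetes.io/server-snippet": "location /s { alias /srv/static; }"}},
}
```

Running `violating_annotations(BLOCKED_INGRESS)` names the offending annotation key and pattern, which is more useful for triage than the single policy message.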