Restrict NGINX Ingress path values in CEL expressions
This policy mitigates CVE-2021-25745 by restricting `spec.rules[].http.paths[].path` to safe values. Additional paths can be added as required. This issue has been fixed in NGINX Ingress v1.2.0. Please refer to the CVE for details.
Policy Definition
/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-ingress-paths
  annotations:
    policies.kyverno.io/title: Restrict NGINX Ingress path values in CEL expressions
    policies.kyverno.io/category: Security, NGINX Ingress in CEL
    policies.kyverno.io/severity: high
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/minversion: "1.11.0"
    kyverno.io/kyverno-version: "1.11.0"
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      This policy mitigates CVE-2021-25745 by restricting `spec.rules[].http.paths[].path` to safe values.
      Additional paths can be added as required. This issue has been fixed in NGINX Ingress v1.2.0.
      Please refer to the CVE for details.
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-paths
      match:
        any:
        - resources:
            kinds:
              - networking.k8s.io/v1/Ingress
            operations:
              - CREATE
              - UPDATE
      validate:
        cel:
          expressions:
            # `.?field.orValue([])` is CEL optional chaining: a missing rules, http or
            # paths field is treated as an empty list, so the rule does not error on
            # Ingress objects that only define a defaultBackend.
            - expression: >-
                object.spec.?rules.orValue([]).all(rule,
                rule.?http.?paths.orValue([]).all(p,
                !p.path.contains('/etc') && !p.path.contains('/var/run/secrets') &&
                !p.path.contains('/root') && !p.path.contains('/var/run/kubernetes/serviceaccount') &&
                !p.path.contains('/etc/kubernetes/admin.conf')))
              message: "spec.rules[].http.paths[].path value is not allowed"
```
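As an added example (not part of the Kyverno policy or its repository), the Python below mirrors the CEL expression over constructed Ingress objects so the rule's behaviour can be exercised offline: optional chaining admits an Ingress with no rules, and `contains` is a substring test, so a path such as `/api/etcd-backup` is also rejected. The helper names and sample manifests are assumptions of this example.

```python
from typing import Any, Dict, List

# Substrings rejected by the policy's CEL expression (copied from the page).
DENIED_SUBSTRINGS = (
    "/etc",
    "/var/run/secrets",
    "/root",
    "/var/run/kubernetes/serviceaccount",
    "/etc/kubernetes/admin.conf",
)

def offending_paths(ingress: Dict[str, Any]) -> List[str]:
    """Return every path the policy's expression would reject.

    Mirrors the CEL: each `.?field.orValue([])` treats a missing rules/http/paths
    field as an empty list, so an Ingress with only a defaultBackend is admitted.
    `contains` is a plain substring test, reproduced here with `in`.
    """
    rejected = []
    for rule in ingress.get("spec", {}).get("rules") or []:
        for p in (rule.get("http") or {}).get("paths") or []:
            path = p.get("path", "")  # path is optional in HTTPIngressPath; treated as empty here
            if any(s in path for s in DENIED_SUBSTRINGS):
                rejected.append(path)
    return rejected

def admitted(ingress: Dict[str, Any]) -> bool:
    """True when the Enforce-mode policy would let the Ingress through."""
    return not offending_paths(ingress)

def make_ingress(name: str, paths: List[str]) -> Dict[str, Any]:
    """Constructed sample Ingress with one rule carrying the given paths."""
    http_paths = [
        {"path": p, "pathType": "Prefix",
         "backend": {"service": {"name": "app", "port": {"number": 80}}}}
        for p in paths
    ]
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {"name": name},
        "spec": {"rules": [{"host": "app.example.test", "http": {"paths": http_paths}}]},
    }

if __name__ == "__main__":
    print(admitted(make_ingress("ok", ["/", "/api"])))  # True
    # Substring matching also rejects a legitimate-looking path such as this one.
    print(offending_paths(make_ingress("fp", ["/api/etcd-backup"])))  # ['/api/etcd-backup']
```

When extending the deny list in the real policy, check candidate values against paths your applications actually serve, since any path merely containing one of them is rejected.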