Disallow Custom Snippets

Users that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster (CVE-2021-25742). This policy disables allow-snippet-annotations in the ingress-nginx configuration and blocks *-snippet annotations on an Ingress. See: https://github.com/kubernetes/ingress-nginx/issues/7837

Policy Definition

/nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-ingress-nginx-custom-snippets
  annotations:
    policies.kyverno.io/title: Disallow Custom Snippets
    policies.kyverno.io/category: Security, NGINX Ingress
    policies.kyverno.io/subject: ConfigMap, Ingress
    policies.kyverno.io/minversion: "1.6.0"
    kyverno.io/kyverno-version: "1.6.0"
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      Users that can create or update ingress objects can use the custom snippets
      feature to obtain all secrets in the cluster (CVE-2021-25742). This policy
      disables allow-snippet-annotations in the ingress-nginx configuration and
      blocks *-snippet annotations on an Ingress.
      See: https://github.com/kubernetes/ingress-nginx/issues/7837
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-config-map
      match:
        any:
        - resources:
            kinds:
            - ConfigMap
      validate:
        message: "ingress-nginx allow-snippet-annotations must be set to false"
        pattern:
          =(data):
            =(allow-snippet-annotations) : "false"
    - name: check-ingress-annotations
      match:
        any:
        - resources:
            kinds:
            - networking.k8s.io/v1/Ingress
      validate:
        message: "ingress-nginx custom snippets are not allowed"
        pattern:
          metadata:
            =(annotations):
              X(*-snippet): "?*"
```
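The two rules rely on Kyverno pattern anchors: `=()` makes a key conditional (validated only when present), and `X()` is a negation anchor that fails the object when a key matching `*-snippet` carries a non-empty value (`"?*"`). The following Python is an added illustration of that evaluation logic over constructed sample manifests; it is not Kyverno code or part of this policy, and the manifests and helper names are assumptions made for the example.

```python
import fnmatch

# Constructed sample objects (not from the page), shaped like what the
# admission webhook would receive for the two rules.
CONFIGMAP_OK = {"kind": "ConfigMap", "data": {"allow-snippet-annotations": "false"}}
CONFIGMAP_BAD = {"kind": "ConfigMap", "data": {"allow-snippet-annotations": "true"}}
CONFIGMAP_NO_KEY = {"kind": "ConfigMap", "data": {"use-forwarded-headers": "true"}}
INGRESS_OK = {"kind": "Ingress",
              "metadata": {"annotations": {"kubernetes.io/ingress.class": "nginx"}}}
INGRESS_BAD = {"kind": "Ingress",
               "metadata": {"annotations": {
                   "nginx.ingress.kubernetes.io/server-snippet": "return 200;"}}}

CM_MESSAGE = "ingress-nginx allow-snippet-annotations must be set to false"
INGRESS_MESSAGE = "ingress-nginx custom snippets are not allowed"


def check_config_map(obj):
    """Rule check-config-map: `=(data)` and `=(allow-snippet-annotations)` are
    conditional anchors, so the value is only checked when the key exists,
    and then it must equal the string "false"."""
    data = obj.get("data") or {}
    if "allow-snippet-annotations" not in data:
        return None  # anchor condition not met: rule passes
    return None if data["allow-snippet-annotations"] == "false" else CM_MESSAGE


def check_ingress_annotations(obj):
    """Rule check-ingress-annotations: `X(*-snippet): "?*"` is a negation
    anchor, so any annotation key matching *-snippet with at least one
    character of value fails the object."""
    annotations = (obj.get("metadata") or {}).get("annotations") or {}
    for key, value in annotations.items():
        if fnmatch.fnmatchcase(key, "*-snippet") and value:
            return INGRESS_MESSAGE
    return None


def evaluate(obj):
    """Dispatch on kind like the rules' match blocks; return the
    validation message on failure or None when the object is admitted."""
    if obj.get("kind") == "ConfigMap":
        return check_config_map(obj)
    if obj.get("kind") == "Ingress":
        return check_ingress_annotations(obj)
    return None
```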