Users that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster (CVE-2021-25742). This policy disables allow-snippet-annotations in the ingress-nginx configuration and blocks *-snippet annotations on an Ingress. See: https://github.com/kubernetes/ingress-nginx/issues/7837
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-ingress-nginx-custom-snippets
  annotations:
    policies.kyverno.io/title: Disallow Custom Snippets
    policies.kyverno.io/category: Security, NGINX Ingress
    policies.kyverno.io/subject: ConfigMap, Ingress
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: "Users that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster (CVE-2021-25742). This policy disables allow-snippet-annotations in the ingress-nginx configuration and blocks *-snippet annotations on an Ingress. See: https://github.com/kubernetes/ingress-nginx/issues/7837"
spec:
  validationFailureAction: Enforce
  rules:
  - name: check-config-map
    match:
      any:
      - resources:
          kinds:
          - ConfigMap
    validate:
      message: ingress-nginx allow-snippet-annotations must be set to false
      pattern:
        "=(data)":
          "=(allow-snippet-annotations)": "false"
  - name: check-ingress-annotations
    match:
      any:
      - resources:
          kinds:
          - networking.k8s.io/v1/Ingress
    validate:
      message: ingress-nginx custom snippets are not allowed
      pattern:
        metadata:
          "=(annotations)":
            X(*-snippet): "?*"
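The policy only acts at admission time, so an offline audit of objects already in the cluster is the natural companion check. The script below is an added example, not part of the Kyverno policy library: it re-implements the two rules above, including the `=()` optional and `X()` negation anchor semantics, over plain manifest dicts such as the `items` of `kubectl get ingress,configmap -A -o json` (the sample objects are constructed).

```python
"""Offline audit of manifests against the two rules of the policy above.
Added example, not part of the Kyverno policy library. It mirrors the
pattern anchors the policy uses:
  =(key)   optional: the key is checked only if present
  X(glob)  negation: no key matching the glob may be present
Sample objects below are constructed, not taken from a real cluster."""

from fnmatch import fnmatchcase

CM_MSG = "ingress-nginx allow-snippet-annotations must be set to false"
ING_MSG = "ingress-nginx custom snippets are not allowed"

def check_config_map(obj):
    """Rule check-config-map: data.allow-snippet-annotations, if present, must be "false"."""
    data = obj.get("data") or {}                    # =(data): no data block passes
    value = data.get("allow-snippet-annotations")   # =(allow-snippet-annotations): absent passes
    return [] if value is None or value == "false" else [CM_MSG]

def check_ingress_annotations(obj):
    """Rule check-ingress-annotations: any annotation key matching *-snippet fails."""
    annotations = obj.get("metadata", {}).get("annotations") or {}   # =(annotations)
    bad = sorted(k for k in annotations if fnmatchcase(k, "*-snippet"))  # X(*-snippet)
    return [f"{ING_MSG}: {k}" for k in bad]

CHECKS = {"ConfigMap": check_config_map, "Ingress": check_ingress_annotations}

def audit(objects):
    """Return {"Kind/namespace/name": [messages]} for every violating object."""
    findings = {}
    for obj in objects:
        check = CHECKS.get(obj.get("kind"))
        if check is None:
            continue
        msgs = check(obj)
        if msgs:
            meta = obj.get("metadata", {})
            findings[f"{obj['kind']}/{meta.get('namespace', '-')}/{meta.get('name', '-')}"] = msgs
    return findings

SAMPLE_OBJECTS = [  # constructed sample manifests
    {"kind": "ConfigMap", "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
     "data": {"allow-snippet-annotations": "true"}},
    {"kind": "ConfigMap", "metadata": {"name": "kube-root-ca.crt", "namespace": "default"},
     "data": {"ca.crt": "<constructed>"}},
    {"kind": "Ingress", "metadata": {"name": "web", "namespace": "app", "annotations":
        {"nginx.ingress.kubernetes.io/server-snippet": "# arbitrary nginx config"}}},
    {"kind": "Ingress", "metadata": {"name": "api", "namespace": "app", "annotations":
        {"nginx.ingress.kubernetes.io/ssl-redirect": "true"}}},
]

if __name__ == "__main__":
    for target, msgs in audit(SAMPLE_OBJECTS).items():
        print(target, "->", "; ".join(msgs))
```

Running it against the samples flags the controller ConfigMap and the `web` Ingress only; the ConfigMap without the key and the Ingress with an unrelated annotation pass, as they would under the policy's optional anchors.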