Disallow Custom Snippets

Users that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster (CVE-2021-25742). This policy disables allow-snippet-annotations in the ingress-nginx configuration and blocks *-snippet annotations on an Ingress. See: https://github.com/kubernetes/ingress-nginx/issues/7837

Policy Definition

/nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-ingress-nginx-custom-snippets
  annotations:
    policies.kyverno.io/title: Disallow Custom Snippets
    policies.kyverno.io/category: Security, NGINX Ingress
    policies.kyverno.io/subject: ConfigMap, Ingress
    policies.kyverno.io/minversion: "1.6.0"
    kyverno.io/kyverno-version: "1.6.0"
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      Users that can create or update ingress objects can use the custom snippets
      feature to obtain all secrets in the cluster (CVE-2021-25742). This policy
      disables allow-snippet-annotations in the ingress-nginx configuration and
      blocks *-snippet annotations on an Ingress.
      See: https://github.com/kubernetes/ingress-nginx/issues/7837
spec:
  validationFailureAction: enforce
  rules:
    - name: check-config-map
      match:
        any:
        - resources:
            kinds:
            - ConfigMap
      validate:
        message: "ingress-nginx allow-snippet-annotations must be set to false"
        pattern:
          =(data):
            =(allow-snippet-annotations): "false"
    - name: check-ingress-annotations
      match:
        any:
        - resources:
            kinds:
            - networking.k8s.io/v1/Ingress
      validate:
        message: "ingress-nginx custom snippets are not allowed"
        pattern:
          metadata:
            =(annotations):
              X(*-snippet): "?*"
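As an added example (not part of this page and not Kyverno's own engine), the Python below models the anchor semantics of the two rules above, the `=()` conditional anchor and the `X()` negation anchor with the `*-snippet` and `"?*"` wildcards, so the admit/deny outcome can be checked offline against constructed sample objects.

```python
import fnmatch

# Constructed sample objects in the shape the API server hands to an admission webhook.
INGRESS_WITH_SNIPPET = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "web", "annotations": {
        "nginx.ingress.kubernetes.io/server-snippet": "# constructed snippet content"}},
}
INGRESS_CLEAN = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "web", "annotations": {
        "nginx.ingress.kubernetes.io/rewrite-target": "/"}},
}
CONFIGMAP_UNSAFE = {"kind": "ConfigMap", "metadata": {"name": "ingress-nginx-controller"},
                    "data": {"allow-snippet-annotations": "true"}}
CONFIGMAP_OTHER = {"kind": "ConfigMap", "metadata": {"name": "app-config"},
                   "data": {"log-level": "debug"}}


def check_config_map(cm):
    """Rule check-config-map. =(data) and =(allow-snippet-annotations) are
    conditional anchors: the check only fires when both keys exist, and then
    the value must be the literal string "false"."""
    data = cm.get("data") or {}
    if "allow-snippet-annotations" not in data:
        return None  # key absent: nothing to validate, object is admitted
    if str(data["allow-snippet-annotations"]) != "false":
        return "ingress-nginx allow-snippet-annotations must be set to false"
    return None


def check_ingress_annotations(ing):
    """Rule check-ingress-annotations. X(*-snippet): "?*" is a negation anchor:
    no annotation whose key matches the glob *-snippet may carry a non-empty
    value ("?*" means at least one character). Absent annotations pass."""
    annotations = (ing.get("metadata") or {}).get("annotations") or {}
    for key, value in annotations.items():
        if fnmatch.fnmatchcase(key, "*-snippet") and value:
            return "ingress-nginx custom snippets are not allowed"
    return None


def validate(resource):
    """Dispatch on kind like the policy's match blocks; None means admitted."""
    if resource.get("kind") == "ConfigMap":
        return check_config_map(resource)
    if resource.get("kind") == "Ingress":
        return check_ingress_annotations(resource)
    return None  # kinds the policy does not match are never evaluated
```

Note that the first rule matches every ConfigMap in the cluster, not only the ingress-nginx controller's, so an unrelated ConfigMap that happens to carry an `allow-snippet-annotations` key set to anything but `"false"` is also denied.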