Disallow Custom Snippets
Users that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster (CVE-2021-25742). This policy disables allow-snippet-annotations in the ingress-nginx configuration and blocks *-snippet annotations on an Ingress. See: https://github.com/kubernetes/ingress-nginx/issues/7837
Policy Definition
/nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-ingress-nginx-custom-snippets
  annotations:
    policies.kyverno.io/title: Disallow Custom Snippets
    policies.kyverno.io/category: Security, NGINX Ingress
    policies.kyverno.io/subject: ConfigMap, Ingress
    policies.kyverno.io/minversion: "1.6.0"
    kyverno.io/kyverno-version: "1.6.0"
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      Users that can create or update ingress objects can use the custom snippets
      feature to obtain all secrets in the cluster (CVE-2021-25742). This policy
      disables allow-snippet-annotations in the ingress-nginx configuration and
      blocks *-snippet annotations on an Ingress.
      See: https://github.com/kubernetes/ingress-nginx/issues/7837
spec:
  validationFailureAction: enforce
  rules:
  - name: check-config-map
    match:
      any:
      - resources:
          kinds:
          - ConfigMap
    validate:
      message: "ingress-nginx allow-snippet-annotations must be set to false"
      pattern:
        =(data):
          =(allow-snippet-annotations) : "false"
  - name: check-ingress-annotations
    match:
      any:
      - resources:
          kinds:
          - networking.k8s.io/v1/Ingress
    validate:
      message: "ingress-nginx custom snippets are not allowed"
      pattern:
        metadata:
          =(annotations):
            X(*-snippet): "?*"
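The two rules above are easy to misread because of the Kyverno anchors: `=(key)` only checks a value when the key is present, and `X(*-snippet): "?*"` forbids any annotation whose key matches the glob `*-snippet` and carries a non-empty value. The following Python script is an added example, not part of the Kyverno policy library or the Kyverno engine: it re-implements the same two checks over a constructed list of ConfigMap and Ingress objects in the shape `kubectl get ... -o json` returns, so you can see which objects the policy would reject before enforcing it in a cluster. The sample manifests, names and annotation values are constructed for illustration.

```python
import fnmatch
import json

# Messages copied from the policy's validate.message fields.
CONFIGMAP_MESSAGE = "ingress-nginx allow-snippet-annotations must be set to false"
INGRESS_MESSAGE = "ingress-nginx custom snippets are not allowed"


def check_configmap(obj):
    """Mirror of rule check-config-map.

    =(data) / =(allow-snippet-annotations) are conditional anchors: the value is
    only compared when the key exists. A ConfigMap without the key passes; one
    with the key passes only if the value is exactly the string "false"
    (so "True", "False" or "" are all violations).
    """
    data = obj.get("data") or {}
    if "allow-snippet-annotations" not in data:
        return []
    if data["allow-snippet-annotations"] == "false":
        return []
    return [CONFIGMAP_MESSAGE]


def check_ingress(obj):
    """Mirror of rule check-ingress-annotations.

    X(*-snippet): "?*" is a negation anchor: no annotation key matching the
    glob *-snippet may have a non-empty value. The glob covers the whole key,
    so nginx.ingress.kubernetes.io/server-snippet, configuration-snippet and
    modsecurity-snippet are all caught. Note that "?*" needs at least one
    character, so an annotation set to the empty string is not a violation
    under this pattern.
    """
    annotations = (obj.get("metadata") or {}).get("annotations") or {}
    hits = [k for k, v in annotations.items()
            if fnmatch.fnmatchcase(k, "*-snippet") and v != ""]
    return [f"{INGRESS_MESSAGE}: {k}" for k in sorted(hits)]


def audit(objects):
    """Apply the rule that matches each object's kind; returns {name: [messages]}.

    The Ingress rule matches networking.k8s.io/v1/Ingress only, so other
    apiVersions (and other kinds) are skipped, as the policy's match block would.
    """
    results = {}
    for obj in objects:
        kind = obj.get("kind")
        name = obj["metadata"]["name"]
        if kind == "ConfigMap":
            results[name] = check_configmap(obj)
        elif kind == "Ingress" and obj.get("apiVersion") == "networking.k8s.io/v1":
            results[name] = check_ingress(obj)
    return results


# Constructed sample objects (not from the page); names and values are illustrative.
SAMPLE_JSON = """
[
  {"apiVersion": "v1", "kind": "ConfigMap",
   "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
   "data": {"allow-snippet-annotations": "true"}},
  {"apiVersion": "v1", "kind": "ConfigMap",
   "metadata": {"name": "hardened-controller", "namespace": "ingress-nginx"},
   "data": {"allow-snippet-annotations": "false"}},
  {"apiVersion": "v1", "kind": "ConfigMap",
   "metadata": {"name": "unrelated", "namespace": "default"},
   "data": {"greeting": "hello"}},
  {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
   "metadata": {"name": "app-with-snippet", "namespace": "default",
                "annotations": {
                  "kubernetes.io/ingress.class": "nginx",
                  "nginx.ingress.kubernetes.io/server-snippet": "return 204;"}},
   "spec": {}},
  {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
   "metadata": {"name": "app-clean", "namespace": "default",
                "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/"}},
   "spec": {}}
]
"""


def audit_sample():
    """Run the audit over the constructed sample set."""
    return audit(json.loads(SAMPLE_JSON))


if __name__ == "__main__":
    for name, messages in audit_sample().items():
        status = "FAIL" if messages else "pass"
        print(f"{status:4} {name}: {'; '.join(messages) or 'ok'}")
```

Run against a real cluster by replacing `SAMPLE_JSON` with the `items` array of `kubectl get configmaps,ingresses -A -o json`. The ConfigMap rule is intentionally broad (it matches every ConfigMap) but only bites on ones carrying the `allow-snippet-annotations` key, which in practice is the ingress-nginx controller ConfigMap; if you want it scoped tighter, add a namespace or name selector to the policy's `match` block rather than loosening the pattern.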