Users who can create or update Ingress objects can use the custom snippets feature to obtain all secrets in the cluster (CVE-2021-25742). This policy disables allow-snippet-annotations in the ingress-nginx configuration and blocks *-snippet annotations on an Ingress. See: https://github.com/kubernetes/ingress-nginx/issues/7837
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-ingress-nginx-custom-snippets
  annotations:
    policies.kyverno.io/title: Disallow Custom Snippets
    policies.kyverno.io/category: Security, NGINX Ingress
    policies.kyverno.io/subject: ConfigMap, Ingress
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: "Users that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster (CVE-2021-25742). This policy disables allow-snippet-annotations in the ingress-nginx configuration and blocks *-snippet annotations on an Ingress. See: https://github.com/kubernetes/ingress-nginx/issues/7837"
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-config-map
      match:
        any:
        - resources:
            kinds:
            - ConfigMap
      validate:
        message: ingress-nginx allow-snippet-annotations must be set to false
        pattern:
          "=(data)":
            "=(allow-snippet-annotations)": "false"
    - name: check-ingress-annotations
      match:
        any:
        - resources:
            kinds:
            - networking.k8s.io/v1/Ingress
      validate:
        message: ingress-nginx custom snippets are not allowed
        pattern:
          metadata:
            "=(annotations)":
              X(*-snippet): "?*"
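Kyverno enforces this policy only at admission time, so objects that already existed before the policy was applied are not re-checked. The following added example (not part of the policy page or of Kyverno) mirrors the two rules in plain Python so they can be run offline over exported manifests: the `=(...)` conditional anchors mean a ConfigMap without the key passes, and the `X(*-snippet)` negation anchor fails on any annotation key matching `*-snippet`. The sample objects are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample objects (not from the policy page), shaped like the
# manifests Kyverno would see at admission time.
SAMPLE_CONFIGMAP_BAD = {
    "kind": "ConfigMap",
    "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
    "data": {"allow-snippet-annotations": "true"},
}
SAMPLE_CONFIGMAP_OK = {
    "kind": "ConfigMap",
    "metadata": {"name": "unrelated"},
    "data": {"some-key": "value"},  # key absent: conditional anchor => rule passes
}
SAMPLE_INGRESS_BAD = {
    "kind": "Ingress",
    "metadata": {
        "name": "web",
        "annotations": {"nginx.ingress.kubernetes.io/server-snippet": "# ..."},
    },
}
SAMPLE_INGRESS_OK = {"kind": "Ingress", "metadata": {"name": "plain"}}


def check_config_map(obj: dict) -> tuple:
    """Rule check-config-map: only evaluated when data.allow-snippet-annotations
    exists (the =() anchors); when present its value must be the string "false"."""
    value = (obj.get("data") or {}).get("allow-snippet-annotations")
    if value is None or str(value) == "false":
        return True, ""
    return False, "ingress-nginx allow-snippet-annotations must be set to false"


def check_ingress_annotations(obj: dict) -> tuple:
    """Rule check-ingress-annotations: the X() negation anchor fails the object if
    any annotation key matches the wildcard *-snippet (value is irrelevant)."""
    annotations = (obj.get("metadata") or {}).get("annotations") or {}
    offending = sorted(k for k in annotations if fnmatchcase(k, "*-snippet"))
    if offending:
        return False, "ingress-nginx custom snippets are not allowed: " + ", ".join(offending)
    return True, ""


def audit(objects: list) -> list:
    """Apply both rules by kind and return the failure messages, one per object."""
    checks = {"ConfigMap": check_config_map, "Ingress": check_ingress_annotations}
    failures = []
    for obj in objects:
        check = checks.get(obj.get("kind"))
        if check is not None:
            ok, msg = check(obj)
            if not ok:
                failures.append(f"{obj['metadata'].get('name')}: {msg}")
    return failures
```

Feeding the output of `kubectl get ingress,configmap -A -o json` (the `items` list) to `audit` surfaces pre-existing objects the admission policy never saw.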