Restrict NGINX Ingress annotation values
This policy mitigates CVE-2021-25746 by restricting `metadata.annotations` to safe values: it denies any Ingress whose annotation values match patterns for the NGINX `alias` or `root` directives, sensitive paths under `/etc/` or `/var/run/secrets`, or `*_by_lua*` hooks. See: https://github.com/kubernetes/ingress-nginx/blame/main/internal/ingress/inspector/rules.go. This issue has been fixed in NGINX Ingress v1.2.0. For NGINX Ingress version 1.0.5+ the `annotation-value-word-blocklist` configuration setting is also recommended. Please refer to the CVE for details.
Policy Definition
/nginx-ingress/restrict-annotations/restrict-annotations.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-annotations
  annotations:
    policies.kyverno.io/title: Restrict NGINX Ingress annotation values
    policies.kyverno.io/category: Security, NGINX Ingress
    policies.kyverno.io/severity: high
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/minversion: "1.6.0"
    kyverno.io/kyverno-version: "1.6.0"
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      This policy mitigates CVE-2021-25746 by restricting `metadata.annotations` to safe values.
      See: https://github.com/kubernetes/ingress-nginx/blame/main/internal/ingress/inspector/rules.go.
      This issue has been fixed in NGINX Ingress v1.2.0. For NGINX Ingress version 1.0.5+ the
      "annotation-value-word-blocklist" configuration setting is also recommended.
      Please refer to the CVE for details.
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-ingress
      match:
        any:
          - resources:
              kinds:
                - networking.k8s.io/v1/Ingress
      validate:
        # The deny conditions below test annotation values, not paths, so the
        # message names the field that actually triggered the rejection.
        message: "metadata.annotations value is not allowed"
        deny:
          conditions:
            # Each key collects every value under metadata.annotations (the
            # annotation key itself is ignored), runs regex_match over each one
            # and yields a list of booleans; AnyIn [true] denies on the first hit.
            any:
              # NGINX `alias ...;` and `root ...;` directives inside a snippet
              - key: "{{request.object.metadata.annotations.values(@)[].regex_match('\\s*alias\\s*.*;', @)}}"
                operator: AnyIn
                value: [true]
              - key: "{{request.object.metadata.annotations.values(@)[].regex_match('\\s*root\\s*.*;', @)}}"
                operator: AnyIn
                value: [true]
              # Sensitive paths on the controller filesystem
              - key: "{{request.object.metadata.annotations.values(@)[].regex_match('/etc/(passwd|shadow|group|nginx|ingress-controller)', @)}}"
                operator: AnyIn
                value: [true]
              - key: "{{request.object.metadata.annotations.values(@)[].regex_match('/var/run/secrets', @)}}"
                operator: AnyIn
                value: [true]
              # Lua hooks (access_by_lua, rewrite_by_lua, ...) that run code in the controller
              - key: "{{request.object.metadata.annotations.values(@)[].regex_match('.*_by_lua.*', @)}}"
                operator: AnyIn
                value: [true]
```
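To see what the five deny conditions accept and reject without a cluster, the following is an added example (not code from the Kyverno policies repository or from ingress-nginx) that re-implements the same regexes in Python and runs them over constructed Ingress objects. The annotation names follow the `nginx.ingress.kubernetes.io/*` convention and the snippet contents are made up for illustration; the helper `_ingress` and the sample objects are this example's own, not anything the policy defines.

```python
from __future__ import annotations

import re

# The five expressions from the policy's deny conditions. Kyverno's regex_match
# delegates to Go's regexp package (RE2, unanchored), and none of these patterns
# use syntax that behaves differently under Python's re, so re.search is a
# faithful stand-in.
BLOCKED_PATTERNS = [
    re.compile(r"\s*alias\s*.*;"),
    re.compile(r"\s*root\s*.*;"),
    re.compile(r"/etc/(passwd|shadow|group|nginx|ingress-controller)"),
    re.compile(r"/var/run/secrets"),
    re.compile(r".*_by_lua.*"),
]


def check_annotations(ingress: dict) -> list[tuple[str, str]]:
    """Return one (annotation key, pattern) pair per blocked pattern that
    matches an annotation value. As in the policy, the annotation key is
    ignored: every value under metadata.annotations is tested.
    An Ingress without annotations yields []."""
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    hits: list[tuple[str, str]] = []
    for key, value in annotations.items():
        for pattern in BLOCKED_PATTERNS:
            if pattern.search(str(value)):
                hits.append((key, pattern.pattern))
    return hits


def is_admitted(ingress: dict) -> bool:
    """Mirror the deny rule's `any:` semantics: a single match rejects the object."""
    return not check_annotations(ingress)


def _ingress(name: str, annotations: dict | None) -> dict:
    """Build a minimal networking.k8s.io/v1 Ingress (constructed test data, hypothetical helper)."""
    metadata: dict = {"name": name, "namespace": "default"}
    if annotations is not None:
        metadata["annotations"] = annotations
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": metadata,
        "spec": {"rules": [{"http": {"paths": [{
            "path": "/", "pathType": "Prefix",
            "backend": {"service": {"name": name, "port": {"number": 80}}}}]}}]},
    }


# Constructed sample objects (not taken from the page or from any real cluster).
BENIGN_INGRESS = _ingress("web", {
    "nginx.ingress.kubernetes.io/rewrite-target": "/",
    "nginx.ingress.kubernetes.io/proxy-body-size": "8m",
})
NO_ANNOTATIONS_INGRESS = _ingress("plain", None)
# A server-snippet that points an nginx location at the controller's config
# directory: trips both the `alias ...;` and the /etc/ingress-controller patterns.
ALIAS_SNIPPET_INGRESS = _ingress("leak", {
    "nginx.ingress.kubernetes.io/server-snippet":
        "location /cfg { alias /etc/ingress-controller/; autoindex on; }",
})
# A Lua hook in a configuration-snippet: trips only the `_by_lua` pattern.
LUA_SNIPPET_INGRESS = _ingress("lua", {
    "nginx.ingress.kubernetes.io/configuration-snippet":
        'access_by_lua_block { ngx.log(ngx.ERR, "hit") }',
})
# Not an nginx annotation at all, but the value still matches `\s*alias\s*.*;`,
# so the policy denies it: the rule tests values, never keys.
UNRELATED_ANNOTATION_INGRESS = _ingress("notes", {
    "example.com/comment": "see the alias table; then retry",
})


if __name__ == "__main__":
    for obj in (BENIGN_INGRESS, NO_ANNOTATIONS_INGRESS, ALIAS_SNIPPET_INGRESS,
                LUA_SNIPPET_INGRESS, UNRELATED_ANNOTATION_INGRESS):
        verdict = "admitted" if is_admitted(obj) else "denied"
        print(f"{obj['metadata']['name']:8s} {verdict:8s} {check_annotations(obj)}")
```

The last sample is the practical caveat: because the JMESPath expression projects over `annotations.values(@)`, an annotation belonging to some other controller or tool is denied just the same if its value happens to contain `alias ...;` or `root ...;`. If that bites in a cluster, narrowing the `match` block (for example by namespace) is the policy-side fix; loosening the regexes is not.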