Restrict NGINX Ingress path values

This policy mitigates CVE-2021-25745 by rejecting any `networking.k8s.io/v1` Ingress whose `spec.rules[].http.paths[].path` values contain sensitive filesystem locations: `/etc`, `/var/run/secrets`, `/root`, `/var/run/kubernetes/serviceaccount` and `/etc/kubernetes/admin.conf`. Additional paths can be added as further deny conditions. Note that the check is a substring blocklist rather than an allowlist, so a path such as `/etcetera` is also denied, and `/etc/kubernetes/admin.conf` is already covered by the `/etc` condition. Treat the policy as a stopgap: the underlying issue is fixed in NGINX Ingress v1.2.0, so upgrade the controller and refer to the CVE for details.

Policy Definition

/nginx-ingress/restrict-ingress-paths/restrict-ingress-paths.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-ingress-paths
  annotations:
    policies.kyverno.io/title: Restrict NGINX Ingress path values
    policies.kyverno.io/category: Security, NGINX Ingress
    policies.kyverno.io/severity: high
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/minversion: "1.6.0"
    kyverno.io/kyverno-version: "1.6.0"
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      This policy mitigates CVE-2021-25745 by restricting `spec.rules[].http.paths[].path` to safe values.
      Additional paths can be added as required. This issue has been fixed in NGINX Ingress v1.2.0.
      Please refer to the CVE for details.
spec:
  validationFailureAction: enforce
  rules:
    - name: check-paths
      match:
        any:
        - resources:
            kinds:
            - networking.k8s.io/v1/Ingress
      validate:
        message: "spec.rules[].http.paths[].path value is not allowed"
        deny:
          conditions:
            any:
            # Each key evaluates `contains(@, '<substring>')` against every path
            # collected by the projection; AnyIn [true] denies the request if
            # any single path matches.
            - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/etc') }}"
              operator: AnyIn
              value: [true]
            - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/var/run/secrets') }}"
              operator: AnyIn
              value: [true]
            - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/root') }}"
              operator: AnyIn
              value: [true]
            - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/var/run/kubernetes/serviceaccount') }}"
              operator: AnyIn
              value: [true]
            - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/etc/kubernetes/admin.conf') }}"
              operator: AnyIn
              value: [true]