Log4Shell Mitigation

In response to CVE-2021-44228, referred to as Log4Shell, an RCE vulnerability in the Log4j library, a partial (and incomplete) workaround for versions 2.10 to 2.14.1 of the library is to set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to "true". While this limits exposure, other code paths remain through which the vulnerability can still be exploited, so it is highly recommended to upgrade Log4j as soon as possible. See https://logging.apache.org/log4j/2.x/security.html for more details. This policy mutates all initContainers and containers in an incoming Pod to add this environment variable automatically.

Policy Definition

/other/mitigate_log4shell/mitigate_log4shell.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: log4shell-mitigation
  annotations:
    policies.kyverno.io/title: Log4Shell Mitigation
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.6.2
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/category: Sample
    policies.kyverno.io/description: >-
      In response to CVE-2021-44228 referred to as Log4Shell, a RCE vulnerability in the Log4j library, a
      partial yet incomplete workaround for versions 2.10 to 2.14.1 of the library is to set the environment
      variable LOG4J_FORMAT_MSG_NO_LOOKUPS to "true". While this does provide some
      benefit by limiting exposure, there are still code paths which can exploit
      this vulnerability. It is highly recommended to upgrade log4j as soon as possible.
      See https://logging.apache.org/log4j/2.x/security.html for more details.
      This policy will mutate all initContainers and containers in an
      incoming Pod to add this environment variable automatically.
spec:
  rules:
  - name: add-log4shell-mitigation-initcontainers
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        spec:
          initContainers:
            - (name): "*"
              env:
              - name: LOG4J_FORMAT_MSG_NO_LOOKUPS
                value: "true"
  - name: add-log4shell-mitigation-containers
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        spec:
          containers:
            - (name): "*"
              env:
              - name: LOG4J_FORMAT_MSG_NO_LOOKUPS
                value: "true"
```
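As an added example (not code from the Kyverno policy page or the Kyverno project), the following Python simulates what the two mutate rules above do to a Pod: the strategic merge keys the env list by name, so a container that already sets LOG4J_FORMAT_MSG_NO_LOOKUPS gets its value overwritten rather than a duplicate entry, and every initContainer and container receives the variable. Since the policy only acts on incoming Pods, an audit function is included for Pods admitted before the policy existed; the sample Pod, its names and images are constructed for the demonstration.

```python
from copy import deepcopy

ENV_NAME = "LOG4J_FORMAT_MSG_NO_LOOKUPS"  # the variable the policy injects
ENV_VALUE = "true"
CONTAINER_FIELDS = ("initContainers", "containers")  # one rule each in the policy

def mutate_container(container):
    """Strategic-merge semantics: env is keyed by name, so update in place."""
    env = container.setdefault("env", [])
    for entry in env:
        if entry.get("name") == ENV_NAME:
            entry["value"] = ENV_VALUE  # existing entry is overwritten, not duplicated
            return container
    env.append({"name": ENV_NAME, "value": ENV_VALUE})
    return container

def mutate_pod(pod):
    """Apply both rules to a copy of the Pod (the `(name): "*"` anchor matches all)."""
    pod = deepcopy(pod)
    spec = pod.setdefault("spec", {})
    for field in CONTAINER_FIELDS:
        for container in spec.get(field, []):
            mutate_container(container)
    return pod

def unmitigated_containers(pod):
    """Audit for Pods admitted before the policy: 'field/name' of each container
    whose env does not carry the flag with value "true"."""
    findings = []
    for field in CONTAINER_FIELDS:
        for container in pod.get("spec", {}).get(field, []):
            values = {e.get("name"): e.get("value") for e in container.get("env", [])}
            if values.get(ENV_NAME) != ENV_VALUE:
                findings.append(f"{field}/{container['name']}")
    return findings

# Constructed sample Pod (hypothetical names/images): initContainer has no env,
# "app" already sets the flag to "false", "sidecar" has only an unrelated variable.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "java-app"},
    "spec": {
        "initContainers": [{"name": "migrate", "image": "example/migrate"}],
        "containers": [
            {"name": "app", "image": "example/app",
             "env": [{"name": ENV_NAME, "value": "false"}]},
            {"name": "sidecar", "image": "example/sidecar",
             "env": [{"name": "OTHER", "value": "x"}]},
        ],
    },
}
```

Running `unmitigated_containers` before and after `mutate_pod` on the sample shows all three containers flagged first and none afterwards; applying the mutation twice yields the same Pod, which is the idempotence an admission mutation needs.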