Disallow Custom Snippets

Users that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster (CVE-2021-25742). This policy disables allow-snippet-annotations in the ingress-nginx configuration and blocks *-snippet annotations on an Ingress. See: https://github.com/kubernetes/ingress-nginx/issues/7837

Policy Definition

/best-practices/nginx-custom-snippets/disallow-custom-snippets.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-ingress-nginx-custom-snippets
  annotations:
    policies.kyverno.io/title: Disallow Custom Snippets
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/subject: ConfigMap, Ingress
    policies.kyverno.io/description: >-
      Users that can create or update ingress objects can use the custom snippets
      feature to obtain all secrets in the cluster (CVE-2021-25742). This policy
      disables allow-snippet-annotations in the ingress-nginx configuration and
      blocks *-snippet annotations on an Ingress.
      See: https://github.com/kubernetes/ingress-nginx/issues/7837
spec:
  validationFailureAction: enforce
  rules:
    - name: check-config-map
      match:
        resources:
          kinds:
            - ConfigMap
      validate:
        message: "ingress-nginx allow-snippet-annotations must be set to false"
        pattern:
          =(data):
            =(allow-snippet-annotations) : "false"
    - name: check-ingress-annotations
      match:
        resources:
          kinds:
            - Ingress
      validate:
        message: "ingress-nginx custom snippets are not allowed"
        pattern:
          metadata:
            =(annotations):
              X(*-snippet): "?*"
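The two rules above rely on Kyverno pattern anchors: `=(key)` makes a key optional but constrains its value when present, `X(key)` forbids any key that matches, and `"?*"` matches any non-empty string. The following is an added example, not code from the Kyverno policy library, that applies the same two checks to manifests offline (for example in CI before objects reach the admission controller). The Ingress and ConfigMap objects in it are constructed samples; the annotation names `nginx.ingress.kubernetes.io/server-snippet` and `nginx.ingress.kubernetes.io/rewrite-target` are real ingress-nginx annotations used only as illustrative input.

```python
"""Offline checker mirroring the disallow-ingress-nginx-custom-snippets rules.

Added example, not part of the Kyverno policy page. It reproduces the policy's
pattern semantics in plain Python so manifests can be screened before apply.
"""
import fnmatch
from typing import Any, Dict, List

Manifest = Dict[str, Any]

# Messages mirror the validate.message fields of the ClusterPolicy.
INGRESS_MSG = "ingress-nginx custom snippets are not allowed"
CONFIGMAP_MSG = "ingress-nginx allow-snippet-annotations must be set to false"


def check_ingress(obj: Manifest) -> List[str]:
    """Rule check-ingress-annotations.

    =(annotations): the annotations map is optional.
    X(*-snippet): "?*": no annotation key matching *-snippet may carry a
    non-empty value. Kyverno's key wildcard is a glob, so fnmatch is used;
    fnmatch's '*' also crosses '/', which is what we want for prefixed keys.
    """
    annotations = (obj.get("metadata") or {}).get("annotations") or {}
    offending = sorted(
        key for key, value in annotations.items()
        if fnmatch.fnmatchcase(key, "*-snippet") and str(value) != ""
    )
    return [f"{INGRESS_MSG}: {key}" for key in offending]


def check_configmap(obj: Manifest) -> List[str]:
    """Rule check-config-map.

    =(data) and =(allow-snippet-annotations) are both optional, but when the
    key is present its value must be exactly the string "false". Note the
    policy matches every ConfigMap, not only the ingress-nginx one.
    """
    data = obj.get("data") or {}
    if "allow-snippet-annotations" in data:
        value = data["allow-snippet-annotations"]
        if value != "false":
            return [f"{CONFIGMAP_MSG} (got {value!r})"]
    return []


def validate(obj: Manifest) -> List[str]:
    """Dispatch on kind, as the policy's match blocks do; other kinds pass."""
    kind = obj.get("kind")
    if kind == "Ingress":
        return check_ingress(obj)
    if kind == "ConfigMap":
        return check_configmap(obj)
    return []


# Constructed sample manifests (not from the page).
INGRESS_WITH_SNIPPET: Manifest = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "web",
        "annotations": {
            "kubernetes.io/ingress.class": "nginx",
            # A *-snippet annotation injects raw nginx configuration.
            "nginx.ingress.kubernetes.io/server-snippet": "location /x { return 200; }",
        },
    },
}
INGRESS_CLEAN: Manifest = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "web",
        "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/"},
    },
}
CONFIGMAP_ENABLED: Manifest = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
    "data": {"allow-snippet-annotations": "true"},
}
CONFIGMAP_DISABLED: Manifest = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
    "data": {"allow-snippet-annotations": "false"},
}

if __name__ == "__main__":
    for sample in (INGRESS_WITH_SNIPPET, INGRESS_CLEAN, CONFIGMAP_ENABLED, CONFIGMAP_DISABLED):
        name = sample["metadata"]["name"]
        print(f"{sample['kind']}/{name}: {validate(sample) or 'ok'}")
```

One subtlety the checker preserves: because the value pattern is `"?*"` rather than `"*"`, a snippet annotation whose value is the empty string is not rejected by this policy, so a stricter variant would match on the key alone.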