From 6e40f2286ac8fb59ba6392a9cf7c2ab16795e4b5 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Tue, 14 May 2024 19:19:08 -0400
Subject: [PATCH 01/11] add policies
Signed-off-by: Boris 'B' Kurktchiev
---
.../block-proc-self-cve-2024-21626.yaml | 31 ++++++++++++
...ock-proc-self-mounting-cve-2024-21626.yaml | 49 +++++++++++++++++++
...eck-container-run-time-cve-2024-21626.yaml | 34 +++++++++++++
...roc-self-fd-workingdir-cve-2024-21626.yaml | 24 +++++++++
4 files changed, 138 insertions(+)
create mode 100644 other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml
create mode 100644 other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml
create mode 100644 other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml
create mode 100644 other/disallow-proc-self-fd-workingdir-cve-2024-21626/disallow-proc-self-fd-workingdir-cve-2024-21626.yaml
diff --git a/other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml b/other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml
new file mode 100644
index 000000000..4931df3e2
--- /dev/null
+++ b/other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-proc-self-cve-2024-21626
+spec:
+ validationFailureAction: Audit
+ rules:
+ - name: container-exec-block-proc-self
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod/exec
+ - Pod
+ validate:
+ message: "Pod {{ request.object.metadata.namespace }}/{{ request.object.metadata.name }} cannot use /proc/self/cwd, CVE-2024-21626"
+ deny:
+ conditions:
+ any:
+ - key: "{{ request.object.spec.containers[].args[] | contains(@, '/proc/self/cwd') }}"
+ operator: Equals
+ value: true
+ - key: "{{ request.object.spec.initContainers[].args[] | contains(@, '/proc/self/cwd') }}"
+ operator: Equals
+ value: true
+ - key: "{{ request.object.spec.ephemeralContainers[].args[] | contains(@, '/proc/self/cwd') }}"
+ operator: Equals
+ value: true
+ - key: "{{ request.object.command | contains(@, '/proc/self/cwd') }}"
+ operator: Equals
+ value: true
diff --git a/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml b/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml
new file mode 100644
index 000000000..8b41da122
--- /dev/null
+++ b/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml
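Review bot: All four deny conditions use `contains(@, '/proc/self/cwd')` on a list of strings, and JMESPath `contains` over an array is an exact-element comparison, so an argument such as `sh -c 'cat /proc/self/cwd/../../../etc/shadow'` is not caught, and `spec.containers[].command[]` is never inspected at all. A per-element substring test closes that: `key: "{{ request.object.spec.containers[].args[] | [?contains(@, '/proc/self/cwd')] | length(@) }}"` with `operator: GreaterThan` and `value: 0` (same shape for the other lists, and add one for `command[]`). The match mixes `Pod/exec` and `Pod`, but a `pods/exec` admission object is a `PodExecOptions` with no `spec`, so for exec requests the first three keys resolve to a missing field rather than `false`; I would test that path in Audit before relying on it. Worth a comment in the file that `/proc/self/cwd` is the post-exploit access path for CVE-2024-21626 while the leaked-fd `workingDir` is the precondition, which the sibling policies cover.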
@@ -0,0 +1,49 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-proc-self-mounting-cve-2024-21626
+spec:
+ validationFailureAction: Enforce
+ rules:
+ - name: no-proc-self-images
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Pod {{ request.object.metadata.namespace }}/{{ request.object.metadata.name }} with images having /proc/self/fd/ in their layers are not allowed CVE-2024-21626."
+ foreach:
+ - list: "request.object.spec.containers"
+ context:
+ - name: imageData
+ imageRegistry:
+ reference: "{{ element.image }}"
+ deny:
+ conditions:
+ any:
+ - key: "{{ imageData.configData.history[].created_by | contains(@, '/proc/self/fd/') }}"
+ operator: Equals
+ value: true
+ - list: "request.object.spec.initContainers"
+ context:
+ - name: imageData
+ imageRegistry:
+ reference: "{{ element.image }}"
+ deny:
+ conditions:
+ any:
+ - key: "{{ imageData.configData.history[].created_by | contains(@, '/proc/self/fd/') }}"
+ operator: Equals
+ value: true
+ - list: "request.object.spec.ephemeralContainers"
+ context:
+ - name: imageData
+ imageRegistry:
+ reference: "{{ element.image }}"
+ deny:
+ conditions:
+ any:
+ - key: "{{ imageData.configData.history[].created_by | contains(@, '/proc/self/fd/') }}"
+ operator: Equals
+ value: true
diff --git a/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml b/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml
new file mode 100644
index 000000000..1498952fb
--- /dev/null
+++ b/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml
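Review bot: `imageData.configData.history[].created_by | contains(@, '/proc/self/fd/')` compares whole history entries for equality, but a Dockerfile `WORKDIR /proc/self/fd/7` appears in `created_by` as a longer string, so this condition can never be true and the policy denies nothing even in Enforce. Filter per entry instead, in all three foreach branches: `key: "{{ imageData.configData.history[?created_by && contains(created_by, '/proc/self/fd/')] | length(@) }}"`, `operator: GreaterThan`, `value: 0`. Two caveats deserve a comment in the file: the `imageRegistry` context fetches the image config from the registry at admission time, so private registries need credentials configured for Kyverno and a registry outage will presumably fail closed under Enforce; and ephemeral containers arrive on the `pods/ephemeralcontainers` subresource, which a match on `Pod` alone does not receive, so the third foreach likely needs `Pod/ephemeralcontainers` in `kinds` to ever run.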
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-container-run-time-cve-2024-21626
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: container-run-time-version-outdated
+ match:
+ any:
+ - resources:
+ kinds:
+ - Node
+ context:
+ - name: cr_version
+ variable:
+ jmesPath: split(request.object.status.nodeInfo.containerRuntimeVersion, '://')[1]
+ - name: cr_runtime
+ variable:
+ jmesPath: split(request.object.status.nodeInfo.containerRuntimeVersion, '://')[0]
+ validate:
+ message: "Your container runtime is vulnerable to CVE-2024-21626 & CVE-2024-23651: {{cr_runtime}}:{{cr_version}}"
+ deny:
+ conditions:
+ any:
+ - key: |-
+ {{ cr_runtime == 'containerd' && semver_compare(cr_version, '<= 1.6.27') || false }}
+ operator: Equals
+ value: true
+ - key: |-
+ {{ cr_runtime == 'runc' && semver_compare(cr_version, '<= 1.1.11') || false }}
+ operator: Equals
+ value: true
diff --git a/other/disallow-proc-self-fd-workingdir-cve-2024-21626/disallow-proc-self-fd-workingdir-cve-2024-21626.yaml b/other/disallow-proc-self-fd-workingdir-cve-2024-21626/disallow-proc-self-fd-workingdir-cve-2024-21626.yaml
new file mode 100644
index 000000000..f26d16a7a
--- /dev/null
+++ b/other/disallow-proc-self-fd-workingdir-cve-2024-21626/disallow-proc-self-fd-workingdir-cve-2024-21626.yaml
@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-proc-self-fd-workingdir-cve-2024-21626
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: no-proc-self-fd-images
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Using /proc/self/fd in workingDir is not allowed CVE-2024-21626."
+ pattern:
+ spec:
+ containers:
+ - =(workingDir): "!/proc/self/fd*"
+ initContainers:
+ - =(workingDir): "!/proc/self/fd*"
+ ephemeralContainers:
+ - =(workingDir): "!/proc/self/fd*"
From 83b5c89ecb2d9976c121f76b0522bfe8de22c546 Mon Sep 17 00:00:00 2001
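Review bot: The containerd condition `semver_compare(cr_version, '<= 1.6.27')` misses the entire 1.7 line below the fix — the runc 1.1.12 bump shipped in containerd 1.6.28 and 1.7.13 — so a `containerd://1.7.12` node is reported clean; a ranged constraint is needed, e.g. `{{ cr_runtime == 'containerd' && (semver_compare(cr_version, '<1.6.28') || semver_compare(cr_version, '>=1.7.0 <1.7.13')) }}` (compound constraints, which I believe Kyverno's `semver_compare` accepts). `nodeInfo.containerRuntimeVersion` reports the CRI (`containerd`, `cri-o`, `docker`), never `runc`, so the second condition is dead code and CRI-O nodes are not evaluated at all. The containerd version is only a proxy for the bundled runc — distro packages can pair any runc with any containerd — which deserves a comment next to the rule. CVE-2024-23651 is, as I recall, a BuildKit issue that a node's runtime version says nothing about, so I would drop it from the message.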
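Review bot: `"!/proc/self/fd*"` is a literal prefix check, but `workingDir` is resolved by the kernel at `chdir` time, so spellings such as `/tmp/../proc/self/fd/7` or `//proc/self/fd/7` (and probably `/proc/thread-self/fd/7`) pass the pattern and still land on the leaked host fd. A looser wildcard, `"!*proc/self/fd*"`, or a deny condition with `regex_match('proc/+(self|thread-self)/+fd', ...)` catches the path anywhere in the string, which is safe because no legitimate `workingDir` contains it. Note in the file that this only sees an explicit pod-spec `workingDir`; a `WORKDIR` baked into the image config is invisible here and is what the image-history policy is for. Ephemeral containers are admitted via the `pods/ephemeralcontainers` subresource, so the `ephemeralContainers` branch likely never runs without `Pod/ephemeralcontainers` in `kinds`.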
From: Boris 'B' Kurktchiev
Date: Tue, 11 Jun 2024 10:43:47 -0600
Subject: [PATCH 02/11] fix: correct matching
Signed-off-by: Boris 'B' Kurktchiev
---
...isallow-proc-self-fd-workingdir-cve-2024-21626.yaml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/other/disallow-proc-self-fd-workingdir-cve-2024-21626/disallow-proc-self-fd-workingdir-cve-2024-21626.yaml b/other/disallow-proc-self-fd-workingdir-cve-2024-21626/disallow-proc-self-fd-workingdir-cve-2024-21626.yaml
index f26d16a7a..c8e6a8306 100644
--- a/other/disallow-proc-self-fd-workingdir-cve-2024-21626/disallow-proc-self-fd-workingdir-cve-2024-21626.yaml
+++ b/other/disallow-proc-self-fd-workingdir-cve-2024-21626/disallow-proc-self-fd-workingdir-cve-2024-21626.yaml
@@ -1,9 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
- name: disallow-proc-self-fd-workingdir-cve-2024-21626
+ name: disallow-proc-self-fd-workingdir
spec:
- validationFailureAction: Audit
+ validationFailureAction: Enforce
background: true
rules:
- name: no-proc-self-fd-images
@@ -13,12 +13,12 @@ spec:
kinds:
- Pod
validate:
- message: "Using /proc/self/fd in workingDir is not allowed CVE-2024-21626."
+ message: "Mounting /proc/self/fd is not allowed CVE-2024-21626."
pattern:
spec:
containers:
- =(workingDir): "!/proc/self/fd*"
- initContainers:
+ =(initContainers):
- =(workingDir): "!/proc/self/fd*"
- ephemeralContainers:
+ =(ephemeralContainers):
- =(workingDir): "!/proc/self/fd*"
From 5cebaf0b5aba85d8b6094ea2d2d771596223a5e1 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Tue, 11 Jun 2024 11:24:49 -0600
Subject: [PATCH 03/11] Update block-proc-self-cve-2024-21626.yaml fix: unsure that it is a fix yet still testing
Signed-off-by: Boris 'B' Kurktchiev
---
.../block-proc-self-cve-2024-21626.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
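Review bot: The new message `Mounting /proc/self/fd is not allowed CVE-2024-21626.` misdescribes the rule, which is a `workingDir` pattern and mounts nothing; the original wording was accurate, e.g. `message: "workingDir must not point into /proc/self/fd (CVE-2024-21626)."`. The rename to `disallow-proc-self-fd-workingdir` in the first hunk also detaches the policy name from its directory and file, which keep the `-cve-2024-21626` suffix, so the cluster object and the repo path no longer line up. Switching to Enforce in the same commit that adds the `=(initContainers)` anchors is reasonable, but a `.kyverno-test` with a pod that has no initContainers would have caught the original fail-everything behaviour and is still absent.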
diff --git a/other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml b/other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml
index 4931df3e2..75dab0700 100644
--- a/other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml
+++ b/other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml
@@ -4,6 +4,7 @@ metadata:
name: block-proc-self-cve-2024-21626
spec:
validationFailureAction: Audit
+ background: false
rules:
- name: container-exec-block-proc-self
match:
@@ -11,7 +12,6 @@ spec:
- resources:
kinds:
- Pod/exec
- - Pod
validate:
message: "Pod {{ request.object.metadata.namespace }}/{{ request.object.metadata.name }} cannot use /proc/self/cwd, CVE-2024-21626"
deny:
From d0e3a467039913502cc1f6c2a05d10457981e1e8 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Mon, 29 Jul 2024 12:28:06 -0400
Subject: [PATCH 04/11] add artifacthub updates
Signed-off-by: Boris 'B' Kurktchiev
---
.../artifacthub-pkg.yml | 18 ++++++++++++++++++
.../block-proc-self-cve-2024-21626.yaml | 8 ++++++++
.../artifacthub-pkg.yml | 18 ++++++++++++++++++
...lock-proc-self-mounting-cve-2024-21626.yaml | 8 ++++++++
.../artifacthub-pkg.yml | 18 ++++++++++++++++++
...heck-container-run-time-cve-2024-21626.yaml | 8 ++++++++
.../artifacthub-pkg.yml | 18 ++++++++++++++++++
...proc-self-fd-workingdir-cve-2024-21626.yaml | 11 ++++++++++-
8 files changed, 106 insertions(+), 1 deletion(-)
create mode 100644 other/block-proc-self-cve-2024-21626/artifacthub-pkg.yml
create mode 100644 other/block-proc-self-mounting-cve-2024-21626/artifacthub-pkg.yml
create mode 100644 other/check-container-run-time-cve-2024-21626/artifacthub-pkg.yml
create mode 100644 other/disallow-proc-self-fd-workingdir-cve-2024-21626/artifacthub-pkg.yml
diff --git a/other/block-proc-self-cve-2024-21626/artifacthub-pkg.yml b/other/block-proc-self-cve-2024-21626/artifacthub-pkg.yml
new file mode 100644
index 000000000..61d1f795e
--- /dev/null
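Review bot: With `Pod` removed and only `Pod/exec` left in `kinds`, the first three deny conditions still read `request.object.spec.containers[]...` from a `PodExecOptions` admission object, which has no `spec`, so they can never be true and only the `request.object.command` check does any work — and that one still requires an argument exactly equal to `/proc/self/cwd`, so `kubectl exec ... -- sh -c 'cd /proc/self/cwd'` passes. If exec is the intended scope, reduce the rule to that single condition with a per-element substring test, `key: "{{ request.object.command | [?contains(@, '/proc/self/cwd')] | length(@) }}"`, `operator: GreaterThan`, `value: 0`, and update the description text about containers and initContainers to match. `background: false` is the right addition for a subresource match. Since the commit message says this is still being tested, a `.kyverno-test` case with a `PodExecOptions` resource would settle it.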
+++ b/other/block-proc-self-cve-2024-21626/artifacthub-pkg.yml
@@ -0,0 +1,18 @@
+name: block-proc-self-cve-2024-21626
+version: 1.0.0
+displayName: Block /proc/self Usage CVE-2024-21626
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+ This policy blocks the use of /proc/self/cwd in containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626.
+install: |-
+ \```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/security/block-proc-self-cve-2024-21626.yaml
+ \```
+keywords:
+ - kyverno
+ - Security
+readme: |
+ This policy blocks the use of /proc/self/cwd in containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626.
+annotations:
+ kyverno/category: "Security"
+ kyverno/subject: "Pod"
diff --git a/other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml b/other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml
index 75dab0700..ac7e0ebc4 100644
--- a/other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml
+++ b/other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml
@@ -2,6 +2,14 @@ apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-proc-self-cve-2024-21626
+ annotations:
+ policies.kyverno.io/title: "Block /proc/self Usage CVE-2024-21626"
+ policies.kyverno.io/category: "Security"
+ policies.kyverno.io/severity: "high"
+ policies.kyverno.io/minversion: "1.11.0"
+ kyverno.io/kubernetes-version: "1.26"
+ policies.kyverno.io/subject: "Pod"
+ policies.kyverno.io/description: "This policy blocks the use of /proc/self/cwd in containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626."
spec:
validationFailureAction: Audit
background: false
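Review bot: The install command points at `.../kyverno/policies/main/security/block-proc-self-cve-2024-21626.yaml`, but the file this series adds lives under `other/block-proc-self-cve-2024-21626/`, so the documented one-liner cannot resolve; it should be `kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml`. `createdAt: "2023-04-10T20:30:03.000Z"` predates the CVE's January 2024 disclosure and is repeated verbatim in all four new packages, so it looks copied from another package rather than set. The description also still promises coverage of containers, initContainers and ephemeralContainers, which the previous patch narrowed to `Pod/exec`.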
diff --git a/other/block-proc-self-mounting-cve-2024-21626/artifacthub-pkg.yml b/other/block-proc-self-mounting-cve-2024-21626/artifacthub-pkg.yml
new file mode 100644
index 000000000..cccf6eae9
--- /dev/null
+++ b/other/block-proc-self-mounting-cve-2024-21626/artifacthub-pkg.yml
@@ -0,0 +1,18 @@
+name: block-proc-self-mounting-cve-2024-21626
+version: 1.0.0
+displayName: Block /proc/self/fd Image Layers CVE-2024-21626
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+ This policy blocks the use of container images that have /proc/self/fd/ in their layers to mitigate the risk associated with CVE-2024-21626.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml
+ ```
+keywords:
+ - kyverno
+ - Security
+readme: |
+ This policy blocks the use of container images that have /proc/self/fd/ in their layers to mitigate the risk associated with CVE-2024-21626.
+annotations:
+ kyverno/category: "Security"
+ kyverno/subject: "Pod"
diff --git a/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml b/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml
index 8b41da122..1d3569134 100644
--- a/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml
+++ b/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml
@@ -2,6 +2,14 @@ apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-proc-self-mounting-cve-2024-21626
+ annotations:
+ policies.kyverno.io/title: "Block /proc/self/fd Image Layers CVE-2024-21626"
+ policies.kyverno.io/category: "Security"
+ policies.kyverno.io/severity: "high"
+ policies.kyverno.io/minversion: "1.11.0"
+ kyverno.io/kubernetes-version: "1.27"
+ policies.kyverno.io/subject: "Pod"
+ policies.kyverno.io/description: "This policy blocks the use of container images that have /proc/self/fd/ in their layers to mitigate the risk associated with CVE-2024-21626."
spec:
validationFailureAction: Enforce
rules:
diff --git a/other/check-container-run-time-cve-2024-21626/artifacthub-pkg.yml b/other/check-container-run-time-cve-2024-21626/artifacthub-pkg.yml
new file mode 100644
index 000000000..c619e8a33
--- /dev/null
+++ b/other/check-container-run-time-cve-2024-21626/artifacthub-pkg.yml
@@ -0,0 +1,18 @@
+name: check-container-run-time-cve-2024-21626
+version: 1.0.0
+displayName: Check Container Runtime for CVE-2024-21626
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+ This policy checks for outdated container runtime versions that are vulnerable to CVE-2024-21626 and CVE-2024-23651.
+install: |-
+ \```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml
+ \```
+keywords:
+ - kyverno
+ - Security
+readme: |
+ This policy checks for outdated container runtime versions that are vulnerable to CVE-2024-21626 and CVE-2024-23651.
+annotations:
+ kyverno/category: "Security"
+ kyverno/subject: "Node"
diff --git a/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml b/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml
index 1498952fb..095a98d72 100644
--- a/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml
+++ b/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml
@@ -2,6 +2,14 @@ apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-container-run-time-cve-2024-21626
+ annotations:
+ policies.kyverno.io/title: "Check Container Runtime for CVE-2024-21626"
+ policies.kyverno.io/category: "Security"
+ policies.kyverno.io/severity: "high"
+ policies.kyverno.io/minversion: "1.11.0"
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/subject: "Node"
+ policies.kyverno.io/description: "This policy checks for outdated container runtime versions that are vulnerable to CVE-2024-21626 and CVE-2024-23651."
spec:
validationFailureAction: audit
background: true
diff --git a/other/disallow-proc-self-fd-workingdir-cve-2024-21626/artifacthub-pkg.yml b/other/disallow-proc-self-fd-workingdir-cve-2024-21626/artifacthub-pkg.yml
new file mode 100644
index 000000000..9a28de831
--- /dev/null
+++ b/other/disallow-proc-self-fd-workingdir-cve-2024-21626/artifacthub-pkg.yml
@@ -0,0 +1,18 @@
+name: disallow-proc-self-fd-workingdir
+version: 1.0.0
+displayName: Disallow mounting /proc/self in working directory
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+ This policy prevents mounting /proc/self/fd in the working directory of containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/disallow-localhost-services/disallow-localhost-services.yaml
+ ```
+keywords:
+ - kyverno
+ - Security
+readme: |
+ This policy prevents mounting /proc/self/fd in the working directory of containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626.
+annotations:
+ kyverno/category: "Security"
+ kyverno/subject: "Pod"
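Review bot: The install snippet in the `disallow-proc-self-fd-workingdir` package applies `other/disallow-localhost-services/disallow-localhost-services.yaml`, an unrelated policy, so anyone following the ArtifactHub page installs the wrong control while believing the CVE-2024-21626 mitigation is in place; it must be `kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/disallow-proc-self-fd-workingdir-cve-2024-21626/disallow-proc-self-fd-workingdir-cve-2024-21626.yaml`. The package `name` also drops the `-cve-2024-21626` suffix that the directory and the other three packages carry. `displayName` and `description` speak of "mounting", while the policy only inspects `workingDir`; `Disallow /proc/self/fd as a container workingDir` would describe it accurately.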
diff --git a/other/disallow-proc-self-fd-workingdir-cve-2024-21626/disallow-proc-self-fd-workingdir-cve-2024-21626.yaml b/other/disallow-proc-self-fd-workingdir-cve-2024-21626/disallow-proc-self-fd-workingdir-cve-2024-21626.yaml
index c8e6a8306..4a2dc4539 100644
--- a/other/disallow-proc-self-fd-workingdir-cve-2024-21626/disallow-proc-self-fd-workingdir-cve-2024-21626.yaml
+++ b/other/disallow-proc-self-fd-workingdir-cve-2024-21626/disallow-proc-self-fd-workingdir-cve-2024-21626.yaml
@@ -2,8 +2,17 @@ apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-proc-self-fd-workingdir
+ annotations:
+ policies.kyverno.io/title: Disallow /proc/self/fd Mounting
+ policies.kyverno.io/category: Security
+ policies.kyverno.io/severity: high
+ policies.kyverno.io/subject: Pod, Working Directory
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kyverno-version: 1.6.0
+ kyverno.io/kubernetes-version: 1.22-1.23
+ policies.kyverno.io/description: This policy prevents mounting /proc/self/fd in the working directory of containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626.
spec:
- validationFailureAction: Enforce
+ validationFailureAction: Audit
background: true
rules:
- name: no-proc-self-fd-images
From 0b6cdbdd0796cfe5c3a383c37c665fc5881bc736 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Mon, 29 Jul 2024 14:38:20 -0400
Subject: [PATCH 05/11] convert to audit mode
Signed-off-by: Boris 'B' Kurktchiev
---
.../block-proc-self-mounting-cve-2024-21626.yaml | 2 +-
.../check-container-run-time-cve-2024-21626.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml b/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml
index 1d3569134..15c421bff 100644
--- a/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml
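Review bot: The version annotations `policies.kyverno.io/minversion: 1.6.0`, `kyverno.io/kyverno-version: 1.6.0` and `kyverno.io/kubernetes-version: 1.22-1.23` look copied from an older policy: the other three policies in this series declare 1.11.0 and 1.26–1.27, and nothing in the series shows this pattern was run on Kyverno 1.6. Either align them with the siblings (`kyverno.io/kyverno-version: 1.11.0`, `kyverno.io/kubernetes-version: "1.27"`) or record the oldest version it was actually tested on. The flip from Enforce back to Audit reverses the previous commit without saying why; a short comment above `validationFailureAction` (for example that the prefix pattern has known false negatives and should be audited first) would stop the next reader from flipping it again.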
+++ b/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml
@@ -11,7 +11,7 @@ metadata:
policies.kyverno.io/subject: "Pod"
policies.kyverno.io/description: "This policy blocks the use of container images that have /proc/self/fd/ in their layers to mitigate the risk associated with CVE-2024-21626."
spec:
- validationFailureAction: Enforce
+ validationFailureAction: Audit
rules:
- name: no-proc-self-images
match:
diff --git a/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml b/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml
index 095a98d72..ed6d28831 100644
--- a/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml
+++ b/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml
@@ -11,7 +11,7 @@ metadata:
policies.kyverno.io/subject: "Node"
policies.kyverno.io/description: "This policy checks for outdated container runtime versions that are vulnerable to CVE-2024-21626 and CVE-2024-23651."
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: container-run-time-version-outdated
From bf066b96a03212ffc35d60afc55f1c19eda63488 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Mon, 29 Jul 2024 15:39:13 -0400
Subject: [PATCH 06/11] adding for node detection. Note that since the second test is checking the layers of an image, I dont think I can provide a test object since it is checking the specific layers searching for the usage of a specific attack and supplying a bad image seems like the wrong thing to do here for a test
Signed-off-by: Boris 'B' Kurktchiev
---
.../.kyverno-test/bad-node.yaml | 7 +++++++
.../.kyverno-test/good-node.yaml | 7 +++++++
2 files changed, 14 insertions(+)
create mode 100644 other/check-container-run-time-cve-2024-21626/.kyverno-test/bad-node.yaml
create mode 100644 other/check-container-run-time-cve-2024-21626/.kyverno-test/good-node.yaml
diff --git a/other/check-container-run-time-cve-2024-21626/.kyverno-test/bad-node.yaml b/other/check-container-run-time-cve-2024-21626/.kyverno-test/bad-node.yaml
new file mode 100644
index 000000000..e67bfcf5e
--- /dev/null
+++ b/other/check-container-run-time-cve-2024-21626/.kyverno-test/bad-node.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Node
+metadata:
+ name: bad-node
+status:
+ nodeInfo:
+ containerRuntimeVersion: containerd://1.6.27
diff --git a/other/check-container-run-time-cve-2024-21626/.kyverno-test/good-node.yaml b/other/check-container-run-time-cve-2024-21626/.kyverno-test/good-node.yaml
new file mode 100644
index 000000000..226c09d19
--- /dev/null
+++ b/other/check-container-run-time-cve-2024-21626/.kyverno-test/good-node.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Node
+metadata:
+ name: good-node
+status:
+ nodeInfo:
+ containerRuntimeVersion: containerd://1.6.28
From 2bf3b7ceb9fff0cb29bfc12cfbd377168eaa3343 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Mon, 29 Jul 2024 17:07:16 -0400
Subject: [PATCH 07/11] add annotations
Signed-off-by: Boris 'B' Kurktchiev
---
.../block-proc-self-mounting-cve-2024-21626.yaml | 2 +-
.../check-container-run-time-cve-2024-21626.yaml | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml b/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml
index 15c421bff..7cc1f91d7 100644
--- a/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml
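Review bot: The two fixtures add Node resources but no `kyverno-test.yaml` that wires them to the policy with expected `fail`/`pass` results, so `kyverno test` will not exercise this policy at all. When adding it, include a third fixture with `containerRuntimeVersion: containerd://1.7.12` expected to fail: under the current `<= 1.6.27` constraint it passes, which is exactly the false negative the test should pin, and a `cri-o://...` fixture would show that only containerd is ever evaluated. On the commit message's point about the image-layer policy, shipping a malicious image is indeed the wrong move, but I believe the CLI's values file can stub the `imageData` context variable for a rule, which would allow a test without any real image — worth checking before declaring it untestable.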
+++ b/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml
@@ -6,7 +6,7 @@ metadata:
policies.kyverno.io/title: "Block /proc/self/fd Image Layers CVE-2024-21626"
policies.kyverno.io/category: "Security"
policies.kyverno.io/severity: "high"
- policies.kyverno.io/minversion: "1.11.0"
+ kyverno.io/kyverno-version: "1.11.0"
kyverno.io/kubernetes-version: "1.27"
policies.kyverno.io/subject: "Pod"
policies.kyverno.io/description: "This policy blocks the use of container images that have /proc/self/fd/ in their layers to mitigate the risk associated with CVE-2024-21626."
diff --git a/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml b/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml
index ed6d28831..4ed44fe83 100644
--- a/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml
+++ b/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml
@@ -6,8 +6,8 @@ metadata:
policies.kyverno.io/title: "Check Container Runtime for CVE-2024-21626"
policies.kyverno.io/category: "Security"
policies.kyverno.io/severity: "high"
- policies.kyverno.io/minversion: "1.11.0"
- kyverno.io/kubernetes-version: "1.26-1.27"
+ kyverno.io/kyverno-version: "1.11.0"
+ kyverno.io/kubernetes-version: "1.27"
policies.kyverno.io/subject: "Node"
policies.kyverno.io/description: "This policy checks for outdated container runtime versions that are vulnerable to CVE-2024-21626 and CVE-2024-23651."
spec:
From a208dd1768bc77326217a665b66119a4332fea00 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Wed, 31 Jul 2024 10:27:52 -0400
Subject: [PATCH 08/11] update annotations
Signed-off-by: Boris 'B' Kurktchiev
---
...block-proc-self-mounting-cve-2024-21626.yaml | 17 ++++++++++-------
...check-container-run-time-cve-2024-21626.yaml | 17 ++++++++++-------
2 files changed, 20 insertions(+), 14 deletions(-)
diff --git a/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml b/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml
index 7cc1f91d7..4f06c5315 100644
--- a/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml
+++ b/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml
@@ -3,13 +3,16 @@ kind: ClusterPolicy
metadata:
name: block-proc-self-mounting-cve-2024-21626
annotations:
- policies.kyverno.io/title: "Block /proc/self/fd Image Layers CVE-2024-21626"
- policies.kyverno.io/category: "Security"
- policies.kyverno.io/severity: "high"
- kyverno.io/kyverno-version: "1.11.0"
- kyverno.io/kubernetes-version: "1.27"
- policies.kyverno.io/subject: "Pod"
- policies.kyverno.io/description: "This policy blocks the use of container images that have /proc/self/fd/ in their layers to mitigate the risk associated with CVE-2024-21626."
+ policies.kyverno.io/title: Block /proc/self/fd Image Layers CVE-2024-21626
+ policies.kyverno.io/category: Security
+ policies.kyverno.io/severity: high
+ kyverno.io/kyverno-version: 1.11.0
+ kyverno.io/kubernetes-version: 1.27
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ This policy blocks the use of container images that have /proc/self/fd/ in their layers to mitigate the risk associated with CVE-2024-21626.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
spec:
validationFailureAction: Audit
rules:
diff --git a/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml b/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml
index 4ed44fe83..aa274f3ff 100644
--- a/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml
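Review bot: Dropping the quotes turns `kyverno.io/kubernetes-version: 1.27` into a YAML float, and Kubernetes annotation values are strings, so I would expect `kubectl apply` (schema validation) or the API server to reject the policy with a "got number, expected string" error; keep it `kyverno.io/kubernetes-version: "1.27"` (`1.11.0` only survives because two dots make it a string). The appended sentence `Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/` is contributor guidance, not a description of what the policy does, yet it will be rendered to users on ArtifactHub and in `kubectl describe`; it belongs in the repo docs rather than in `policies.kyverno.io/description`.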
+++ b/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml
@@ -3,13 +3,16 @@ kind: ClusterPolicy
metadata:
name: check-container-run-time-cve-2024-21626
annotations:
- policies.kyverno.io/title: "Check Container Runtime for CVE-2024-21626"
- policies.kyverno.io/category: "Security"
- policies.kyverno.io/severity: "high"
- kyverno.io/kyverno-version: "1.11.0"
- kyverno.io/kubernetes-version: "1.27"
- policies.kyverno.io/subject: "Node"
- policies.kyverno.io/description: "This policy checks for outdated container runtime versions that are vulnerable to CVE-2024-21626 and CVE-2024-23651."
+ policies.kyverno.io/title: Check Container Runtime for CVE-2024-21626
+ policies.kyverno.io/category: Security
+ policies.kyverno.io/severity: high
+ kyverno.io/kyverno-version: 1.11.0
+ kyverno.io/kubernetes-version: 1.27
+ policies.kyverno.io/subject: Node
+ policies.kyverno.io/description: >-
+ This policy checks for outdated container runtime versions that are vulnerable to CVE-2024-21626 and CVE-2024-23651.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
spec:
validationFailureAction: Audit
background: true
From 0f44a714ec8a2d4b470a0b609736ea7e7fc415a4 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Wed, 31 Jul 2024 12:42:08 -0400
Subject: [PATCH 09/11] update annotations
Signed-off-by: Boris 'B' Kurktchiev
---
.../artifacthub-pkg.yml | 4 ++--
.../block-proc-self-cve-2024-21626.yaml | 17 ++++++++++-------
.../artifacthub-pkg.yml | 4 ++--
...-proc-self-fd-workingdir-cve-2024-21626.yaml | 7 +++++--
4 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/other/block-proc-self-cve-2024-21626/artifacthub-pkg.yml b/other/block-proc-self-cve-2024-21626/artifacthub-pkg.yml
index 61d1f795e..1994fd7b9 100644
--- a/other/block-proc-self-cve-2024-21626/artifacthub-pkg.yml
+++ b/other/block-proc-self-cve-2024-21626/artifacthub-pkg.yml
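Review bot: Same unquoted-number problem as the mounting policy in this patch: `kyverno.io/kubernetes-version: 1.27` parses as a float and annotations are `map[string]string`, so quote it as `"1.27"`. The description's first sentence still presents CVE-2024-23651 as something a node's container runtime version reveals; as I recall 23651 is a BuildKit issue, so the text overstates what this check proves and I would drop it or reword to "the runc container-breakout CVE-2024-21626". The trailing "Refer to the documentation ..." sentence is contributor guidance and reads oddly in a user-facing description.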
@@ -5,9 +5,9 @@ createdAt: "2023-04-10T20:30:03.000Z"
description: >-
This policy blocks the use of /proc/self/cwd in containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626.
install: |-
- \```shell
+ ```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/security/block-proc-self-cve-2024-21626.yaml
- \```
+ ```
keywords:
- kyverno
- Security
diff --git a/other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml b/other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml
index ac7e0ebc4..009ae1169 100644
--- a/other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml
+++ b/other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml
@@ -3,13 +3,16 @@ kind: ClusterPolicy
metadata:
name: block-proc-self-cve-2024-21626
annotations:
- policies.kyverno.io/title: "Block /proc/self Usage CVE-2024-21626"
- policies.kyverno.io/category: "Security"
- policies.kyverno.io/severity: "high"
- policies.kyverno.io/minversion: "1.11.0"
- kyverno.io/kubernetes-version: "1.26"
- policies.kyverno.io/subject: "Pod"
- policies.kyverno.io/description: "This policy blocks the use of /proc/self/cwd in containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626."
+ policies.kyverno.io/title: Block /proc/self Usage CVE-2024-21626
+ policies.kyverno.io/category: Security
+ policies.kyverno.io/severity: high
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: 1.26
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ This policy blocks the use of /proc/self/cwd in containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
spec:
validationFailureAction: Audit
background: false
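Review bot: Unescaping the fences is right, but the command inside them still applies `.../main/security/block-proc-self-cve-2024-21626.yaml`, which this series never creates (the file is under `other/block-proc-self-cve-2024-21626/`), so the documented install remains broken. The second hunk on this line repeats the previous patch's mistake: `kyverno.io/kubernetes-version: 1.26` is now a YAML float while annotation values must be strings, so keep the quotes; and `policies.kyverno.io/minversion` was renamed to `kyverno.io/kyverno-version` in the sibling policies but not here, leaving the four policies inconsistent.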
diff --git a/other/check-container-run-time-cve-2024-21626/artifacthub-pkg.yml b/other/check-container-run-time-cve-2024-21626/artifacthub-pkg.yml
index c619e8a33..890f36b38 100644
--- a/other/check-container-run-time-cve-2024-21626/artifacthub-pkg.yml
+++ b/other/check-container-run-time-cve-2024-21626/artifacthub-pkg.yml
@@ -5,9 +5,9 @@ createdAt: "2023-04-10T20:30:03.000Z"
description: >-
This policy checks for outdated container runtime versions that are vulnerable to CVE-2024-21626 and CVE-2024-23651.
install: |-
- \```shell
+ ```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml
- \```
+ ```
keywords:
- kyverno
- Security
diff --git a/other/disallow-proc-self-fd-workingdir-cve-2024-21626/disallow-proc-self-fd-workingdir-cve-2024-21626.yaml b/other/disallow-proc-self-fd-workingdir-cve-2024-21626/disallow-proc-self-fd-workingdir-cve-2024-21626.yaml
index 4a2dc4539..4bd7a87f5 100644
--- a/other/disallow-proc-self-fd-workingdir-cve-2024-21626/disallow-proc-self-fd-workingdir-cve-2024-21626.yaml
+++ b/other/disallow-proc-self-fd-workingdir-cve-2024-21626/disallow-proc-self-fd-workingdir-cve-2024-21626.yaml
@@ -6,11 +6,14 @@ metadata:
policies.kyverno.io/title: Disallow /proc/self/fd Mounting
policies.kyverno.io/category: Security
policies.kyverno.io/severity: high
- policies.kyverno.io/subject: Pod, Working Directory
+ policies.kyverno.io/subject: Pod
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: 1.22-1.23
- policies.kyverno.io/description: This policy prevents mounting /proc/self/fd in the working directory of containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626.
+ policies.kyverno.io/description: >-
+ This policy prevents mounting /proc/self/fd in the working directory of containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
spec:
validationFailureAction: Audit
background: true
From c1989ffdd29ff5c21f554803dc46d4abbfde3f88 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Wed, 31 Jul 2024 13:02:11 -0400
Subject: [PATCH 10/11] update digest
Signed-off-by: Boris 'B' Kurktchiev
---
.../artifacthub-pkg.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/other/disallow-proc-self-fd-workingdir-cve-2024-21626/artifacthub-pkg.yml b/other/disallow-proc-self-fd-workingdir-cve-2024-21626/artifacthub-pkg.yml
index 9a28de831..62b0758f4 100644
--- a/other/disallow-proc-self-fd-workingdir-cve-2024-21626/artifacthub-pkg.yml
+++ b/other/disallow-proc-self-fd-workingdir-cve-2024-21626/artifacthub-pkg.yml
@@ -16,3 +16,4 @@ readme: |
annotations:
kyverno/category: "Security"
kyverno/subject: "Pod"
+digest: a56ce2540998ca8dea0af5aacf54657f50e8858984c946bb1e0d77e51508d395
From 6a8a78502d11c86e0654cbd74e9e0aea6ddd5edc Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Wed, 31 Jul 2024 13:46:39 -0400
Subject: [PATCH 11/11] add digests
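Review bot: The version annotations still read `policies.kyverno.io/minversion: 1.6.0`, `kyverno.io/kyverno-version: 1.6.0` and `kyverno.io/kubernetes-version: 1.22-1.23` while the other three policies in the series declare 1.11.0 and 1.26+, and `minversion` now duplicates `kyverno-version`; align them and drop the duplicate unless this pattern was really verified on Kyverno 1.6. The title `Disallow /proc/self/fd Mounting` is wrong for a rule that only inspects `workingDir` — `Disallow /proc/self/fd as workingDir` says what it does — and the same "mounting" wording is in the description. The appended "Refer to the documentation ..." sentence is contributor guidance and will be shown to users as part of the description.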
Signed-off-by: Boris 'B' Kurktchiev
---
other/block-proc-self-cve-2024-21626/artifacthub-pkg.yml | 1 +
.../block-proc-self-mounting-cve-2024-21626/artifacthub-pkg.yml | 1 +
.../check-container-run-time-cve-2024-21626/artifacthub-pkg.yml | 1 +
3 files changed, 3 insertions(+)
diff --git a/other/block-proc-self-cve-2024-21626/artifacthub-pkg.yml b/other/block-proc-self-cve-2024-21626/artifacthub-pkg.yml
index 1994fd7b9..413fa1e59 100644
--- a/other/block-proc-self-cve-2024-21626/artifacthub-pkg.yml
+++ b/other/block-proc-self-cve-2024-21626/artifacthub-pkg.yml
@@ -16,3 +16,4 @@ readme: |
annotations:
kyverno/category: "Security"
kyverno/subject: "Pod"
+digest: cddd7183145097fdbcae9d24bcada421a353ab4a64479b191112c1d03c73a249
diff --git a/other/block-proc-self-mounting-cve-2024-21626/artifacthub-pkg.yml b/other/block-proc-self-mounting-cve-2024-21626/artifacthub-pkg.yml
index cccf6eae9..c2567c09b 100644
--- a/other/block-proc-self-mounting-cve-2024-21626/artifacthub-pkg.yml
+++ b/other/block-proc-self-mounting-cve-2024-21626/artifacthub-pkg.yml
@@ -16,3 +16,4 @@ readme: |
annotations:
kyverno/category: "Security"
kyverno/subject: "Pod"
+digest: 318dc86c41623c157282c9e384ea6327c815bbd8e1a8fad443ac4f28884cb033
diff --git a/other/check-container-run-time-cve-2024-21626/artifacthub-pkg.yml b/other/check-container-run-time-cve-2024-21626/artifacthub-pkg.yml
index 890f36b38..7f04306e8 100644
--- a/other/check-container-run-time-cve-2024-21626/artifacthub-pkg.yml
+++ b/other/check-container-run-time-cve-2024-21626/artifacthub-pkg.yml
@@ -16,3 +16,4 @@ readme: |
annotations:
kyverno/category: "Security"
kyverno/subject: "Node"
+digest: 1ed452b28eca0407c08e187085aefeaf653a8d6b14897c37c25a50b456d761bc