From 663067d3e2e926955397c077937757b870d6d7d0 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Thu, 16 May 2024 09:33:58 -0400
Subject: [PATCH 1/7] Prevent CVE-2023-5043 and CVE-2023-5044

Signed-off-by: Boris 'B' Kurktchiev
---
 ...notations-cve-2023-5043-cve-2023-5044.yaml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/block-nginx-annotations-cve-2023-5043-cve-2023-5044.yaml

diff --git a/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/block-nginx-annotations-cve-2023-5043-cve-2023-5044.yaml b/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/block-nginx-annotations-cve-2023-5043-cve-2023-5044.yaml
new file mode 100644
index 000000000..f54b9949b
--- /dev/null
+++ b/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/block-nginx-annotations-cve-2023-5043-cve-2023-5044.yaml
@@ -0,0 +1,26 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-nginx-annotations-cve-2023-5043-cve-2023-5044
+ annotations:
+ policies.kyverno.io/title: Restrict Nginx Annotations
+ policies.kyverno.io/description: >-
+ Prevent the nginx-related CVE-2023-5043 and CVE-2023-5044 by blocking configuration-snippet and permanent-redirect
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: block-nginx-annotations-cve-2023-5043-cve-2023-5044
+ match:
+ any:
+ - resources:
+ kinds:
+ - Ingress
+ validate:
+ message: Cannot use nginx.ingress.kubernetes.io annotations for configuration-snippet or permanent-redirect, remediating CVE-2023-5043 and CVE-2023-5044
+ pattern:
+ metadata:
+ =(annotations):
+ X(nginx.ingress.kubernetes.io/configuration-snippet): "*" # CVE-2023-5043
+ X(nginx.ingress.kubernetes.io/permanent-redirect): "*" # CVE-2023-5044
From e67d5fba6de27c7608219db8c13f28c8a86479bb Mon Sep 17 00:00:00 2001
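Review bot: With `validationFailureAction: Audit` the policy does not block anything, yet the title, description and validate message all claim it prevents the two CVEs; in Audit mode an Ingress carrying either annotation is still admitted and only a policy report entry is produced. Either ship the rule as `validationFailureAction: Enforce` or reword the description to say it reports such annotations, so operators know they still have to switch the mode themselves. The pattern also denies only these two exact keys, so it is a narrow supplement to, not a replacement for, turning off snippet annotations in the ingress-nginx controller configuration (the `allow-snippet-annotations` setting), which is the upstream mitigation and deserves a sentence in the description.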
From: Boris 'B' Kurktchiev
Date: Mon, 29 Jul 2024 12:30:36 -0400
Subject: [PATCH 2/7] add artifacthub

Signed-off-by: Boris 'B' Kurktchiev
---
 .../artifacthub-pkg.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/artifacthub-pkg.yml

diff --git a/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/artifacthub-pkg.yml b/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/artifacthub-pkg.yml
new file mode 100644
index 000000000..36060a4b6
--- /dev/null
+++ b/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/artifacthub-pkg.yml
@@ -0,0 +1,18 @@
+name: block-nginx-annotations-cve-2023-5043-cve-2023-5044
+version: 1.0.0
+displayName: Restrict Nginx Annotations
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+ Prevent the nginx-related CVE-2023-5043 and CVE-2023-5044 by blocking configuration-snippet and permanent-redirect annotations.
+install: |-
+ \```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/block-nginx-annotations-cve-2023-5043-cve-2023-5044.yaml
+ \```
+keywords:
+ - kyverno
+ - Security
+readme: |
+ This policy prevents the nginx-related CVE-2023-5043 and CVE-2023-5044 by blocking configuration-snippet and permanent-redirect annotations.
+annotations:
+ kyverno/category: "Security"
+ kyverno/subject: "Ingress"
From 7fb55fda36cf3d1e4c7309096a88d6f4a5d76330 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Mon, 29 Jul 2024 15:32:17 -0400
Subject: [PATCH 3/7] start adding in kube objects for testing
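Review bot: `createdAt: "2023-04-10T20:30:03.000Z"` predates this patch by more than a year and appears to predate the two CVEs the policy is named after, so it looks copied from another package's artifacthub-pkg.yml; it should be the date this policy was actually created. The `description` here ends with "permanent-redirect annotations." while the `policies.kyverno.io/description` in the ClusterPolicy from PATCH 1 ends at "permanent-redirect" — keep the two strings identical so Artifact Hub and the in-cluster policy describe the same behavior.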
Signed-off-by: Boris 'B' Kurktchiev
---
 .../.kyverno/bad-ingress-2.yaml | 19 +++++++++++++++++++
 .../.kyverno/bad-ingress.yaml | 18 ++++++++++++++++++
 .../.kyverno/good-ingress.yaml | 18 ++++++++++++++++++
 3 files changed, 55 insertions(+)
 create mode 100644 other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno/bad-ingress-2.yaml
 create mode 100644 other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno/bad-ingress.yaml
 create mode 100644 other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno/good-ingress.yaml

diff --git a/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno/bad-ingress-2.yaml b/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno/bad-ingress-2.yaml
new file mode 100644
index 000000000..29a16f316
--- /dev/null
+++ b/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno/bad-ingress-2.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: bad-ingress
+ annotations:
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ more_set_headers "Server: myserver";
+spec:
+ rules:
+ - host: myapp.example.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: myapp-service
+ port:
+ number: 80
diff --git a/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno/bad-ingress.yaml b/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno/bad-ingress.yaml
new file mode 100644
index 000000000..07da8c711
--- /dev/null
+++ b/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno/bad-ingress.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: bad-ingress
+ annotations:
+ nginx.ingress.kubernetes.io/permanent-redirect: https://example.com
+spec:
+ rules:
+ - host: myapp.example.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: myapp-service
+ port:
+ number: 80
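Review bot: `metadata.name: bad-ingress` in bad-ingress-2.yaml is the same name used by bad-ingress.yaml in the next hunk, so a Kyverno CLI test that reports results per resource name cannot distinguish the configuration-snippet fixture from the permanent-redirect one; rename them to something like `name: bad-ingress-snippet` and `name: bad-ingress-redirect`. Nothing in this series adds the `kyverno-test.yaml` that would apply the policy to these three resources, so as committed the fixtures are never executed by `kyverno test`; the manifest should expect `fail` for both bad fixtures and `pass` for good-ingress.yaml so that a later change to the pattern (for example widening it to other snippet keys) is caught.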
diff --git a/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno/good-ingress.yaml b/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno/good-ingress.yaml
new file mode 100644
index 000000000..14104caac
--- /dev/null
+++ b/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno/good-ingress.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: good-ingress
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+ rules:
+ - host: myapp.example.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: myapp-service
+ port:
+ number: 80
From c030131ed6d92b998d5a58003da2b75db2afdd25 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Mon, 29 Jul 2024 17:08:26 -0400
Subject: [PATCH 4/7] add annotations

Signed-off-by: Boris 'B' Kurktchiev
---
 ...lock-nginx-annotations-cve-2023-5043-cve-2023-5044.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/block-nginx-annotations-cve-2023-5043-cve-2023-5044.yaml b/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/block-nginx-annotations-cve-2023-5043-cve-2023-5044.yaml
index f54b9949b..8eefa05d5 100644
--- a/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/block-nginx-annotations-cve-2023-5043-cve-2023-5044.yaml
+++ b/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/block-nginx-annotations-cve-2023-5043-cve-2023-5044.yaml
@@ -4,9 +4,14 @@ metadata:
 name: block-nginx-annotations-cve-2023-5043-cve-2023-5044
 annotations:
 policies.kyverno.io/title: Restrict Nginx Annotations
+ policies.kyverno.io/category: "Security"
+ policies.kyverno.io/severity: "high"
+ kyverno.io/kyverno-version: "1.11.0"
+ kyverno.io/kubernetes-version: "1.27"
+ policies.kyverno.io/subject: "Ingress"
 policies.kyverno.io/description: >-
 Prevent the nginx-related CVE-2023-5043 and CVE-2023-5044 by blocking configuration-snippet and permanent-redirect
- pod-policies.kyverno.io/autogen-controllers: none
+
 spec:
 validationFailureAction: Audit
 background: true
From dd72225283d881a465f1e4d6518dbd665cbed676 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Tue, 30 Jul 2024 10:59:55 -0400
Subject: [PATCH 5/7] name the dir properly

Signed-off-by: Boris 'B' Kurktchiev
---
 .../{.kyverno => .kyverno-test}/bad-ingress-2.yaml | 0
 .../{.kyverno => .kyverno-test}/bad-ingress.yaml | 0
 .../{.kyverno => .kyverno-test}/good-ingress.yaml | 0
 3 files changed, 0 insertions(+), 0 deletions(-)
 rename other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/{.kyverno => .kyverno-test}/bad-ingress-2.yaml (100%)
 rename other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/{.kyverno => .kyverno-test}/bad-ingress.yaml (100%)
 rename other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/{.kyverno => .kyverno-test}/good-ingress.yaml (100%)

diff --git a/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno/bad-ingress-2.yaml b/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno-test/bad-ingress-2.yaml
similarity index 100%
rename from other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno/bad-ingress-2.yaml
rename to other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno-test/bad-ingress-2.yaml
diff --git a/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno/bad-ingress.yaml b/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno-test/bad-ingress.yaml
similarity index 100%
rename from other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno/bad-ingress.yaml
rename to other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno-test/bad-ingress.yaml
diff --git a/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno/good-ingress.yaml b/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno-test/good-ingress.yaml
similarity index 100%
rename from other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno/good-ingress.yaml
rename to other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno-test/good-ingress.yaml
From 8e239bb4c9a97a0f0903ef1a4d296c3f441c39d2 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Wed, 31 Jul 2024 10:24:30 -0400
Subject: [PATCH 6/7] update annotations

Signed-off-by: Boris 'B' Kurktchiev
---
 ...inx-annotations-cve-2023-5043-cve-2023-5044.yaml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/block-nginx-annotations-cve-2023-5043-cve-2023-5044.yaml b/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/block-nginx-annotations-cve-2023-5043-cve-2023-5044.yaml
index 8eefa05d5..ff2dc3fc2 100644
--- a/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/block-nginx-annotations-cve-2023-5043-cve-2023-5044.yaml
+++ b/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/block-nginx-annotations-cve-2023-5043-cve-2023-5044.yaml
@@ -4,14 +4,15 @@ metadata:
 name: block-nginx-annotations-cve-2023-5043-cve-2023-5044
 annotations:
 policies.kyverno.io/title: Restrict Nginx Annotations
- policies.kyverno.io/category: "Security"
- policies.kyverno.io/severity: "high"
- kyverno.io/kyverno-version: "1.11.0"
- kyverno.io/kubernetes-version: "1.27"
- policies.kyverno.io/subject: "Ingress"
+ policies.kyverno.io/category: Security
+ policies.kyverno.io/severity: high
+ kyverno.io/kyverno-version: 1.11.0
+ kyverno.io/kubernetes-version: 1.27
+ policies.kyverno.io/subject: Ingress
 policies.kyverno.io/description: >-
- Prevent the nginx-related CVE-2023-5043 and CVE-2023-5044 by blocking configuration-snippet and permanent-redirect
+ Prevent the nginx-related CVE-2023-5043 and CVE-2023-5044 by blocking configuration-snippet and permanent-redirect.
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
 
 spec:
 validationFailureAction: Audit
 background: true
From 75bc1dffe5b8abea0c9c8590443591f52d9a2e64 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Wed, 31 Jul 2024 13:49:34 -0400
Subject: [PATCH 7/7] add digest

Signed-off-by: Boris 'B' Kurktchiev
---
 .../artifacthub-pkg.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/artifacthub-pkg.yml b/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/artifacthub-pkg.yml
index 36060a4b6..a720e6ff4 100644
--- a/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/artifacthub-pkg.yml
+++ b/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/artifacthub-pkg.yml
@@ -16,3 +16,4 @@ readme: |
 annotations:
 kyverno/category: "Security"
 kyverno/subject: "Ingress"
+digest: acd909244a7e263b59b96cdc5a8723de7d206dee298d363097b1b1a122f85412
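Review bot: Dropping the quotes on `kyverno.io/kubernetes-version: 1.27` turns the value into a YAML float, and Kubernetes annotation values must be strings, so the API server (and the Kyverno CLI's manifest decoding) will reject the policy with an unmarshal error; this line must stay `kyverno.io/kubernetes-version: "1.27"`. The other four values unquoted in the same hunk (`Security`, `high`, `1.11.0`, `Ingress`) still parse as strings, so only this one regresses, but quoting every version-like annotation value is the safer convention and was what PATCH 4 had. The sentence appended to `policies.kyverno.io/description` pointing at the Artifact Hub annotation docs reads like a note to the policy author rather than a description of what the policy does; that field is shown to cluster users and should stick to the policy's behavior.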
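Review bot: The added `digest` is presumably a checksum over the policy file as of PATCH 6 and becomes stale the moment that file changes again — in particular, if the unquoted `kyverno.io/kubernetes-version: 1.27` from PATCH 6 is re-quoted, this value has to be regenerated in the same commit or Artifact Hub will index a package whose digest no longer matches its content. A one-line comment above it stating how it is produced and that it must be recomputed on every policy change would keep this maintainable, e.g. `# checksum of block-nginx-annotations-cve-2023-5043-cve-2023-5044.yaml; regenerate whenever the policy changes`.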