On October 21st, 2021, the Kubernetes Security Team disclosed a CVE in ingress-nginx: an attacker who can create or update Ingress objects can use the custom snippets feature to obtain all secrets in the cluster.
This issue affects multi-tenant clusters in which non-admin users are allowed to create or update Ingress objects. Such a user can add a custom snippet annotation to an Ingress and use it to read every Secret in the cluster.
Details
Here are the details of CVE-2021-25742: a user with privileges to create or update Ingress objects can use the custom snippets feature to obtain all secrets in the cluster. The issue is rated High, and any Kubernetes cluster running ingress-nginx should be checked and mitigated so that it is not exposed to it.
Resolution
This issue cannot be fixed by upgrading ingress-nginx alone. After upgrading to a release that supports the mitigation (v0.49.1 or later on the 0.x line, v1.0.1 or later on the 1.x line), set allow-snippet-annotations to "false" in the ingress-nginx ConfigMap; the setting is not off by default in these releases:
data:
  allow-snippet-annotations: "false"
Recommended Mitigation with Kyverno
One simple approach is Kyverno, an open-source, Kubernetes-native policy engine that can validate, mutate and generate configuration and resources based on conditions. Kyverno's admission webhook can enforce a simple policy that requires allow-snippet-annotations to be "false" in the ingress-nginx ConfigMap and rejects any Ingress that carries a *-snippet annotation (such as nginx.ingress.kubernetes.io/server-snippet or nginx.ingress.kubernetes.io/configuration-snippet).
Here is a two-step process to implement the fix with Kyverno:
Step-1: Deploy Kyverno in your cluster. Installation instructions are in the Kyverno documentation.
Step-2: Add the following YAML policy, which enforces allow-snippet-annotations: "false" on ConfigMaps and blocks snippet annotations on Ingress objects:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-ingress-nginx-custom-snippets
  annotations:
    policies.kyverno.io/title: Disallow Custom Snippets
    policies.kyverno.io/category: Best Practice
    policies.kyverno.io/subject: ConfigMap, Ingress
    policies.kyverno.io/minversion: 1.4.3
    policies.kyverno.io/description: >-
      Users that can create or update ingress objects can use the custom snippets
      feature to obtain all secrets in the cluster (CVE-2021-25742). This policy
      disables allow-snippet-annotations in the ingress-nginx configuration and
      blocks *-snippet annotations on an Ingress.
      See: https://github.com/kubernetes/ingress-nginx/issues/7837
spec:
  validationFailureAction: enforce
  rules:
  - name: check-config-map
    match:
      resources:
        kinds:
        - ConfigMap
    validate:
      # message belongs under validate, not at the rule level
      message: "ingress-nginx allow-snippet-annotations must be set to false"
      pattern:
        # =() is a conditional anchor: the value is only checked when the key exists
        =(data):
          =(allow-snippet-annotations): "false"
  - name: check-ingress-annotations
    match:
      resources:
        kinds:
        - Ingress
    validate:
      message: "ingress-nginx custom snippets are not allowed"
      pattern:
        metadata:
          =(annotations):
            # X() is a negation anchor: no annotation key may match the wildcard.
            # ingress-nginx annotation names end in "-snippet" (server-snippet,
            # configuration-snippet), so the pattern must be *-snippet, not *-snippets.
            X(*-snippet): "?*"
Two caveats before enforcing this. First, both anchors in check-config-map are conditional (=()), so a ConfigMap that omits the allow-snippet-annotations key entirely passes, and in the ingress-nginx releases above the key defaults to true when it is absent; to require the key to be present and "false", drop the =() around allow-snippet-annotations, which then makes it important to scope the rule to the controller's ConfigMap rather than every ConfigMap in the cluster. Second, the policy can be narrowed to ConfigMaps or Ingresses with particular labels. If your organization requires labels on each deployed application, you can update the rule to match only resources carrying those labels:
  - name: check-config-map
    match:
      resources:
        kinds:
        - ConfigMap
    preconditions:
    - key: "{{ request.object.metadata.labels.application }}"
      operator: Equal
      value: "nginx"
    validate:
      message: "ingress-nginx allow-snippet-annotations must be set to false"
      pattern:
        =(data):
          =(allow-snippet-annotations): "false"
The rule above only applies to ConfigMaps that carry the label application with the value nginx; a ConfigMap without that label is skipped. The precondition value may also contain wildcards, for example "*nginx*", to match any value that includes nginx. The same narrowing can be expressed without preconditions through a label selector under match.resources.selector.matchLabels.
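To see concretely what the two validation rules accept and reject before enforcing them on a cluster, here is an added example (not code from the original post, and not Kyverno's engine): a small Python model of the subset of Kyverno pattern semantics the policy relies on, namely the =() conditional anchor, the X() negation anchor, wildcard keys and the "?*" non-empty value, run against a few constructed ConfigMap and Ingress objects. It shows that the ConfigMap rule accepts a ConfigMap that omits the key entirely, and that the annotation key pattern has to be *-snippet rather than *-snippets, because ingress-nginx annotation names (nginx.ingress.kubernetes.io/server-snippet, configuration-snippet) end in -snippet. The sample objects, the ConfigMap name ingress-nginx-controller and the tenant namespace are constructed for the example.

```python
"""Added example: offline model of the two validation rules in the policy above.

This is NOT Kyverno's engine. It reimplements only the subset of pattern
semantics the policy uses, so the rules can be exercised without a cluster:
  =(key)   conditional anchor: checked only when the key is present
  X(key)   negation anchor: no key matching the wildcard may be present
  "*", "?" wildcards in keys and values; "?*" means any non-empty string
"""
import fnmatch


def wildcard_match(pattern: str, value: str) -> bool:
    # Kyverno wildcards: "*" any run of characters (including "/"), "?" one character.
    return fnmatch.fnmatchcase(value, pattern)


def split_anchor(key: str):
    """Return (anchor, bare_key): '=(data)' -> ('=', 'data'), 'metadata' -> (None, 'metadata')."""
    if len(key) > 3 and key[0] in "=X" and key[1] == "(" and key.endswith(")"):
        return key[0], key[2:-1]
    return None, key


def matches_pattern(pattern, obj) -> bool:
    """True if obj satisfies pattern under the simplified semantics above."""
    if isinstance(pattern, dict):
        if not isinstance(obj, dict):
            return False
        for pkey, pval in pattern.items():
            anchor, key = split_anchor(pkey)
            hits = [k for k in obj if wildcard_match(key, k)]
            if anchor == "X":
                if hits:            # any key matching the wildcard is a violation
                    return False
                continue
            if not hits:
                if anchor == "=":   # conditional anchor: an absent key is fine
                    continue
                return False        # plain key: must be present
            if not all(matches_pattern(pval, obj[k]) for k in hits):
                return False
        return True
    if isinstance(pattern, str):
        return isinstance(obj, str) and wildcard_match(pattern, obj)
    return pattern == obj


# The two patterns from the ClusterPolicy, as Python dicts.
CONFIGMAP_PATTERN = {"=(data)": {"=(allow-snippet-annotations)": "false"}}
INGRESS_PATTERN = {"metadata": {"=(annotations)": {"X(*-snippet)": "?*"}}}
# Same rule with the key written "*-snippets": matches no real ingress-nginx annotation.
INGRESS_PATTERN_PLURAL = {"metadata": {"=(annotations)": {"X(*-snippets)": "?*"}}}


def configmap_allowed(cm: dict) -> bool:
    return matches_pattern(CONFIGMAP_PATTERN, cm)


def ingress_allowed(ing: dict, pattern: dict = INGRESS_PATTERN) -> bool:
    return matches_pattern(pattern, ing)


# Constructed sample objects (assumed names; not taken from any real cluster).
def _cm(data: dict) -> dict:
    return {"apiVersion": "v1", "kind": "ConfigMap",
            "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
            "data": data}


def _ingress(annotations: dict) -> dict:
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
            "metadata": {"name": "tenant-app", "namespace": "tenant-a",
                         "annotations": annotations}}


CM_SNIPPETS_ON = _cm({"allow-snippet-annotations": "true"})
CM_SNIPPETS_OFF = _cm({"allow-snippet-annotations": "false"})
CM_KEY_ABSENT = _cm({"use-forwarded-headers": "true"})   # falls back to the controller default
INGRESS_WITH_SNIPPET = _ingress({"nginx.ingress.kubernetes.io/server-snippet": "return 444;"})
INGRESS_PLAIN = _ingress({"nginx.ingress.kubernetes.io/rewrite-target": "/"})

if __name__ == "__main__":
    for label, ok in [
        ("ConfigMap allow-snippet-annotations=true ", configmap_allowed(CM_SNIPPETS_ON)),
        ("ConfigMap allow-snippet-annotations=false", configmap_allowed(CM_SNIPPETS_OFF)),
        ("ConfigMap key absent (default applies)   ", configmap_allowed(CM_KEY_ABSENT)),
        ("Ingress with server-snippet, *-snippet   ", ingress_allowed(INGRESS_WITH_SNIPPET)),
        ("Ingress with server-snippet, *-snippets  ",
         ingress_allowed(INGRESS_WITH_SNIPPET, INGRESS_PATTERN_PLURAL)),
        ("Ingress without snippet annotations      ", ingress_allowed(INGRESS_PLAIN)),
    ]:
        print(f"{label}: {'allowed' if ok else 'DENIED'}")
```

Running it prints that the ConfigMap with the key set to "true" and the Ingress with a server-snippet are denied, while the ConfigMap with the key absent and the Ingress checked against the plural *-snippets pattern are allowed; the latter two are exactly the gaps to close (require the key on the controller's ConfigMap, and keep the singular *-snippet) before relying on the policy. For the real thing, the same manifests can be fed to the Kyverno CLI rather than this model.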
Other sample policies are available in the Kyverno policy library.
For assistance with Kyverno, please open an issue on the Kyverno GitHub repository.