New Kubernetes Ingress-nginx Vulnerability Alert: CVE-2021-25742

New Kubernetes Ingress-nginx Vulnerability Alert: CVE-2021-25742

On October 21st, 2021,  a CVE with respect to ingress-nginx was released by the Kubernetes Security Team where an attacker who can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster 

This issue affects clusters that are configured for multi-tenancy with non-root users who have access to configure ingress-objects. They can use the custom snippets feature in the ingress-object to obtain all secrets in the cluster.

Details

Here are the details on the CVE-2021-25742: A user with privilege to create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster. This issue has been rated High and it is recommended to make sure that Kubernetes clusters with ingress-nginx enabled are not exposed with it.

Resolution

This issue cannot be fixed only by upgrading the ingress-nginx. After upgrading ingress-nginx to a version that allows mitigation (>= v0.49.1 or >= v1.0.1), edit the ConfigMap to set the allow-snippet-annotations to false in your ingress-nginx ConfigMap

data:
allow-snippet-annotations: “false”

Recommended Mitigation with Kyverno

One simple approach to solving this issue is to use Kyverno, an open-source Kubernetes native policy engine. Kyverno is a Kubernetes native policy engine that can validate, mutate and generate configuration and resources based on conditions. Kyverno’s admission control webhook  can execute a simple policy that disables allow-snippet-annotations in the ingress-nginx configuration and blocks *-snippet annotations on an Ingress

Here is a two-step process to implement the fix with Kyverno: 

Step-1: Deploy Kyverno in your cluster. Instructions available here.

Step-2: Add a policy to disable allow-snippet-annotations using a yaml based policy as shown below:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-ingress-nginx-custom-snippets
  annotations:
    policies.kyverno.io/title: Disallow Custom Snippets
    policies.kyverno.io/category: Best Practice
    policies.kyverno.io/subject: ConfigMap, Ingress
    policies.kyverno.io/minversion: 1.4.3
    policies.kyverno.io/description: >-
      Users that can create or update ingress objects can use the custom snippets 
      feature to obtain all secrets in the cluster (CVE-2021-25742). This policy 
      disables allow-snippet-annotations in the ingress-nginx configuration and 
      blocks *-snippet annotations on an Ingress.
      See: https://github.com/kubernetes/ingress-nginx/issues/7837      
spec:
  validationFailureAction: enforce
  rules:
    - name: check-config-map
      message: "ingress-nginx allow-snippet-annotations must be set to false"
      match:
        resources:
          kinds:
            - ConfigMap      
      validate:
        pattern:
          =(data):
            =(allow-snippet-annotations) : "false"
    - name: check-ingress-annotations
      message: "ingress-nginx custom snippets are not allowed"
      match:
        resources:
          kinds:
            - Ingress      
      validate:
        pattern:
          metadata:
            =(annotations):
              X(*-snippets): "?*"

This policy can further be enhanced to match configMaps or ingress with certain labels. If your organization policy requires labels for each application you deploy then you can update this policy to match the resources with certain labels:

- name: check-config-map
      match:
        resources:
          kinds:
            - ConfigMap
      preconditions:
        - key: "{{ request.object.metadata.labels.application }}"
          operator: Equal
          value: "nginx"
      validate:
        message: "ingress-nginx allow-snippet-annotations must be set to false"
        pattern:
          =(data):
            =(allow-snippet-annotations) : "false"

The above rule matches any configMap that has a label with key as application and value as nginx. The value can also be a wild card something like “*nginx*” which applies to any value that includes nginx. 

There are other sample policies available here.

For any assistance with Kyverno, please open an issue here.

Introducing Kyverno 1.5.0: Tackling complex policies with ease! Featuring Cosign, ForEach, CLI test, and Dynamic Webhooks
No Comments

Post a Comment