add nginx cve mitigation policy #182

Closed
wants to merge 3 commits into from
@@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: validate-nginx-ingress-controller
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready
38 changes: 38 additions & 0 deletions cve-mitigation/cve-2024-7646/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,38 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: validate-nginx-ingress-controller
spec:
steps:
- name: step-01
try:
- apply:
file: ../validate-nginx-ingress-controller.yaml
- patch:
resource:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: validate-nginx-ingress-controller
spec:
validationFailureAction: Enforce
- assert:
file: chainsaw-step-01-assert-1.yaml
- name: step-02
try:
- apply:
file: pod-good.yaml
- apply:
expect:
- check:
($error != null): true
file: pod-bad.yaml
- apply:
file: podcontroller-good.yaml
- apply:
expect:
- check:
($error != null): true
file: podcontroller-bad.yaml
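Review bot: step-02 never exercises two of the three rules, because it only applies Pod and Deployment fixtures while validate-ingress-annotations and validate-auth-tls-verify-client match only `Ingress`; the annotated pods and deployments in pod-bad.yaml and podcontroller-bad.yaml will therefore be admitted and the `($error != null): true` expectations will fail. Add ingress-good/ingress-bad fixtures (one carrying a `nginx.ingress.kubernetes.io/server-snippet`, one with `auth-tls-verify-client: "skip"`, one with `"on"`) and keep the Pod/Deployment fixtures for the image-version rule only. The `patch` in step-01 setting `validationFailureAction: Enforce` is redundant, since validate-nginx-ingress-controller.yaml already sets Enforce; either drop it or extend chainsaw-step-01-assert-1.yaml to assert on `spec.validationFailureAction` so the patch is actually checked.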
40 changes: 40 additions & 0 deletions cve-mitigation/cve-2024-7646/.chainsaw-test/pod-bad.yaml
@@ -0,0 +1,40 @@
apiVersion: v1
kind: Pod
metadata:
name: badpod01-new
annotations:
nginx.ingress.kubernetes.io/server-snippet: |
add_header X-Safe-Header "Safe Content";
add_header X-Vuln-Header "Benign\r
HTTP/1.1 200 OK
Content-Type: text/html

<script>alert('XSS');</script>
--------";
return 200 "Original Content";
spec:
containers:
- name: nginx-controller
image: registry.k8s.io/ingress-nginx/controller:v1.11.3
---
apiVersion: v1
kind: Pod
metadata:
name: badpod02-new
spec:
containers:
- name: nginx-controller
image: registry.k8s.io/ingress-nginx/controller:v1.11.1
- name: nginx-controller-1
image: registry.k8s.io/ingress-nginx/controller:v1.10.9
---
apiVersion: v1
kind: Pod
metadata:
name: badpod03-new
annotations:
nginx.ingress.kubernetes.io/auth-tls-verify-client: "skip"
spec:
containers:
- name: nginx-controller
image: registry.k8s.io/ingress-nginx/controller:v1.11.3
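Review bot: none of these three pods is rejected by the policy as written, so this fixture cannot serve as the negative case. badpod01 and badpod03 put `server-snippet` and `auth-tls-verify-client: "skip"` on a Pod, but both annotation rules match `Ingress` only; badpod02 has the right old tags (v1.11.1, v1.10.9) but its containers are named `nginx-controller`, which the version rule's `[?(@.name=='controller')]` filter skips, leaving an empty list for `AnyIn`. Move the two annotation cases into an Ingress fixture and name the container `controller` (or drop the name filter in the policy). Side note on badpod01: inside a `|` block scalar `\r` is a literal backslash followed by `r`, not a carriage return, so the value does not actually contain the CRLF the `X-Vuln-Header` line implies; that does not matter for a presence check, but a double-quoted YAML string with `\r\n` escapes would match the intent.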
10 changes: 10 additions & 0 deletions cve-mitigation/cve-2024-7646/.chainsaw-test/pod-good.yaml
@@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: goodpod01-new
annotations:
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
spec:
containers:
- name: nginx-controller
image: registry.k8s.io/ingress-nginx/controller:v1.11.3
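Review bot: goodpod01 passes for the wrong reason, so it does not prove the allow path: the `auth-tls-verify-client: "on"` annotation sits on a Pod, which the Ingress-scoped rule never evaluates, and the container name `nginx-controller` does not satisfy `[?(@.name=='controller')]`, so v1.11.3 is never compared against the deny list. Rename the container to `controller` (matching the policy) and move the annotation to an Ingress fixture, so that this pod is admitted because v1.11.3 is not in the list rather than because the rule produced nothing to compare.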
67 changes: 67 additions & 0 deletions cve-mitigation/cve-2024-7646/.chainsaw-test/podcontroller-bad.yaml
@@ -0,0 +1,67 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: baddeployment01-new
annotations:
nginx.ingress.kubernetes.io/server-snippet: |
add_header X-Safe-Header "Safe Content";
add_header X-Vuln-Header "Benign\r
HTTP/1.1 200 OK
Content-Type: text/html

<script>alert('XSS');</script>
--------";
return 200 "Original Content";
spec:
replicas: 1
selector:
matchLabels:
app: app
template:
metadata:
labels:
app: app
spec:
containers:
- name: nginx-controller
image: registry.k8s.io/ingress-nginx/controller:v1.11.3
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: baddeployment02-new
spec:
replicas: 1
selector:
matchLabels:
app: app
template:
metadata:
labels:
app: app
spec:
containers:
- name: nginx-controller
image: registry.k8s.io/ingress-nginx/controller:v1.10.8
- name: nginx-controller-1
image: registry.k8s.io/ingress-nginx/controller:v1.9.8
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: baddeployment03-new
annotations:
nginx.ingress.kubernetes.io/auth-tls-verify-client: "skip"
spec:
replicas: 1
selector:
matchLabels:
app: app
template:
metadata:
labels:
app: app
spec:
containers:
- name: nginx-controller
image: registry.k8s.io/ingress-nginx/controller:v1.11.5
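Review bot: all three deployments here will be admitted, for the same reasons as pod-bad.yaml plus one specific to controllers. baddeployment01 and baddeployment03 carry the annotations on the Deployment's own `metadata`, but the two annotation rules match `Ingress`, and Kyverno's autogen only derives controller rules from rules that match `Pod`, so nothing inspects those annotations. baddeployment02 has genuinely old tags (v1.10.8, v1.9.8) but names its containers `nginx-controller` and `nginx-controller-1`, which the policy's `[?(@.name=='controller')]` filter skips. Once the annotation cases move to Ingress fixtures, note that baddeployment03 runs v1.11.5, which the version rule allows, so it has nothing bad left and should be dropped or given an old tag. Also consider giving the three deployments distinct `matchLabels` values; they currently all select `app: app`.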
@@ -0,0 +1,21 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: gooddeployment01-new
annotations:
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
spec:
replicas: 1
selector:
matchLabels:
app: app
template:
metadata:
labels:
app: app
spec:
containers:
- name: nginx-controller
image: registry.k8s.io/ingress-nginx/controller:v1.11.3
- name: nginx-controller-1
image: registry.k8s.io/ingress-nginx/controller:v1.11.4
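Review bot: gooddeployment01 is admitted regardless of the policy, so it does not demonstrate the allow path through the autogenerated Deployment rule: the containers are named `nginx-controller` and `nginx-controller-1`, neither of which matches `[?(@.name=='controller')]`, and the `auth-tls-verify-client` annotation on Deployment metadata is not evaluated by an Ingress-scoped rule. Name one container `controller` so v1.11.3 is actually checked against the deny list, and move the annotation to an Ingress fixture.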
7 changes: 7 additions & 0 deletions cve-mitigation/cve-2024-7646/README.md
@@ -0,0 +1,7 @@
A new Kubernetes vulnerability, [CVE-2024-7646](https://nvd.nist.gov/vuln/detail/CVE-2024-7646), has recently been identified and demands urgent attention from security professionals and DevOps teams. This vulnerability severely threatens the security of systems using the widely adopted ingress-nginx controller, potentially allowing attackers to bypass annotation validation and gain unauthorized access to critical cluster resources.

To resolve the CVE-2024-7646 vulnerability in Kubernetes environments using ingress-nginx, it’s critical to take immediate steps:

1. Upgrade Ingress-NGINX: The most effective measure is to upgrade ingress-nginx to version 1.11.2 or higher. This version contains the necessary security patches to mitigate the vulnerability, preventing attackers from exploiting the annotation validation bypass.
1. Restrict Annotations: Explicitly disallow the nginx.ingress.kubernetes.io/server-snippet annotation to further safeguard your system. This step ensures that no unauthorized or potentially malicious configurations can be injected.
1. Enforce TLS Client Verification: Set the auth-tls-verify-client annotation to either ‘on,’ ‘off,’ ‘optional,’ or ‘optional_no_ca’ values. This enforces stricter control over TLS client authentication, reducing the attack surface by ensuring that only correctly authenticated clients can interact with your services.
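Review bot: step 2 says only `nginx.ingress.kubernetes.io/server-snippet` is disallowed, but the policy's pattern key `X(*-snippet)` rejects every annotation whose key ends in `-snippet`, from any system; either scope the policy key to the `nginx.ingress.kubernetes.io/` prefix and document that all ingress-nginx snippet annotations are blocked, or narrow the policy to match this text. The opening "A new Kubernetes vulnerability" misdescribes the CVE, which the same sentence correctly locates in the ingress-nginx controller rather than Kubernetes itself. Step 3 should also say what the policy does when an Ingress carries no `auth-tls-verify-client` annotation at all, since the rule as written does not define that case.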
@@ -0,0 +1,68 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: validate-nginx-ingress-controller
annotations:
policies.kyverno.io/title: CVE-2024-7646 Nginx Ingress Controller
policies.kyverno.io/category: Mitigate CVEs
policies.kyverno.io/severity: critical
policies.kyverno.io/description: >-
A security issue was discovered in ingress-nginx where an actor with permission to create Ingress objects (in the `networking.k8s.io` or `extensions` API group) can bypass annotation validation to inject arbitrary commands and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster. (Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-7646)
spec:
validationFailureAction: Enforce
background: true
rules:
- name: validate-ingress-annotations
match:
resources:
kinds:
- Ingress
validate:
message: "The annotation nginx.ingress.kubernetes.io/server-snippet is not allowed."
pattern:
metadata:
annotations:
X(*-snippet): "?*"
- name: validate-auth-tls-verify-client
match:
resources:
kinds:
- Ingress
validate:
message: "auth-tls-verify-client annotation must be one of 'on', 'off', 'optional', or 'optional_no_ca'."
deny:
conditions:
any:
- key: "{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/auth-tls-verify-client\"}}"
operator: AnyNotIn
value:
- "on"
- "off"
- "optional"
- "optional_no_ca"

- name: deny-lower-ingress-nginx-controller-versions
match:
resources:
kinds:
- Pod
validate:
message: "The ingress-nginx controller image version must be v1.11.2 or greater."
deny:
conditions:
- key: "{{ request.object.spec.containers[?(@.name=='controller')].image }}"
operator: AnyIn
value:
- "registry.k8s.io/ingress-nginx/controller:v1.11.0"
- "registry.k8s.io/ingress-nginx/controller:v1.11.1"
- "registry.k8s.io/ingress-nginx/controller:v1.10.*"
- "registry.k8s.io/ingress-nginx/controller:v1.9.*"
- "registry.k8s.io/ingress-nginx/controller:v1.8.*"
- "registry.k8s.io/ingress-nginx/controller:v1.7.*"
- "registry.k8s.io/ingress-nginx/controller:v1.6.*"
- "registry.k8s.io/ingress-nginx/controller:v1.5.*"
- "registry.k8s.io/ingress-nginx/controller:v1.4.*"
- "registry.k8s.io/ingress-nginx/controller:v1.3.*"
- "registry.k8s.io/ingress-nginx/controller:v1.2.*"
- "registry.k8s.io/ingress-nginx/controller:v1.1.*"
- "registry.k8s.io/ingress-nginx/controller:v1.0.*"
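Review bot: in validate-ingress-annotations, `annotations:` under `metadata` is a required key in the pattern, so an Ingress with no annotations at all fails this rule with the misleading message "server-snippet is not allowed"; use the conditional anchor `=(annotations):` and scope the negated key to `X(nginx.ingress.kubernetes.io/*-snippet): "?*"` so unrelated annotations ending in `-snippet` are not caught (or change the message to say all ingress-nginx snippet annotations are blocked). In validate-auth-tls-verify-client, `{{request.object.metadata.annotations."nginx.ingress.kubernetes.io/auth-tls-verify-client"}}` has no default, so for an Ingress that does not carry the annotation the variable resolves to nothing; add a precondition that the annotation exists, or append `|| ''` and decide explicitly whether an absent annotation is denied (the README reads as if it should be, the good fixtures as if "on" is merely one valid value). In deny-lower-ingress-nginx-controller-versions, `containers[?(@.name=='controller')].image` only inspects a container literally named `controller`; every fixture in this PR names it `nginx-controller`, so the key is an empty list and `AnyIn` never matches. Match on the image repository rather than the container name, e.g. iterate `request.object.spec.containers[].image`, and note the limits of the tag denylist: an image pinned by digest, pulled from a mirror registry, or tagged v0.x is not in the list and is allowed, so a precondition on the repository combined with Kyverno's `semver_compare` on the tag against `<1.11.2` is both narrower and easier to maintain than enumerating every minor series.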