☑️ Prevent ConfigMap security vulnerability (CVE-2021-25742)

A vulnerability has been discovered in Kubernetes where users with limited access to a cluster, but with the ability to create an Ingress object handled by the NGINX Ingress Controller, could escalate their privileges and read every secret in the cluster (NVD severity of this issue: High).

More specifically, a user who can create or update Ingress objects can use the custom snippets feature to obtain all secrets in the cluster. The controller's allow-snippet-annotations configuration is set to true by default, so a ConfigMap that does not override it leaves the feature enabled.

Resources targeted by this rule (kind): ConfigMap

Enabled by default? False

Policy as code identifier: CONFIGMAP_CVE2021_25742_INCORRECT_SNIPPET_ANNOTATIONS_VALUE

This rule will fail

If the allow-snippet-annotations configuration is not set, or is explicitly set to 'true'.
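The following is an added example, not Datree's own implementation: a minimal policy check that mirrors the rule above, applied to a ConfigMap as the dict a YAML loader would produce. The sample manifests and the ConfigMap name ingress-nginx-controller are constructed for illustration; the rule fails when allow-snippet-annotations is absent or 'true' and passes only when it is explicitly 'false'.

```python
# Added example, not the page's or Datree's code. A ConfigMap fails the
# check when allow-snippet-annotations is missing (controller default is
# true) or explicitly "true"; it passes only when the key is "false".
# Manifests are plain dicts (what a YAML loader returns) so the example
# needs no third-party dependency.

RULE_ID = "CONFIGMAP_CVE2021_25742_INCORRECT_SNIPPET_ANNOTATIONS_VALUE"
KEY = "allow-snippet-annotations"


def check_configmap(manifest: dict) -> tuple:
    """Return (passed, reason) for one manifest; non-ConfigMaps pass."""
    if manifest.get("kind") != "ConfigMap":
        return True, "not a ConfigMap; rule does not apply"
    name = (manifest.get("metadata") or {}).get("name", "<unnamed>")
    value = (manifest.get("data") or {}).get(KEY)
    if value is None:
        # Key absent: the controller falls back to its default of true.
        return False, f"{RULE_ID}: {name} does not set {KEY} (defaults to true)"
    # ConfigMap data values are strings; normalise before comparing.
    normalised = str(value).strip().lower()
    if normalised == "false":
        return True, f"{name} disables custom snippets"
    if normalised == "true":
        return False, f"{RULE_ID}: {name} sets {KEY} to true"
    # Conservative choice (assumption): anything that is not "false" fails.
    return False, f"{RULE_ID}: {name} has unexpected {KEY} value {value!r}"


# Constructed sample manifests; the name is a placeholder, not from the page.
_META = {"name": "ingress-nginx-controller"}
VULNERABLE_DEFAULT = {"apiVersion": "v1", "kind": "ConfigMap",
                      "metadata": _META, "data": {}}
VULNERABLE_EXPLICIT = {"apiVersion": "v1", "kind": "ConfigMap",
                       "metadata": _META, "data": {KEY: "true"}}
FIXED = {"apiVersion": "v1", "kind": "ConfigMap",
         "metadata": _META, "data": {KEY: "false"}}


if __name__ == "__main__":
    for manifest in (VULNERABLE_DEFAULT, VULNERABLE_EXPLICIT, FIXED):
        passed, reason = check_configmap(manifest)
        print("PASS" if passed else "FAIL", "-", reason)
```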


Rule output in the CLI


How to fix this failure

