☑️ Prevent ConfigMap security vulnerability (CVE-2021-25742)

A vulnerability has been discovered in Kuberenetes where users with limited access to a Kubernetes cluster, but with the ability to create an Ingress object based on the NGINX Ingress Controller, could elevate privilege and access full cluster secrets (NVD severity of this issue: High).

More specifically, a user who can create or update NGINX ingress objects can use the custom snippets feature to obtain all secrets in the cluster. The allow-snippet-annotations configuration is set to true by default.

To affect NGINX ConfigMaps only, this rule will look for one or more of the following resource properties:

metadata.name:

• nginx-config
• nginx-conf
• ingress-nginx-controller

metadata.namespace:

• ingress-nginx
• nginx-ingress

Targeted resources by this rule (types of kind): ConfigMap

Enabled by default? False

Policy as code identifier: CONFIGMAP_CVE2021_25742_INCORRECT_SNIPPET_ANNOTATIONS_VALUE

---

This rule will fail

If the metadata.name key AND/OR the metadata.namespace key have one of the values listed above, AND the allow-snippet-annotations configuration is not set, or set explicitly to 'true'.

kind: ConfigMap
metadata:
  name: nginx-config
data:
  proxy-connect-timeout: "10"

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent ConfigMap security vulnerability (CVE-2021-25742) [1 occurrence]
💡 Missing property object `allow-snippet-annotations` - set it to 'false' to override default behaviour

---

How to fix this failure

kind: ConfigMap
metadata:
  namespace: nginx-ingress
data:
  allow-snippet-annotations: "false"

---

Read more

• CVE-2021-25742: Ingress-nginx custom snippets allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces

• ConfigMap - NGINX Ingress Controller