☑️ Prevent ConfigMap security vulnerability (CVE-2021-25742)
A vulnerability has been discovered in Kuberenetes where users with limited access to a Kubernetes cluster, but with the ability to create an Ingress object based on the NGINX Ingress Controller, could elevate privilege and access full cluster secrets (NVD severity of this issue: High).
More specifically, a user who can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster. The allow-snippet-annotations
configuration is set to true
by default.
Targeted resources by this rule (types of kind
): ConfigMap
Enabled by default? False
Policy as code identifier: CONFIGMAP_CVE2021_25742_INCORRECT_SNIPPET_ANNOTATIONS_VALUE
This rule will fail
If the allow-snippet-annotations
configuration is not set, or set explicitly to 'true'.
kind: ConfigMap
data:
proxy-connect-timeout: "10"
Rule output in the CLI
$ datree test *.yaml
>> File: failExample.yaml
❌ Prevent ConfigMap security vulnerability (CVE-2021-25742) [1 occurrence]
💡 Missing property object `allow-snippet-annotations` - set it to 'false' to override default behaviour
How to fix this failure
kind: ConfigMap
data:
allow-snippet-annotations: "false"