☑️ Prevent Ingress security vulnerability (CVE-2021-25742)
A vulnerability has been discovered in Kubernetes where users with limited access to a cluster, but with permission to create an Ingress object handled by the NGINX Ingress Controller, could escalate their privileges and read all cluster secrets (NVD severity of this issue: High).
More specifically, the server-snippet annotation lets an Ingress author inject arbitrary configuration, including Lua code, into the controller, and that code can execute dangerous system-level commands.
Objects targeted by this rule (kind): Ingress
Complexity: medium
Policy as code identifier: INGRESS_CVE2021_25742_INCORRECT_SERVER_SNIPPET_KEY
This rule will fail if the server-snippet annotation is used.
```yaml
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/server-snippet: |
      proxy_ssl_verify off;
```
Rule output in the CLI
```text
$ datree test *.yaml
>> File: failExample.yaml
❌ Prevent Ingress security vulnerability (CVE-2021-25742) [1 occurrence]
💡 Forbidden property object `server-snippet` - ingress-nginx custom snippets are not allowed
```
How to fix this failure
Refrain from using this vulnerable annotation.
```yaml
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
```
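To show what the rule actually evaluates, here is an added example checker (not Datree's or ingress-nginx's own code) that applies the same test as INGRESS_CVE2021_25742_INCORRECT_SERVER_SNIPPET_KEY to already-parsed manifests, such as the list `yaml.safe_load_all` or `json.load` returns. It reports every `Ingress` document carrying the `nginx.ingress.kubernetes.io/server-snippet` annotation, skips other kinds, and tolerates documents with no metadata, no annotations, or an empty YAML document. It goes one step beyond the page's rule with an optional `strict` mode that flags any `nginx.ingress.kubernetes.io/*-snippet` annotation (for example the real `configuration-snippet` annotation), which is closer to the CLI message's wording that custom snippets in general are not allowed. The sample manifests, their names (`fail-example` and so on) and the functions `is_custom_snippet`, `find_snippet_annotations` and `render_report` are all constructed for this example; nothing here is a Datree API.

```python
# Added example, not Datree's or ingress-nginx's own code: a minimal checker
# that mirrors INGRESS_CVE2021_25742_INCORRECT_SERVER_SNIPPET_KEY.
from typing import Any, List, Tuple

NGINX_PREFIX = "nginx.ingress.kubernetes.io/"
SERVER_SNIPPET = NGINX_PREFIX + "server-snippet"   # the annotation the rule forbids

# Constructed sample manifests, shaped like the documents a YAML/JSON parser returns.
SAMPLE_DOCS: List[Any] = [
    {   # fails: carries the forbidden server-snippet annotation
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {
            "name": "fail-example",
            "annotations": {
                "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS",
                SERVER_SNIPPET: "proxy_ssl_verify off;\n",
            },
        },
    },
    {   # passes the page's rule, but strict mode flags this other custom snippet
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {
            "name": "other-snippet",
            "annotations": {NGINX_PREFIX + "configuration-snippet": 'more_set_headers "X-Example: 1";\n'},
        },
    },
    {   # passes: only the harmless backend-protocol annotation remains
        "kind": "Ingress",
        "metadata": {"name": "pass-example",
                     "annotations": {"nginx.ingress.kubernetes.io/backend-protocol": "HTTPS"}},
    },
    # wrong kind: the rule only targets Ingress objects, so this is skipped
    {"kind": "Service", "metadata": {"name": "not-an-ingress", "annotations": {SERVER_SNIPPET: "x"}}},
    {"kind": "Ingress", "metadata": {"name": "no-annotations"}},   # edge case: annotations absent
    None,   # edge case: an empty YAML document (a trailing '---') parses to None
]


def is_custom_snippet(key: str, strict: bool) -> bool:
    """True for the forbidden server-snippet key; in strict mode, for any *-snippet key."""
    if key == SERVER_SNIPPET:
        return True
    return strict and key.startswith(NGINX_PREFIX) and key.endswith("-snippet")


def find_snippet_annotations(docs: List[Any], strict: bool = False) -> List[Tuple[int, str, str]]:
    """Return (document index, ingress name, annotation key) for every violation found."""
    violations: List[Tuple[int, str, str]] = []
    for index, doc in enumerate(docs):
        if not isinstance(doc, dict) or doc.get("kind") != "Ingress":
            continue                      # not an Ingress (or an empty document)
        metadata = doc.get("metadata") or {}
        if not isinstance(metadata, dict):
            continue                      # malformed metadata; a real engine would report a parse error
        annotations = metadata.get("annotations") or {}
        if not isinstance(annotations, dict):
            continue
        for key in annotations:
            if isinstance(key, str) and is_custom_snippet(key, strict):
                violations.append((index, metadata.get("name", "<unnamed>"), key))
    return violations


def render_report(violations: List[Tuple[int, str, str]]) -> List[str]:
    """One human-readable line per violation, in the spirit of the CLI output above."""
    return [
        f"doc {index} ({name}): forbidden annotation `{key}` - ingress-nginx custom snippets are not allowed"
        for index, name, key in violations
    ]


if __name__ == "__main__":
    for line in render_report(find_snippet_annotations(SAMPLE_DOCS)):
        print(line)
```

Running the block with the default (non-strict) setting reports only `fail-example`; `strict=True` also reports `other-snippet`. This manifest-side check complements, rather than replaces, the controller-side hardening: ingress-nginx exposes the `allow-snippet-annotations` key in its ConfigMap, and setting it to `false` makes the controller reject snippet annotations regardless of what a manifest author submits.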