A vulnerability (CVE-2021-25742) has been discovered in the Kubernetes ingress-nginx project where users with limited access to a cluster, but with permission to create or update an Ingress object handled by the NGINX Ingress Controller, can escalate privileges and read every Secret in the cluster (NVD severity of this issue: High).
More specifically, custom snippet annotations such as server-snippet let the Ingress author inject arbitrary NGINX configuration, including Lua code, into the controller's generated configuration. That configuration runs inside the controller pod under the controller's service account, which has cluster-wide read access to Secrets (it needs them for TLS), so the injected code can read and exfiltrate them.
Targeted objects by this rule (types of
Enabled by default? False
Policy as code identifier: INGRESS_CVE2021_25742_INCORRECT_SERVER_SNIPPET_KEY
This rule will fail if the `nginx.ingress.kubernetes.io/server-snippet` annotation is set on an Ingress.
Rule output in the CLI
$ datree test *.yaml
>> File: failExample.yaml
❌ Prevent Ingress security vulnerability (CVE-2021-25742) [1 occurrence]
💡 Forbidden property object `server-snippet` - ingress-nginx custom snippets are not allowed
How to fix this failure
Remove the `nginx.ingress.kubernetes.io/server-snippet` annotation from the Ingress and express the required behaviour with a dedicated ingress-nginx annotation instead. Cluster administrators should also disable custom snippets at the controller itself by setting `allow-snippet-annotations: "false"` in the ingress-nginx ConfigMap on controller versions that support it, so that a single Ingress author cannot reintroduce the problem regardless of what this manifest check catches.
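The following added example (not Datree's rule engine or ingress-nginx code) reimplements the check in Python so the failing and passing manifests can be inspected side by side. It assumes manifests are passed as Python dicts in the shape `yaml.safe_load()` or `kubectl get -o json` would return, so it runs without a YAML dependency; the sample manifests and the ConfigMap are constructed for illustration. It goes beyond the Datree rule in two ways: it flags every custom snippet annotation named in the upstream advisory, not only server-snippet, and it adds a check for the controller-side `allow-snippet-annotations` mitigation.

```python
"""Flag ingress-nginx custom-snippet annotations (CVE-2021-25742).

Added example; not code from Datree or the ingress-nginx project.
Manifests are passed as dicts in the shape yaml.safe_load() or
`kubectl get -o json` would return, so no YAML library is needed.
"""

# Datree's rule looks only at server-snippet. The upstream advisory
# covers every custom snippet annotation, so this check flags all of them.
SNIPPET_ANNOTATIONS = frozenset({
    "nginx.ingress.kubernetes.io/server-snippet",
    "nginx.ingress.kubernetes.io/configuration-snippet",
    "nginx.ingress.kubernetes.io/auth-snippet",
    "nginx.ingress.kubernetes.io/modsecurity-snippet",
    "nginx.ingress.kubernetes.io/stream-snippet",
})


def find_snippet_annotations(manifest):
    """Return the snippet annotation keys set on an Ingress manifest (sorted).

    Non-Ingress objects and Ingresses without snippets yield an empty list.
    """
    if manifest.get("kind") != "Ingress":
        return []
    annotations = (manifest.get("metadata") or {}).get("annotations") or {}
    return sorted(key for key in annotations if key in SNIPPET_ANNOTATIONS)


def snippets_disabled_in_configmap(configmap):
    """True only when the controller ConfigMap explicitly sets
    allow-snippet-annotations to "false" (the upstream mitigation).

    A missing key is treated as not hardened: older controller releases
    accepted snippets unless told otherwise.
    """
    data = configmap.get("data") or {}
    return str(data.get("allow-snippet-annotations", "")).strip().lower() == "false"


def scan(manifests):
    """Return one finding string per forbidden annotation, in manifest order."""
    findings = []
    for manifest in manifests:
        name = (manifest.get("metadata") or {}).get("name", "<unnamed>")
        for key in find_snippet_annotations(manifest):
            findings.append(f"{name}: forbidden annotation {key}")
    return findings


# Constructed sample manifests (not taken from any real cluster).
FAIL_EXAMPLE = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "demo-fail",
        "annotations": {
            # Whatever is written here is spliced verbatim into nginx.conf
            # inside the controller pod; a harmless directive is used here.
            "nginx.ingress.kubernetes.io/server-snippet": "add_header X-Demo demo;",
        },
    },
    "spec": {"rules": [{"host": "demo.example.internal"}]},
}

PASS_EXAMPLE = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "demo-pass",
        # A dedicated ingress-nginx annotation: no raw configuration injection.
        "annotations": {"nginx.ingress.kubernetes.io/ssl-redirect": "true"},
    },
    "spec": {"rules": [{"host": "demo.example.internal"}]},
}

HARDENED_CONFIGMAP = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
    "data": {"allow-snippet-annotations": "false"},
}

if __name__ == "__main__":
    for line in scan([FAIL_EXAMPLE, PASS_EXAMPLE, HARDENED_CONFIGMAP]):
        print("FAIL", line)
    print("controller hardened:", snippets_disabled_in_configmap(HARDENED_CONFIGMAP))
```

Running the script reports only `demo-fail`; the ConfigMap check is deliberately strict, treating an absent key as not hardened, because a manifest linter only sees what is committed and cannot know which controller version is deployed.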