Prevent CVE-2024-3177

other/secrets-not-from-env-vars-cve-2024-3177/.chainsaw-test/bad-pod.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: bad-pod
+  annotations:
+    kubernetes.io/enforce-mountable-secrets: "true"
+spec:
+  containers:
+  - name: my-container
+    image: nginx
+    envFrom:
+    - secretRef:
+        name: my-secret
+  initContainers:
+  - name: init-container
+    image: busybox
+    command: ["sh", "-c", "echo init"]
+    envFrom:
+    - secretRef:
+        name: init-secret
+  ephemeralContainers:
+  - name: ephemeral-container
+    image: busybox
+    command: ["sh", "-c", "echo ephemeral"]
+    envFrom:
+    - secretRef:
+        name: ephemeral-secret

other/secrets-not-from-env-vars-cve-2024-3177/.chainsaw-test/chainsaw-step-01-assert-1.yaml

@@ -0,0 +1,5 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: secrets-not-from-env-vars-cve-2024-3177
+  ready: true

other/secrets-not-from-env-vars-cve-2024-3177/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,29 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: secrets-not-from-env-vars-cve-2024-3177
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../secrets-not-from-env-vars-cve-2024-3177.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: secrets-not-from-env-vars-cve-2024-3177
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: good-pod.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: bad-pod.yaml

other/secrets-not-from-env-vars-cve-2024-3177/.chainsaw-test/good-pod.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: good-pod
+  annotations:
+    kubernetes.io/enforce-mountable-secrets: "true"
+spec:
+  containers:
+  - name: my-container
+    image: nginx
+    env:
+    - name: EXAMPLE_VAR
+      value: "example"
+  initContainers:
+  - name: init-container
+    image: busybox
+    command: ["sh", "-c", "echo init"]
+    env:
+    - name: INIT_VAR
+      value: "init"
+  ephemeralContainers:
+  - name: ephemeral-container
+    image: busybox
+    command: ["sh", "-c", "echo ephemeral"]
+    env:
+    - name: EPHEMERAL_VAR
+      value: "ephemeral"

other/secrets-not-from-env-vars-cve-2024-3177/artifacthub-pkg.yml

@@ -0,0 +1,22 @@
+name: secrets-not-from-env-vars-cve-2024-3177
+version: 1.0.0
+displayName: secrets-not-from-env-vars-cve-2024-3177
+createdAt: "2024-07-31T00:00:00.000Z"
+description: >-
+  Secrets used as environment variables containing sensitive information may, if not carefully controlled, be printed in log output which could be visible to unauthorized people and captured in forwarding applications. This policy specifically blocks CVE-2024-3177
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/secrets-not-from-env-vars-cve-2024-3177/secrets-not-from-env-vars-cve-2024-3177.yaml
+  ```
+keywords:
+  - kyverno
+  - Security
+readme: |
+  Secrets used as environment variables containing sensitive information may, if not carefully controlled, be printed in log output which could be visible to unauthorized people and captured in forwarding applications. This policy specifically blocks CVE-2024-3177.
+
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Security"
+  kyverno/kubernetesVersion: "1.27"
+  kyverno/subject: "Pod"
+digest: 220166ead57270008b045345679c51dd586f59c7ca2bad24d213c07b9549b099

other/secrets-not-from-env-vars-cve-2024-3177/secrets-not-from-env-vars-cve-2024-3177.yaml

@@ -0,0 +1,46 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: secrets-not-from-env-vars-cve-2024-3177
+  annotations:
+    policies.kyverno.io/title: Secrets not from env vars (CVE-2024-3177)
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/severity: low
+    policies.kyverno.io/subject: Pod, Secret
+    kyverno.io/kubernetes-version: 1.27
+    kyverno.io/kyverno-version: 1.11.0
+    policies.kyverno.io/description: >-
+      Secrets used as environment variables containing sensitive information may, if not carefully controlled,
+      be printed in log output which could be visible to unauthorized people and captured in forwarding
+      applications. This policy specifically blocks CVE-2024-3177
+
+      Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: secrets-not-from-envfrom-cve-2024-3177
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: "Secrets must not come from envFrom statements. CVE-2024-3177"
+      pattern:
+        metadata:
+          annotations:
+            kubernetes.io/enforce-mountable-secrets: "true"
+        spec:
+          =(ephemeralContainers):
+            - name: "*"
+              =(envFrom):
+              - X(secretRef): "null"
+          =(initContainers):
+            - name: "*"
+              =(envFrom):
+              - X(secretRef): "null"
+          containers:
+            - name: "*"
+              =(envFrom):
+              - X(secretRef): "null"