Prevent CVE-2023-5043 and CVE-2023-5044

other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno-test/bad-ingress-2.yaml

@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: bad-ingress
+  annotations:
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      more_set_headers "Server: myserver";
+spec:
+  rules:
+  - host: myapp.example.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: myapp-service
+            port:
+              number: 80

other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno-test/bad-ingress.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: bad-ingress
+  annotations:
+    nginx.ingress.kubernetes.io/permanent-redirect: https://example.com
+spec:
+  rules:
+  - host: myapp.example.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: myapp-service
+            port:
+              number: 80

other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/.kyverno-test/good-ingress.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: good-ingress
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+  rules:
+  - host: myapp.example.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: myapp-service
+            port:
+              number: 80

other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/artifacthub-pkg.yml

@@ -0,0 +1,19 @@
+name: block-nginx-annotations-cve-2023-5043-cve-2023-5044
+version: 1.0.0
+displayName: Restrict Nginx Annotations
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+  Prevent the nginx-related CVE-2023-5043 and CVE-2023-5044 by blocking configuration-snippet and permanent-redirect annotations.
+install: |-
+  \```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/block-nginx-annotations-cve-2023-5043-cve-2023-5044.yaml
+  \```
+keywords:
+  - kyverno
+  - Security
+readme: |
+  This policy prevents the nginx-related CVE-2023-5043 and CVE-2023-5044 by blocking configuration-snippet and permanent-redirect annotations.
+annotations:
+  kyverno/category: "Security"
+  kyverno/subject: "Ingress"
+digest: acd909244a7e263b59b96cdc5a8723de7d206dee298d363097b1b1a122f85412

other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/block-nginx-annotations-cve-2023-5043-cve-2023-5044.yaml

@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-nginx-annotations-cve-2023-5043-cve-2023-5044
+  annotations:
+    policies.kyverno.io/title: Restrict Nginx Annotations
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/severity: high
+    kyverno.io/kyverno-version: 1.11.0
+    kyverno.io/kubernetes-version: 1.27
+    policies.kyverno.io/subject: Ingress
+    policies.kyverno.io/description: >-
+      Prevent the nginx-related CVE-2023-5043 and CVE-2023-5044 by blocking configuration-snippet and permanent-redirect.
+
+      Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: block-nginx-annotations-cve-2023-5043-cve-2023-5044
+    match:
+      any:
+      - resources:
+          kinds:
+          - Ingress
+    validate:
+      message: Cannot use nginx.ingress.kubernetes.io annotations for configuration-snippet or permanent-redirect, remediating CVE-2023-5043 and CVE-2023-5044
+      pattern:
+        metadata:
+          =(annotations):
+            X(nginx.ingress.kubernetes.io/configuration-snippet): "*" # CVE-2023-5043
+            X(nginx.ingress.kubernetes.io/permanent-redirect): "*" # CVE-2023-5044