Restrict External IPs
Service externalIPs can be used for a MITM attack (CVE-2020-8554): anyone who can create or update a Service can set `spec.externalIPs` to an address the cluster does not own, and kube-proxy will then redirect traffic from pods and nodes that is destined for that address to the Service's pods. Restrict externalIPs entirely, or limit them to a known set of addresses. See: https://github.com/kyverno/kyverno/issues/1367. This policy validates that the `externalIPs` field is not set on a Service. As shipped it runs with `validationFailureAction: audit`, so offending Services are reported but not rejected; set it to `enforce` to have the admission request denied.
Policy Definition
/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-external-ips
  annotations:
    policies.kyverno.io/title: Restrict External IPs
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Service
    policies.kyverno.io/description: >-
      Service externalIPs can be used for a MITM attack (CVE-2020-8554).
      Restrict externalIPs or limit to a known set of addresses.
      See: https://github.com/kyverno/kyverno/issues/1367. This policy validates
      that the `externalIPs` field is not set on a Service.
spec:
  # audit only reports violations; change to enforce to reject the request
  validationFailureAction: audit
  # also scan Services that already exist, not just new admission requests
  background: true
  rules:
    - name: check-ips
      match:
        any:
        - resources:
            kinds:
              - Service
      validate:
        message: "externalIPs are not allowed."
        pattern:
          spec:
            # restrict external IP addresses
            # you can alternatively restrict to a known set of addresses using:
            # =(externalIPs): ["37.10.11.53", "153.10.20.1"]
            # X() is Kyverno's negation anchor: the field must be absent
            X(externalIPs): "null"
```
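To make the decision the rule encodes concrete, here is an added example, my own code rather than Kyverno's or anything from the policy library: the same check written as a standalone validating-webhook style function, covering both the shipped variant (the field must be absent) and the commented-out allow-list alternative. The Service manifests, the AdmissionReview object and its uid are constructed for the example, and the allow-list branch is my reading of `=(externalIPs): [...]`, so confirm Kyverno's pattern semantics for arrays before treating the two as equivalent.

```python
# Added example, not part of the Kyverno policy library: a small admission-style
# check that mirrors the two variants of the restrict-external-ips rule. All
# manifests and the AdmissionReview below are constructed samples.
import ipaddress
import json
from typing import Dict, Iterable, Optional, Tuple

DENY_MESSAGE = "externalIPs are not allowed."


def validate_service(service: Dict, allowed_ips: Optional[Iterable[str]] = None) -> Tuple[bool, str]:
    """Return (allowed, message) for one Kubernetes object.

    allowed_ips=None mirrors the shipped rule (X(externalIPs): the field must be
    absent; an empty list still counts as present). Passing an allow-list mirrors
    the commented-out alternative as I read it: every entry in spec.externalIPs
    must be one of the known addresses.
    """
    if service.get("kind") != "Service":
        return True, "rule only matches Service"
    external_ips = service.get("spec", {}).get("externalIPs")
    if external_ips is None:
        return True, "no externalIPs set"
    if allowed_ips is None:
        return False, DENY_MESSAGE
    # Canonicalise the allow-list; ip_address() rejects anything that is not a
    # well-formed address and gives a normalised string for comparison.
    known = {str(ipaddress.ip_address(ip)) for ip in allowed_ips}
    for ip in external_ips:
        try:
            addr = str(ipaddress.ip_address(ip))
        except ValueError:
            return False, f"externalIP {ip!r} is not a valid IP address"
        if addr not in known:
            return False, f"externalIP {ip} is not in the allowed set"
    return True, "all externalIPs are in the allowed set"


def admission_response(review: Dict, allowed_ips: Optional[Iterable[str]] = None) -> Dict:
    """Build the AdmissionReview response a validating webhook would return."""
    request = review["request"]
    ok, msg = validate_service(request["object"], allowed_ips)
    response = {"uid": request["uid"], "allowed": ok}
    if not ok:
        response["status"] = {"code": 403, "message": msg}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


# Constructed sample manifests (not from any real cluster).
PLAIN_SERVICE = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {"selector": {"app": "web"}, "ports": [{"port": 80}]},
}
# A Service claiming an address it does not own (203.0.113.10 is a documentation
# range address chosen for the example); with CVE-2020-8554 this is what lets
# its pods receive traffic meant for that address.
HIJACKING_SERVICE = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "evil", "namespace": "shop"},
    "spec": {"selector": {"app": "evil"}, "ports": [{"port": 443}],
             "externalIPs": ["203.0.113.10"]},
}
# A Service using one of the addresses from the page's example allow-list.
KNOWN_SERVICE = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "edge", "namespace": "shop"},
    "spec": {"selector": {"app": "edge"}, "ports": [{"port": 443}],
             "externalIPs": ["37.10.11.53"]},
}
KNOWN_EXTERNAL_IPS = ["37.10.11.53", "153.10.20.1"]

# A constructed AdmissionReview such as the API server would POST to a webhook.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "constructed-uid-0001", "operation": "CREATE",
                "kind": {"group": "", "version": "v1", "kind": "Service"},
                "object": HIJACKING_SERVICE},
}

if __name__ == "__main__":
    for svc in (PLAIN_SERVICE, HIJACKING_SERVICE, KNOWN_SERVICE):
        name = svc["metadata"]["name"]
        print(name, "strict:", validate_service(svc),
              "allow-list:", validate_service(svc, KNOWN_EXTERNAL_IPS))
    print(json.dumps(admission_response(SAMPLE_REVIEW), indent=2))
```

The strict branch denies an empty `externalIPs: []` as well, because the negation anchor tests for presence, not contents; the allow-list branch lets an empty list through, which is the behaviour you usually want if you switch to the `=(externalIPs)` form.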