Restrict Edit for Endpoints CVE-2021-25740
Clusters not initially installed with Kubernetes 1.22 may be vulnerable to an issue defined in CVE-2021-25740 which could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack. This was due to the system:aggregate-to-edit ClusterRole having edit permission of Endpoints. This policy, intended to run in background mode, checks if your cluster is vulnerable to CVE-2021-25740 by ensuring the system:aggregate-to-edit ClusterRole does not have the edit permission of Endpoints.
Policy Definition
/other/restrict-edit-for-endpoints/restrict-edit-for-endpoints.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-edit-for-endpoints
  annotations:
    policies.kyverno.io/title: Restrict Edit for Endpoints CVE-2021-25740
    policies.kyverno.io/category: Security
    policies.kyverno.io/severity: low
    policies.kyverno.io/subject: ClusterRole
    kyverno.io/kyverno-version: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      Clusters not initially installed with Kubernetes 1.22 may be vulnerable to an issue
      defined in CVE-2021-25740 which could enable users to send network traffic to locations
      they would otherwise not have access to via a confused deputy attack. This was due to
      the system:aggregate-to-edit ClusterRole having edit permission of Endpoints.
      This policy, intended to run in background mode, checks if your cluster is vulnerable
      to CVE-2021-25740 by ensuring the system:aggregate-to-edit ClusterRole does not have
      the edit permission of Endpoints.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: system-aggregate-to-edit-check
    match:
      any:
      - resources:
          kinds:
          - ClusterRole
          names:
          - system:aggregate-to-edit
    validate:
      message: >-
        This cluster may still be vulnerable to CVE-2021-25740. The system:aggregate-to-edit ClusterRole
        should not have edit permission over Endpoints.
      deny:
        conditions:
          all:
          - key: edit
            operator: AnyIn
            value: "{{ request.object.rules[?resources[?contains(@,'endpoints')]].verbs[] }}"
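The following script is an added example, not part of the Kyverno policy library, that performs the same check outside the Kyverno engine: it walks a ClusterRole's rules the way the policy's JMESPath expression does (every rule whose resources mention "endpoints") and reports the verbs granted. RBAC has no "edit" verb, so this script assumes that "edit permission" means any of the write verbs create, update, patch, delete, deletecollection, or the wildcard "*"; the two sample roles are constructed, not copied from a cluster.

```python
"""Stand-alone check with the same intent as the Kyverno policy above.

Reads a ClusterRole as JSON on stdin (for example the output of
`kubectl get clusterrole system:aggregate-to-edit -o json`) and reports the
verbs it grants on Endpoints. RBAC has no "edit" verb; write access is
spelled out as create, update, patch, delete and deletecollection, so those
(or "*") are what this script treats as edit permission (an assumption).
"""
import json
import sys
from typing import Dict, List

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def endpoint_verbs(cluster_role: Dict) -> List[str]:
    """Verbs from every rule whose resources mention 'endpoints'.

    Mirrors the policy's JMESPath:
    rules[?resources[?contains(@,'endpoints')]].verbs[]
    """
    verbs: List[str] = []
    for rule in cluster_role.get("rules", []):
        if any("endpoints" in res for res in rule.get("resources", [])):
            verbs.extend(rule.get("verbs", []))
    return verbs


def has_endpoint_write(cluster_role: Dict) -> bool:
    """True when the role still grants a write verb on Endpoints."""
    return bool(set(endpoint_verbs(cluster_role)) & WRITE_VERBS)


# Constructed samples shaped like system:aggregate-to-edit rules.
PRE_FIX_ROLE = {"rules": [
    {"apiGroups": [""], "resources": ["configmaps", "endpoints", "services"],
     "verbs": ["create", "delete", "deletecollection", "patch", "update"]},
]}
POST_FIX_ROLE = {"rules": [
    {"apiGroups": [""], "resources": ["configmaps", "services"],
     "verbs": ["create", "delete", "deletecollection", "patch", "update"]},
    {"apiGroups": [""], "resources": ["endpoints"],
     "verbs": ["get", "list", "watch"]},
]}

if __name__ == "__main__":
    role = json.load(sys.stdin)
    verbs = sorted(set(endpoint_verbs(role)))
    if has_endpoint_write(role):
        print(f"VULNERABLE: write verbs on endpoints: {verbs}")
        sys.exit(1)
    print(f"OK: endpoints verbs {verbs} contain no write verb")
```

A non-zero exit on a finding makes the script usable as a one-off audit step in the same audit-only spirit as the policy's `validationFailureAction: audit`.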