Restrict Edit for Endpoints CVE-2021-25740

Clusters not initially installed with Kubernetes 1.22 may be vulnerable to an issue described in CVE-2021-25740, which could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack. This is due to the system:aggregate-to-edit ClusterRole having edit permission on Endpoints. This policy, intended to run in background mode, checks whether your cluster is vulnerable to CVE-2021-25740 by ensuring the system:aggregate-to-edit ClusterRole does not have edit permission on Endpoints.

Policy Definition

/other/restrict-edit-for-endpoints/restrict-edit-for-endpoints.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-edit-for-endpoints
  annotations:
    policies.kyverno.io/title: Restrict Edit for Endpoints CVE-2021-25740
    policies.kyverno.io/category: Security
    policies.kyverno.io/severity: low
    policies.kyverno.io/subject: ClusterRole
    kyverno.io/kyverno-version: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      Clusters not initially installed with Kubernetes 1.22 may be vulnerable to an issue
      defined in CVE-2021-25740 which could enable users to send network traffic to locations
      they would otherwise not have access to via a confused deputy attack. This was due to
      the system:aggregate-to-edit ClusterRole having edit permission of Endpoints.
      This policy, intended to run in background mode, checks if your cluster is vulnerable
      to CVE-2021-25740 by ensuring the system:aggregate-to-edit ClusterRole does not have
      the edit permission of Endpoints.
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: system-aggregate-to-edit-check
      match:
        any:
        - resources:
            kinds:
            - ClusterRole
            names:
            - system:aggregate-to-edit
      validate:
        message: >-
          This cluster may still be vulnerable to CVE-2021-25740. The system:aggregate-to-edit ClusterRole
          should not have edit permission over Endpoints.
        deny:
          conditions:
            all:
            - key: edit
              operator: AnyIn
              value: "{{ request.object.rules[?resources[?contains(@,'endpoints')]].verbs[] }}"
```
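The JMESPath expression in the deny condition collects the verbs of every rule that grants access to `endpoints`. The Python below is an added example, not Kyverno's code, that performs the same collection in plain Python and runs it against two constructed ClusterRoles: one shaped like a system:aggregate-to-edit role carried over from a pre-1.22 install (write verbs on Endpoints) and one shaped like the fixed role (read-only). It assumes that "edit" on Endpoints means any RBAC write verb (create/update/patch/delete/deletecollection) or the wildcard `*`.

```python
# Added example (not Kyverno's own code): reproduce the policy's check in plain Python
# so it can be exercised against constructed ClusterRole objects offline.
# Assumption: "edit" is interpreted as any RBAC write verb or the wildcard "*".
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def endpoint_verbs(cluster_role: dict) -> list[str]:
    """Mirror of the policy's JMESPath:
    rules[?resources[?contains(@,'endpoints')]].verbs[]
    Flatten the verbs of every rule whose resources list names 'endpoints'."""
    verbs = []
    for rule in cluster_role.get("rules", []):
        # contains(@,'endpoints') is a substring match on each resource string
        if any("endpoints" in r for r in rule.get("resources", [])):
            verbs.extend(rule.get("verbs", []))
    return verbs


def grants_endpoint_write(cluster_role: dict) -> bool:
    """True when the role can modify Endpoints, i.e. the CVE-2021-25740 condition."""
    return bool(WRITE_VERBS & set(endpoint_verbs(cluster_role)))


# Constructed sample: shape of system:aggregate-to-edit left over from a pre-1.22 install.
VULNERABLE_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "system:aggregate-to-edit"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "services", "endpoints"],
         "verbs": ["create", "delete", "deletecollection", "patch", "update"]},
        {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed sample: shape after the fix, Endpoints only readable through the edit role.
FIXED_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "system:aggregate-to-edit"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "services"],
         "verbs": ["create", "delete", "deletecollection", "patch", "update"]},
        {"apiGroups": [""], "resources": ["endpoints"], "verbs": ["get", "list", "watch"]},
    ],
}


if __name__ == "__main__":
    for role in (VULNERABLE_ROLE, FIXED_ROLE):
        print(role["metadata"]["name"], "endpoint verbs:", endpoint_verbs(role),
              "-> write access:", grants_endpoint_write(role))
```

To run it against a live cluster, feed the output of `kubectl get clusterrole system:aggregate-to-edit -o json` into `grants_endpoint_write`.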