Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent CVE-2024-3177 #1007

Draft
wants to merge 21 commits into
base: main
Choose a base branch
from
Draft

Prevent CVE-2024-3177 #1007

wants to merge 21 commits into from

Conversation

kurktchiev
Copy link

Description

Simple policy to check and prevent CVE-2024-3177

Checklist

  • I have read the policy contribution guidelines.
  • [] I have added test manifests and resources covering both positive and negative tests that prove this policy works as intended.
  • I have added the artifacthub-pkg.yml file and have verified it is complete and correct.

kurktchiev and others added 4 commits May 14, 2024 18:26
@kurktchiev
create policy and artifact-pkg
8eeff43 
Signed-off-by: Boris 'B' Kurktchiev <boris.kurktchiev@nirmata.com>
@kurktchiev
make sure we are in Audit mode
97c03e0 
Signed-off-by: Boris 'B' Kurktchiev <boris.kurktchiev@nirmata.com>
@kurktchiev
add a date to artifact hub
f0b2ee4 
Signed-off-by: Boris 'B' Kurktchiev <boris.kurktchiev@nirmata.com>
@kurktchiev
Merge branch 'kyverno:main' into secrets-not-from-env-vars-cve-2024-3177
99948ec
@chipzoller
Copy link
Contributor

Ping again on these, @kurktchiev

kurktchiev and others added 4 commits July 23, 2024 11:01
@kurktchiev
Merge branch 'kyverno:main' into secrets-not-from-env-vars-cve-2024-3177
f980aad
@kurktchiev
Merge branch 'main' into secrets-not-from-env-vars-cve-2024-3177
e4a8eff
@kurktchiev
add good and bad objects
901a4ab 
Signed-off-by: Boris 'B' Kurktchiev <boris.kurktchiev@nirmata.com>
@kurktchiev
add kube version
da3cc80 
Signed-off-by: Boris 'B' Kurktchiev <boris.kurktchiev@nirmata.com>
@kurktchiev kurktchiev marked this pull request as ready for review July 30, 2024 11:54
chipzoller
chipzoller suggested changes Jul 30, 2024
View reviewed changes
Copy link
Contributor

@chipzoller chipzoller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No test cases associated with this policy, just a couple of test resources.

chipzoller
chipzoller suggested changes Jul 31, 2024
View reviewed changes
Copy link
Contributor

@chipzoller chipzoller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And reminder about tests.

other/secrets-not-from-env-vars-cve-2024-3177/secrets-not-from-env-vars-cve-2024-3177.yaml Show resolved Hide resolved
other/secrets-not-from-env-vars-cve-2024-3177/secrets-not-from-env-vars-cve-2024-3177.yaml Outdated Show resolved Hide resolved
other/secrets-not-from-env-vars-cve-2024-3177/secrets-not-from-env-vars-cve-2024-3177.yaml
pattern:
metadata:
annotations:
kubernetes.io/enforce-mountable-secrets: "true"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be a conditional check? I.e., if this annotation is set to true, then the pattern must be satisfied?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sure will fix

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need the annotation at all?

Seems to me that the policy would be more widely applicable without it.

other/secrets-not-from-env-vars-cve-2024-3177/secrets-not-from-env-vars-cve-2024-3177.yaml Outdated Show resolved Hide resolved
other/secrets-not-from-env-vars-cve-2024-3177/artifacthub-pkg.yml Outdated Show resolved Hide resolved
other/secrets-not-from-env-vars-cve-2024-3177/artifacthub-pkg.yml Outdated Show resolved Hide resolved
other/secrets-not-from-env-vars-cve-2024-3177/artifacthub-pkg.yml Outdated Show resolved Hide resolved
other/secrets-not-from-env-vars-cve-2024-3177/artifacthub-pkg.yml Outdated Show resolved Hide resolved
other/secrets-not-from-env-vars-cve-2024-3177/artifacthub-pkg.yml Outdated Show resolved Hide resolved
other/secrets-not-from-env-vars-cve-2024-3177/artifacthub-pkg.yml Outdated Show resolved Hide resolved
kurktchiev and others added 13 commits July 31, 2024 08:51
@kurktchiev @chipzoller
Update other/secrets-not-from-env-vars-cve-2024-3177/secrets-not-from…
127938f 
…-env-vars-cve-2024-3177.yaml

Co-authored-by: Chip Zoller <chipzoller@gmail.com>
Signed-off-by: Boris 'B' Kurktchiev <kurktchiev@gmail.com>
@kurktchiev @chipzoller
Update other/secrets-not-from-env-vars-cve-2024-3177/secrets-not-from…
aa97eb2 
…-env-vars-cve-2024-3177.yaml

Co-authored-by: Chip Zoller <chipzoller@gmail.com>
Signed-off-by: Boris 'B' Kurktchiev <kurktchiev@gmail.com>
@kurktchiev @chipzoller
Update other/secrets-not-from-env-vars-cve-2024-3177/artifacthub-pkg.yml
d2bc6b3 
Co-authored-by: Chip Zoller <chipzoller@gmail.com>
Signed-off-by: Boris 'B' Kurktchiev <kurktchiev@gmail.com>
@kurktchiev @chipzoller
Update other/secrets-not-from-env-vars-cve-2024-3177/artifacthub-pkg.yml
1f6690e 
Co-authored-by: Chip Zoller <chipzoller@gmail.com>
Signed-off-by: Boris 'B' Kurktchiev <kurktchiev@gmail.com>
@kurktchiev @chipzoller
Update other/secrets-not-from-env-vars-cve-2024-3177/artifacthub-pkg.yml
e6b2b27 
Co-authored-by: Chip Zoller <chipzoller@gmail.com>
Signed-off-by: Boris 'B' Kurktchiev <kurktchiev@gmail.com>
@kurktchiev
Merge branch 'main' into secrets-not-from-env-vars-cve-2024-3177
55366ac
@kurktchiev @chipzoller
Update other/secrets-not-from-env-vars-cve-2024-3177/artifacthub-pkg.yml
4cddd5f 
Co-authored-by: Chip Zoller <chipzoller@gmail.com>
Signed-off-by: Boris 'B' Kurktchiev <kurktchiev@gmail.com>
@kurktchiev @chipzoller
Update other/secrets-not-from-env-vars-cve-2024-3177/secrets-not-from…
3377269 
…-env-vars-cve-2024-3177.yaml

Co-authored-by: Chip Zoller <chipzoller@gmail.com>
Signed-off-by: Boris 'B' Kurktchiev <kurktchiev@gmail.com>
@kurktchiev
updat edescription
73f9875 
Signed-off-by: Boris 'B' Kurktchiev <boris.kurktchiev@nirmata.com>
@kurktchiev
fix suggestions
657be9a 
Signed-off-by: Boris 'B' Kurktchiev <boris.kurktchiev@nirmata.com>
@kurktchiev
update digest
203e2f1 
Signed-off-by: Boris 'B' Kurktchiev <boris.kurktchiev@nirmata.com>
@kurktchiev
Merge branch 'main' into secrets-not-from-env-vars-cve-2024-3177
46ea9ed
@kurktchiev
add tests
6876562 
Signed-off-by: Boris 'B' Kurktchiev <boris.kurktchiev@nirmata.com>
@kurktchiev kurktchiev marked this pull request as draft August 6, 2024 20:37
JimBugwadia
JimBugwadia requested changes Aug 26, 2024
View reviewed changes
other/secrets-not-from-env-vars-cve-2024-3177/secrets-not-from-env-vars-cve-2024-3177.yaml
pattern:
metadata:
annotations:
kubernetes.io/enforce-mountable-secrets: "true"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need the annotation at all?

Seems to me that the policy would be more widely applicable without it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chipzoller chipzoller chipzoller requested changes

@JimBugwadia JimBugwadia JimBugwadia requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
Good First Issues
Status: No status
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kurktchiev @chipzoller @JimBugwadia