Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent CVE-2023-2878 #1008

Draft
wants to merge 17 commits into
base: main
Choose a base branch
from

Conversation

kurktchiev
Copy link

Description

Prevent CVE-2023-2878

Checklist

  • I have read the policy contribution guidelines.
  • [] I have added test manifests and resources covering both positive and negative tests that prove this policy works as intended.
  • I have added the artifacthub-pkg.yml file and have verified it is complete and correct.

Signed-off-by: Boris 'B' Kurktchiev <boris.kurktchiev@nirmata.com>
@kurktchiev kurktchiev changed the title Prevent CVE-2023-2878 Prevent CVE-2023-2878 part1 May 14, 2024
@kurktchiev kurktchiev changed the title Prevent CVE-2023-2878 part1 Prevent CVE-2023-2878 May 14, 2024
kurktchiev and others added 5 commits May 14, 2024 19:02
Signed-off-by: Boris 'B' Kurktchiev <boris.kurktchiev@nirmata.com>
Note that the test for the CSI secret store are superfluous, unless you actually install a proper CSI driver, the test is kinda meaningless

Signed-off-by: Boris 'B' Kurktchiev <boris.kurktchiev@nirmata.com>
@kurktchiev
Copy link
Author

Note that the test for the CSI secret store are superfluous, unless you actually install a proper CSI driver, the test is kinda meaningless

match:
resources:
kinds:
- csidriver
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pretty sure this kind isn't correct. They are case sensitive.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

k get csidrivers.storage.k8s.io i am missing the s though

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A kubectl get operates differently from matching kinds. Singular vs. plural also matters. Have you actually tested this yourself with this resource?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i have tested in the playground, where it does pass?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You need to test this in a real cluster. Playground doesn't behave the same way when it comes to kind matching.

kurktchiev and others added 7 commits July 29, 2024 16:22
…eck-if-using-csi-secrets-store-driver-cve-2023-2878.yaml

Co-authored-by: Chip Zoller <chipzoller@gmail.com>
Signed-off-by: Boris 'B' Kurktchiev <kurktchiev@gmail.com>
…restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml

Co-authored-by: Chip Zoller <chipzoller@gmail.com>
Signed-off-by: Boris 'B' Kurktchiev <kurktchiev@gmail.com>
Signed-off-by: Boris 'B' Kurktchiev <boris.kurktchiev@nirmata.com>
Signed-off-by: Boris 'B' Kurktchiev <boris.kurktchiev@nirmata.com>
Signed-off-by: Boris 'B' Kurktchiev <boris.kurktchiev@nirmata.com>
Signed-off-by: Boris 'B' Kurktchiev <boris.kurktchiev@nirmata.com>
Signed-off-by: Boris 'B' Kurktchiev <boris.kurktchiev@nirmata.com>
@kurktchiev kurktchiev marked this pull request as ready for review July 30, 2024 11:54
Signed-off-by: Boris 'B' Kurktchiev <boris.kurktchiev@nirmata.com>
Copy link
Contributor

@chipzoller chipzoller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't see any test cases for these two policies, just some test resources.

@kurktchiev kurktchiev marked this pull request as draft August 6, 2024 20:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: No status
Development

Successfully merging this pull request may close these issues.

2 participants