diff --git a/other/block-proc-self-cve-2024-21626/artifacthub-pkg.yml b/other/block-proc-self-cve-2024-21626/artifacthub-pkg.yml
new file mode 100644
index 000000000..413fa1e59
--- /dev/null
+++ b/other/block-proc-self-cve-2024-21626/artifacthub-pkg.yml
@@ -0,0 +1,19 @@
+name: block-proc-self-cve-2024-21626
+version: 1.0.0
+displayName: Block /proc/self Usage CVE-2024-21626
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+ This policy blocks the use of /proc/self/cwd in containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/security/block-proc-self-cve-2024-21626.yaml
+ ```
+keywords:
+ - kyverno
+ - Security
+readme: |
+ This policy blocks the use of /proc/self/cwd in containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626.
+annotations:
+ kyverno/category: "Security"
+ kyverno/subject: "Pod"
+digest: cddd7183145097fdbcae9d24bcada421a353ab4a64479b191112c1d03c73a249
diff --git a/other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml b/other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml
new file mode 100644
index 000000000..009ae1169
--- /dev/null
+++ b/other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml
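Review bot: The install command `kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/security/block-proc-self-cve-2024-21626.yaml` points at a path this commit does not create; the policy is added at `other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml`, and the other artifacthub-pkg.yml hunks use the `other/<dir>/<file>` form, so this one should read `kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml`. `createdAt: "2023-04-10T20:30:03.000Z"` predates the CVE the package is about and is repeated verbatim in the block-proc-self-mounting, check-container-run-time and disallow-proc-self-fd-workingdir artifacthub-pkg.yml hunks, which suggests a copied template; it presumably should carry each package's real creation date. Since `description` and `readme` hold identical text, a reader gets no pointer to which workloads or request types the policy actually covers, so the readme is the place to say it matches exec requests rather than pod creation.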
@@ -0,0 +1,42 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-proc-self-cve-2024-21626
+ annotations:
+ policies.kyverno.io/title: Block /proc/self Usage CVE-2024-21626
+ policies.kyverno.io/category: Security
+ policies.kyverno.io/severity: high
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: 1.26
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ This policy blocks the use of /proc/self/cwd in containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: container-exec-block-proc-self
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod/exec
+ validate:
+ message: "Pod {{ request.object.metadata.namespace }}/{{ request.object.metadata.name }} cannot use /proc/self/cwd, CVE-2024-21626"
+ deny:
+ conditions:
+ any:
+ - key: "{{ request.object.spec.containers[].args[] | contains(@, '/proc/self/cwd') }}"
+ operator: Equals
+ value: true
+ - key: "{{ request.object.spec.initContainers[].args[] | contains(@, '/proc/self/cwd') }}"
+ operator: Equals
+ value: true
+ - key: "{{ request.object.spec.ephemeralContainers[].args[] | contains(@, '/proc/self/cwd') }}"
+ operator: Equals
+ value: true
+ - key: "{{ request.object.command | contains(@, '/proc/self/cwd') }}"
+ operator: Equals
+ value: true
diff --git a/other/block-proc-self-mounting-cve-2024-21626/artifacthub-pkg.yml b/other/block-proc-self-mounting-cve-2024-21626/artifacthub-pkg.yml
new file mode 100644
index 000000000..c2567c09b
--- /dev/null
+++ b/other/block-proc-self-mounting-cve-2024-21626/artifacthub-pkg.yml
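Review bot: The rule matches only `Pod/exec`, yet three of the four deny conditions read `request.object.spec.containers[].args[]`, `request.object.spec.initContainers[].args[]` and `request.object.spec.ephemeralContainers[].args[]`, which presumably are not present on the exec subresource's request object (that object carries `command`, which the fourth condition uses), so the args checks can never fire, while pod creation with `/proc/self/cwd` in `args` is not matched at all because `Pod` is absent from `kinds`; either add `- Pod` to `kinds` or move the three args conditions into a second rule that matches `Pod`. The `message` interpolates `request.object.metadata.namespace` and `request.object.metadata.name`, which likewise presumably resolve to nothing on an exec request, so the audit entry would not identify the pod. JMESPath `contains` applied to an array tests element equality, so `contains(@, '/proc/self/cwd')` only catches an argument that is exactly that string; a substring test such as `contains(to_string(request.object.command), '/proc/self/cwd')` also catches the path embedded in a longer argument. `kyverno.io/kubernetes-version: 1.26` is an unquoted number and annotation values must be strings, so write `kyverno.io/kubernetes-version: "1.26"` (the same applies to the `1.27` values in the block-proc-self-mounting and check-container-run-time policy hunks). This policy records its version under `policies.kyverno.io/minversion` while the other three in the commit use `kyverno.io/kyverno-version`; the metadata should use one key consistently.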
@@ -0,0 +1,19 @@
+name: block-proc-self-mounting-cve-2024-21626
+version: 1.0.0
+displayName: Block /proc/self/fd Image Layers CVE-2024-21626
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+ This policy blocks the use of container images that have /proc/self/fd/ in their layers to mitigate the risk associated with CVE-2024-21626.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml
+ ```
+keywords:
+ - kyverno
+ - Security
+readme: |
+ This policy blocks the use of container images that have /proc/self/fd/ in their layers to mitigate the risk associated with CVE-2024-21626.
+annotations:
+ kyverno/category: "Security"
+ kyverno/subject: "Pod"
+digest: 318dc86c41623c157282c9e384ea6327c815bbd8e1a8fad443ac4f28884cb033
diff --git a/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml b/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml
new file mode 100644
index 000000000..4f06c5315
--- /dev/null
+++ b/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml
@@ -0,0 +1,60 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-proc-self-mounting-cve-2024-21626
+ annotations:
+ policies.kyverno.io/title: Block /proc/self/fd Image Layers CVE-2024-21626
+ policies.kyverno.io/category: Security
+ policies.kyverno.io/severity: high
+ kyverno.io/kyverno-version: 1.11.0
+ kyverno.io/kubernetes-version: 1.27
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ This policy blocks the use of container images that have /proc/self/fd/ in their layers to mitigate the risk associated with CVE-2024-21626.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+spec:
+ validationFailureAction: Audit
+ rules:
+ - name: no-proc-self-images
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Pod {{ request.object.metadata.namespace }}/{{ request.object.metadata.name }} with images having /proc/self/fd/ in their layers are not allowed CVE-2024-21626."
+ foreach:
+ - list: "request.object.spec.containers"
+ context:
+ - name: imageData
+ imageRegistry:
+ reference: "{{ element.image }}"
+ deny:
+ conditions:
+ any:
+ - key: "{{ imageData.configData.history[].created_by | contains(@, '/proc/self/fd/') }}"
+ operator: Equals
+ value: true
+ - list: "request.object.spec.initContainers"
+ context:
+ - name: imageData
+ imageRegistry:
+ reference: "{{ element.image }}"
+ deny:
+ conditions:
+ any:
+ - key: "{{ imageData.configData.history[].created_by | contains(@, '/proc/self/fd/') }}"
+ operator: Equals
+ value: true
+ - list: "request.object.spec.ephemeralContainers"
+ context:
+ - name: imageData
+ imageRegistry:
+ reference: "{{ element.image }}"
+ deny:
+ conditions:
+ any:
+ - key: "{{ imageData.configData.history[].created_by | contains(@, '/proc/self/fd/') }}"
+ operator: Equals
+ value: true
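Review bot: Each `key: "{{ imageData.configData.history[].created_by | contains(@, '/proc/self/fd/') }}"` applies JMESPath `contains` to an array, which tests element equality, so it fires only when a history entry's `created_by` is exactly the string `/proc/self/fd/`; if `created_by` holds the full build instruction, as image config history normally does, the condition never triggers and the policy audits nothing. A substring test over the entries, for example `contains(to_string(imageData.configData.history[].created_by), '/proc/self/fd/')`, matches what the description promises. The three `foreach` entries differ only in the list name; one entry with `list: "request.object.spec.[containers, initContainers, ephemeralContainers][]"` would remove the duplicated `context` and `deny` blocks and keep the three checks in step. No `background` key is set, so the default applies and the `imageRegistry` lookup presumably also runs against existing pods; state that intent explicitly, and confirm with a `.kyverno-test` fixture (none is visible for this policy in the part of the commit shown) what `foreach` does when `initContainers` or `ephemeralContainers` is absent from the pod.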
diff --git a/other/check-container-run-time-cve-2024-21626/.kyverno-test/bad-node.yaml b/other/check-container-run-time-cve-2024-21626/.kyverno-test/bad-node.yaml
new file mode 100644
index 000000000..e67bfcf5e
--- /dev/null
+++ b/other/check-container-run-time-cve-2024-21626/.kyverno-test/bad-node.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Node
+metadata:
+ name: bad-node
+status:
+ nodeInfo:
+ containerRuntimeVersion: containerd://1.6.27
diff --git a/other/check-container-run-time-cve-2024-21626/.kyverno-test/good-node.yaml b/other/check-container-run-time-cve-2024-21626/.kyverno-test/good-node.yaml
new file mode 100644
index 000000000..226c09d19
--- /dev/null
+++ b/other/check-container-run-time-cve-2024-21626/.kyverno-test/good-node.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Node
+metadata:
+ name: good-node
+status:
+ nodeInfo:
+ containerRuntimeVersion: containerd://1.6.28
diff --git a/other/check-container-run-time-cve-2024-21626/artifacthub-pkg.yml b/other/check-container-run-time-cve-2024-21626/artifacthub-pkg.yml
new file mode 100644
index 000000000..7f04306e8
--- /dev/null
+++ b/other/check-container-run-time-cve-2024-21626/artifacthub-pkg.yml
@@ -0,0 +1,19 @@
+name: check-container-run-time-cve-2024-21626
+version: 1.0.0
+displayName: Check Container Runtime for CVE-2024-21626
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+ This policy checks for outdated container runtime versions that are vulnerable to CVE-2024-21626 and CVE-2024-23651.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml
+ ```
+keywords:
+ - kyverno
+ - Security
+readme: |
+ This policy checks for outdated container runtime versions that are vulnerable to CVE-2024-21626 and CVE-2024-23651.
+annotations:
+ kyverno/category: "Security"
+ kyverno/subject: "Node"
+digest: 1ed452b28eca0407c08e187085aefeaf653a8d6b14897c37c25a50b456d761bc
diff --git a/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml b/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml
new file mode 100644
index 000000000..aa274f3ff
--- /dev/null
+++ b/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml
@@ -0,0 +1,45 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-container-run-time-cve-2024-21626
+ annotations:
+ policies.kyverno.io/title: Check Container Runtime for CVE-2024-21626
+ policies.kyverno.io/category: Security
+ policies.kyverno.io/severity: high
+ kyverno.io/kyverno-version: 1.11.0
+ kyverno.io/kubernetes-version: 1.27
+ policies.kyverno.io/subject: Node
+ policies.kyverno.io/description: >-
+ This policy checks for outdated container runtime versions that are vulnerable to CVE-2024-21626 and CVE-2024-23651.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: container-run-time-version-outdated
+ match:
+ any:
+ - resources:
+ kinds:
+ - Node
+ context:
+ - name: cr_version
+ variable:
+ jmesPath: split(request.object.status.nodeInfo.containerRuntimeVersion, '://')[1]
+ - name: cr_runtime
+ variable:
+ jmesPath: split(request.object.status.nodeInfo.containerRuntimeVersion, '://')[0]
+ validate:
+ message: "Your container runtime is vulnerable to CVE-2024-21626 & CVE-2024-23651: {{cr_runtime}}:{{cr_version}}"
+ deny:
+ conditions:
+ any:
+ - key: |-
+ {{ cr_runtime == 'containerd' && semver_compare(cr_version, '<= 1.6.27') || false }}
+ operator: Equals
+ value: true
+ - key: |-
+ {{ cr_runtime == 'runc' && semver_compare(cr_version, '<= 1.1.11') || false }}
+ operator: Equals
+ value: true
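Review bot: The deny conditions flag only `containerd` at `semver_compare(cr_version, '<= 1.6.27')` and `runc` at `semver_compare(cr_version, '<= 1.1.11')`, but `status.nodeInfo.containerRuntimeVersion` reports the CRI implementation (the fixtures show `containerd://`; other nodes presumably report `cri-o://` or `docker://`), not runc itself, so the `runc` branch cannot match in practice and nodes on cri-o or Docker are never evaluated although they bundle the affected runc. The containerd range also stops at the 1.6 line: a 1.7 release that predates the fixed 1.7 version compares greater than `1.6.27` and is reported as safe, so a second range such as `semver_compare(cr_version, '>=1.7.0 <FIXED_1_7_VERSION')` (placeholder; take the boundary from the containerd advisory) is needed, and the `.kyverno-test` fixtures should include such a node. The message names CVE-2024-23651 as well; as far as I know that identifier concerns BuildKit rather than the node's runtime, so a runtime version check cannot speak to it and the message overstates what was verified. If `containerRuntimeVersion` has no `://`, `split(...)[1]` yields null and `semver_compare` receives it; the `|| false` does not guard that case, so a precondition that the value contains `://` would make the rule fail closed in a known way. `kyverno.io/kubernetes-version: 1.27` is an unquoted number and should be `"1.27"`.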
diff --git a/other/disallow-proc-self-fd-workingdir-cve-2024-21626/artifacthub-pkg.yml b/other/disallow-proc-self-fd-workingdir-cve-2024-21626/artifacthub-pkg.yml
new file mode 100644
index 000000000..62b0758f4
--- /dev/null
+++ b/other/disallow-proc-self-fd-workingdir-cve-2024-21626/artifacthub-pkg.yml
@@ -0,0 +1,19 @@
+name: disallow-proc-self-fd-workingdir
+version: 1.0.0
+displayName: Disallow mounting /proc/self in working directory
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+ This policy prevents mounting /proc/self/fd in the working directory of containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/disallow-localhost-services/disallow-localhost-services.yaml
+ ```
+keywords:
+ - kyverno
+ - Security
+readme: |
+ This policy prevents mounting /proc/self/fd in the working directory of containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626.
+annotations:
+ kyverno/category: "Security"
+ kyverno/subject: "Pod"
+digest: a56ce2540998ca8dea0af5aacf54657f50e8858984c946bb1e0d77e51508d395
diff --git a/other/disallow-proc-self-fd-workingdir-cve-2024-21626/disallow-proc-self-fd-workingdir-cve-2024-21626.yaml b/other/disallow-proc-self-fd-workingdir-cve-2024-21626/disallow-proc-self-fd-workingdir-cve-2024-21626.yaml
new file mode 100644
index 000000000..4bd7a87f5
--- /dev/null
+++ b/other/disallow-proc-self-fd-workingdir-cve-2024-21626/disallow-proc-self-fd-workingdir-cve-2024-21626.yaml
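Review bot: The install command `kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/disallow-localhost-services/disallow-localhost-services.yaml` installs an unrelated policy; it should be `kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/disallow-proc-self-fd-workingdir-cve-2024-21626/disallow-proc-self-fd-workingdir-cve-2024-21626.yaml`, the file this commit adds. `name: disallow-proc-self-fd-workingdir` drops the `-cve-2024-21626` suffix that the directory and file carry, unlike the other three packages in the commit whose `name` equals their directory name. `displayName: Disallow mounting /proc/self in working directory` also differs from the policy's own `policies.kyverno.io/title: Disallow /proc/self/fd Mounting`; both should use one wording, and since the rule checks `workingDir` rather than a mount, "working directory" is the more accurate of the two.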
@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-proc-self-fd-workingdir
+ annotations:
+ policies.kyverno.io/title: Disallow /proc/self/fd Mounting
+ policies.kyverno.io/category: Security
+ policies.kyverno.io/severity: high
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kyverno-version: 1.6.0
+ kyverno.io/kubernetes-version: 1.22-1.23
+ policies.kyverno.io/description: >-
+ This policy prevents mounting /proc/self/fd in the working directory of containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: no-proc-self-fd-images
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Mounting /proc/self/fd is not allowed CVE-2024-21626."
+ pattern:
+ spec:
+ containers:
+ - =(workingDir): "!/proc/self/fd*"
+ =(initContainers):
+ - =(workingDir): "!/proc/self/fd*"
+ =(ephemeralContainers):
+ - =(workingDir): "!/proc/self/fd*"
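Review bot: The rule name `no-proc-self-fd-images` describes an image check, but the pattern validates `workingDir`; `name: no-proc-self-fd-workingdir` would say what the rule does and keeps the audit report readable next to the image-layer policy in this commit. The version annotations `policies.kyverno.io/minversion: 1.6.0`, `kyverno.io/kyverno-version: 1.6.0` and `kyverno.io/kubernetes-version: 1.22-1.23` are out of step with the `1.11.0`/`1.27` values used by the three sibling policies and look copied from an older template; confirm which versions the pattern was actually tested on and record those. `message: "Mounting /proc/self/fd is not allowed CVE-2024-21626."` says mounting while `=(workingDir): "!/proc/self/fd*"` rejects a working directory, so a message such as `workingDir may not point into /proc/self/fd (CVE-2024-21626).` describes the real check. The `metadata.name` here is `disallow-proc-self-fd-workingdir` while the directory and file name carry the `-cve-2024-21626` suffix, unlike the other policies in the commit; no `.kyverno-test` fixture for this pattern is visible in the part of the commit shown, and one with a pod whose `workingDir` starts with `/proc/self/fd` would pin the wildcard behaviour.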