Prevent CVE-2024-21626

other/block-proc-self-cve-2024-21626/artifacthub-pkg.yml

@@ -0,0 +1,19 @@
+name: block-proc-self-cve-2024-21626
+version: 1.0.0
+displayName: Block /proc/self Usage CVE-2024-21626
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+  This policy blocks the use of /proc/self/cwd in containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/security/block-proc-self-cve-2024-21626.yaml
+  ```
+keywords:
+  - kyverno
+  - Security
+readme: |
+  This policy blocks the use of /proc/self/cwd in containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626.
+annotations:
+  kyverno/category: "Security"
+  kyverno/subject: "Pod"
+digest: cddd7183145097fdbcae9d24bcada421a353ab4a64479b191112c1d03c73a249

other/block-proc-self-cve-2024-21626/block-proc-self-cve-2024-21626.yaml

@@ -0,0 +1,42 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-proc-self-cve-2024-21626
+  annotations:
+    policies.kyverno.io/title: Block /proc/self Usage CVE-2024-21626
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/severity: high
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: 1.26
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      This policy blocks the use of /proc/self/cwd in containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626.
+
+      Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+spec:
+  validationFailureAction: Audit
+  background: false
+  rules:
+  - name: container-exec-block-proc-self
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod/exec
+    validate:
+      message: "Pod {{ request.object.metadata.namespace }}/{{ request.object.metadata.name }} cannot use /proc/self/cwd, CVE-2024-21626"
+      deny:
+        conditions:
+          any:
+          - key: "{{ request.object.spec.containers[].args[] | contains(@, '/proc/self/cwd') }}"
+            operator: Equals
+            value: true
+          - key: "{{ request.object.spec.initContainers[].args[] | contains(@, '/proc/self/cwd') }}"
+            operator: Equals
+            value: true
+          - key: "{{ request.object.spec.ephemeralContainers[].args[] | contains(@, '/proc/self/cwd') }}"
+            operator: Equals
+            value: true
+          - key: "{{ request.object.command | contains(@, '/proc/self/cwd') }}"
+            operator: Equals
+            value: true

other/block-proc-self-mounting-cve-2024-21626/artifacthub-pkg.yml

@@ -0,0 +1,19 @@
+name: block-proc-self-mounting-cve-2024-21626
+version: 1.0.0
+displayName: Block /proc/self/fd Image Layers CVE-2024-21626
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+  This policy blocks the use of container images that have /proc/self/fd/ in their layers to mitigate the risk associated with CVE-2024-21626.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml
+  ```
+keywords:
+  - kyverno
+  - Security
+readme: |
+  This policy blocks the use of container images that have /proc/self/fd/ in their layers to mitigate the risk associated with CVE-2024-21626.
+annotations:
+  kyverno/category: "Security"
+  kyverno/subject: "Pod"
+digest: 318dc86c41623c157282c9e384ea6327c815bbd8e1a8fad443ac4f28884cb033

other/block-proc-self-mounting-cve-2024-21626/block-proc-self-mounting-cve-2024-21626.yaml

@@ -0,0 +1,60 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-proc-self-mounting-cve-2024-21626
+  annotations:
+    policies.kyverno.io/title: Block /proc/self/fd Image Layers CVE-2024-21626
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/severity: high
+    kyverno.io/kyverno-version: 1.11.0
+    kyverno.io/kubernetes-version: 1.27
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      This policy blocks the use of container images that have /proc/self/fd/ in their layers to mitigate the risk associated with CVE-2024-21626.
+
+      Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+spec:
+  validationFailureAction: Audit
+  rules:
+  - name: no-proc-self-images
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: "Pod {{ request.object.metadata.namespace }}/{{ request.object.metadata.name }} with images having /proc/self/fd/ in their layers are not allowed CVE-2024-21626."
+      foreach:
+      - list: "request.object.spec.containers"
+        context:
+        - name: imageData
+          imageRegistry:
+            reference: "{{ element.image }}"
+        deny:
+          conditions:
+            any:
+              - key: "{{ imageData.configData.history[].created_by | contains(@, '/proc/self/fd/') }}"
+                operator: Equals
+                value: true
+      - list: "request.object.spec.initContainers"
+        context:
+        - name: imageData
+          imageRegistry:
+            reference: "{{ element.image }}"
+        deny:
+          conditions:
+            any:
+              - key: "{{ imageData.configData.history[].created_by | contains(@, '/proc/self/fd/') }}"
+                operator: Equals
+                value: true
+      - list: "request.object.spec.ephemeralContainers"
+        context:
+        - name: imageData
+          imageRegistry:
+            reference: "{{ element.image }}"
+        deny:
+          conditions:
+            any:
+              - key: "{{ imageData.configData.history[].created_by | contains(@, '/proc/self/fd/') }}"
+                operator: Equals
+                value: true

other/check-container-run-time-cve-2024-21626/.kyverno-test/bad-node.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Node
+metadata:
+  name: bad-node
+status:
+  nodeInfo:
+    containerRuntimeVersion: containerd://1.6.27

other/check-container-run-time-cve-2024-21626/.kyverno-test/good-node.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Node
+metadata:
+  name: good-node
+status:
+  nodeInfo:
+    containerRuntimeVersion: containerd://1.6.28

other/check-container-run-time-cve-2024-21626/artifacthub-pkg.yml

@@ -0,0 +1,19 @@
+name: check-container-run-time-cve-2024-21626
+version: 1.0.0
+displayName: Check Container Runtime for CVE-2024-21626
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+  This policy checks for outdated container runtime versions that are vulnerable to CVE-2024-21626 and CVE-2024-23651.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml
+  ```
+keywords:
+  - kyverno
+  - Security
+readme: |
+  This policy checks for outdated container runtime versions that are vulnerable to CVE-2024-21626 and CVE-2024-23651.
+annotations:
+  kyverno/category: "Security"
+  kyverno/subject: "Node"
+digest: 1ed452b28eca0407c08e187085aefeaf653a8d6b14897c37c25a50b456d761bc

other/check-container-run-time-cve-2024-21626/check-container-run-time-cve-2024-21626.yaml

@@ -0,0 +1,45 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-container-run-time-cve-2024-21626
+  annotations:
+    policies.kyverno.io/title: Check Container Runtime for CVE-2024-21626
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/severity: high
+    kyverno.io/kyverno-version: 1.11.0
+    kyverno.io/kubernetes-version: 1.27
+    policies.kyverno.io/subject: Node
+    policies.kyverno.io/description: >-
+      This policy checks for outdated container runtime versions that are vulnerable to CVE-2024-21626 and CVE-2024-23651.
+
+      Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: container-run-time-version-outdated
+    match:
+      any:
+      - resources:
+          kinds:
+          - Node
+    context:
+    - name: cr_version
+      variable:
+        jmesPath: split(request.object.status.nodeInfo.containerRuntimeVersion, '://')[1]
+    - name: cr_runtime
+      variable:
+        jmesPath: split(request.object.status.nodeInfo.containerRuntimeVersion, '://')[0]
+    validate:
+      message: "Your container runtime is vulnerable to CVE-2024-21626 & CVE-2024-23651: {{cr_runtime}}:{{cr_version}}"
+      deny:
+        conditions:
+          any:
+          - key: |-
+              {{ cr_runtime == 'containerd' && semver_compare(cr_version, '<= 1.6.27') || false }}
+            operator: Equals
+            value: true
+          - key: |-
+              {{ cr_runtime == 'runc' && semver_compare(cr_version, '<= 1.1.11') || false }}
+            operator: Equals
+            value: true

other/disallow-proc-self-fd-workingdir-cve-2024-21626/artifacthub-pkg.yml

@@ -0,0 +1,19 @@
+name: disallow-proc-self-fd-workingdir
+version: 1.0.0
+displayName: Disallow mounting /proc/self in working directory
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+  This policy prevents mounting /proc/self/fd in the working directory of containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/disallow-localhost-services/disallow-localhost-services.yaml
+  ```
+keywords:
+  - kyverno
+  - Security
+readme: |
+  This policy prevents mounting /proc/self/fd in the working directory of containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626.
+annotations:
+  kyverno/category: "Security"
+  kyverno/subject: "Pod"
+digest: a56ce2540998ca8dea0af5aacf54657f50e8858984c946bb1e0d77e51508d395

other/disallow-proc-self-fd-workingdir-cve-2024-21626/disallow-proc-self-fd-workingdir-cve-2024-21626.yaml

@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-proc-self-fd-workingdir
+  annotations:
+    policies.kyverno.io/title: Disallow /proc/self/fd Mounting
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/severity: high
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kyverno-version: 1.6.0
+    kyverno.io/kubernetes-version: 1.22-1.23
+    policies.kyverno.io/description: >-
+      This policy prevents mounting /proc/self/fd in the working directory of containers, initContainers, and ephemeralContainers to mitigate the risk associated with CVE-2024-21626.
+
+      Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: no-proc-self-fd-images
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      validate:
+        message: "Mounting /proc/self/fd is not allowed CVE-2024-21626."
+        pattern:
+          spec:
+            containers:
+              - =(workingDir): "!/proc/self/fd*"
+            =(initContainers):
+              - =(workingDir): "!/proc/self/fd*"
+            =(ephemeralContainers):
+              - =(workingDir): "!/proc/self/fd*"