From 4a892f6139d9eed59b32bb032234a83cd549db11 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Thu, 21 Mar 2024 14:21:27 +0000
Subject: [PATCH] convert check-node-for-cve-2022-0185

Signed-off-by: Chandan-DK
---
 .../artifacthub-pkg.yml | 15 ++++++-----
 .../check-node-for-cve-2022-0185.yaml | 27 ++++++++-----------
 2 files changed, 19 insertions(+), 23 deletions(-)

diff --git a/other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml b/other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml
index 7d4297f14..e52a59abf 100644
--- a/other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml
+++ b/other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml
@@ -1,22 +1,23 @@
-name: check-node-for-cve-2022-0185
+name: check-node-for-cve-2022-0185-cel
 version: 1.0.0
-displayName: Check Node for CVE-2022-0185
-createdAt: "2023-04-10T20:30:03.000Z"
+displayName: Check Node for CVE-2022-0185 in CEL expressions
 description: >-
   Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched. The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2. For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185. This policy runs in background mode and flags an entry in the ClusterPolicyReport if any Node is reporting one of the affected kernel versions.
 install: |-
   ```shell
-  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
   ```
 keywords:
   - kyverno
   - Other
+  - CEL Expressions
 readme: |
   Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched. The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2. For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185. This policy runs in background mode and flags an entry in the ClusterPolicyReport if any Node is reporting one of the affected kernel versions.
 
   Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
 annotations:
-  kyverno/category: "Other"
-  kyverno/kubernetesVersion: "1.23"
+  kyverno/category: "Other in CEL"
+  kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Node"
-digest: ff64c6f2754226a75b84e88862af65ecc49ebad50cabd601687fd5770003f36a
+digest: b422e9817a282dd268c90c7cb2f74a9e9760e8f8a654645bed1a9976581b8318
+createdAt: "2024-03-21T14:21:00Z"
diff --git a/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml b/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
index a0a287a5e..fd0fb0727 100644
--- a/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
+++ b/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
@@ -3,12 +3,12 @@ kind: ClusterPolicy
 metadata:
   name: check-kernel
   annotations:
-    policies.kyverno.io/title: Check Node for CVE-2022-0185
-    policies.kyverno.io/category: Other
+    policies.kyverno.io/title: Check Node for CVE-2022-0185 in CEL expressions
+    policies.kyverno.io/category: Other in CEL
     policies.kyverno.io/severity: high
-    kyverno.io/kyverno-version: 1.6.0
-    policies.kyverno.io/minversion: 1.6.0
-    kyverno.io/kubernetes-version: "1.23"
+    kyverno.io/kyverno-version: 1.11.0
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
     policies.kyverno.io/subject: Node
     policies.kyverno.io/description: >-
       Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched.
@@ -17,7 +17,7 @@ metadata:
       This policy runs in background mode and flags an entry in the ClusterPolicyReport
       if any Node is reporting one of the affected kernel versions.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: kernel-validate
@@ -27,13 +27,8 @@ spec:
       kinds:
       - Node
     validate:
-      message: "Kernel is vulnerable to CVE-2022-0185."
-      deny:
-        conditions:
-          any:
-          - key: "{{request.object.status.nodeInfo.kernelVersion}}"
-            operator: Equals
-            value: "5.10.84-1"
-          - key: "{{request.object.status.nodeInfo.kernelVersion}}"
-            operator: Equals
-            value: "5.15.5-2"
\ No newline at end of file
+      cel:
+        expressions:
+        - expression: "!(object.status.nodeInfo.kernelVersion in ['5.10.84-1', '5.15.5-2'])"
+          message: "Kernel is vulnerable to CVE-2022-0185."
+
\ No newline at end of file
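Review bot: The CEL expression in the last hunk compares `object.status.nodeInfo.kernelVersion` for exact equality against the two strings `5.10.84-1` and `5.15.5-2`, which are Debian kernel package versions, whereas kubelet fills kernelVersion from the running kernel's release string (the `uname -r` value), which on Debian normally has a different shape (a constructed example would be `5.10.0-10-amd64`), so I suspect the rule never fires on an affected node; this was already true of the deny conditions it replaces, so the conversion is faithful, but it is worth verifying the match against a real Node object before the audit report is relied on, and documenting in the description which string format the two values are meant to match. Separately, the final added line is whitespace-only and carries `\ No newline at end of file`; drop it so the file ends with the `message:` line followed by a newline. The rule's `match` block and the start of the policy lie outside this hunk.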