
Prevent CVE-2023-2878 #1008

Draft
wants to merge 17 commits into
base: main

Conversation

kurktchiev

Description

Prevent CVE-2023-2878

Checklist

  • I have read the policy contribution guidelines.
  • [] I have added test manifests and resources covering both positive and negative tests that prove this policy works as intended.
  • I have added the artifacthub-pkg.yml file and have verified it is complete and correct.

Signed-off-by: Boris 'B' Kurktchiev <[email protected]>
@kurktchiev kurktchiev changed the title Prevent CVE-2023-2878 Prevent CVE-2023-2878 part1 May 14, 2024
@kurktchiev kurktchiev changed the title Prevent CVE-2023-2878 part1 Prevent CVE-2023-2878 May 14, 2024
kurktchiev and others added 5 commits May 14, 2024 19:02
@kurktchiev
Author

Note that the tests for the CSI secret store are superfluous; unless you actually install a proper CSI driver, the test is kinda meaningless.

match:
resources:
kinds:
- csidriver
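
Review bot: the `kinds` entry `- csidriver` is all lowercase, but kind names in a match block are case sensitive and singular. The kind served by `storage.k8s.io` for this resource is `CSIDriver`, so as written this rule may never match in a real cluster. Change the entry to `CSIDriver` and confirm the match against a live API server.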
Contributor


Pretty sure this kind isn't correct. They are case sensitive.

Author


`k get csidrivers.storage.k8s.io` I am missing the s though

Contributor


A kubectl get operates differently from matching kinds. Singular vs. plural also matters. Have you actually tested this yourself with this resource?

Author


I have tested in the playground, where it does pass?

Contributor


You need to test this in a real cluster. Playground doesn't behave the same way when it comes to kind matching.

kurktchiev and others added 7 commits July 29, 2024 16:22
…eck-if-using-csi-secrets-store-driver-cve-2023-2878.yaml

Co-authored-by: Chip Zoller <[email protected]>
Signed-off-by: Boris 'B' Kurktchiev <[email protected]>
…restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml

Co-authored-by: Chip Zoller <[email protected]>
Signed-off-by: Boris 'B' Kurktchiev <[email protected]>
Signed-off-by: Boris 'B' Kurktchiev <[email protected]>
Signed-off-by: Boris 'B' Kurktchiev <[email protected]>
Signed-off-by: Boris 'B' Kurktchiev <[email protected]>
Signed-off-by: Boris 'B' Kurktchiev <[email protected]>
@kurktchiev kurktchiev marked this pull request as ready for review July 30, 2024 11:54
Signed-off-by: Boris 'B' Kurktchiev <[email protected]>
Contributor

@chipzoller chipzoller left a comment


Don't see any test cases for these two policies, just some test resources.

@kurktchiev kurktchiev marked this pull request as draft August 6, 2024 20:42
2 participants