diff --git a/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/.kyverno-test/bad-csidriver.yaml b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/.kyverno-test/bad-csidriver.yaml
new file mode 100644
index 000000000..ca39fbdc4
--- /dev/null
+++ b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/.kyverno-test/bad-csidriver.yaml
@@ -0,0 +1,10 @@
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+ name: secrets-store.csi.k8s.io
+spec:
+ attachRequired: false
+ podInfoOnMount: false
+ tokenRequests:
+ - audience: "vault"
+ expirationSeconds: 3600
diff --git a/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/.kyverno-test/good-csidriver.yaml b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/.kyverno-test/good-csidriver.yaml
new file mode 100644
index 000000000..63e6efb67
--- /dev/null
+++ b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/.kyverno-test/good-csidriver.yaml
@@ -0,0 +1,7 @@
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+ name: secrets-store.csi.k8s.io
+spec:
+ attachRequired: false
+ podInfoOnMount: false
diff --git a/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/artifacthub-pkg.yml b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/artifacthub-pkg.yml
new file mode 100644
index 000000000..9f7e6a49b
--- /dev/null
+++ b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/artifacthub-pkg.yml
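Review bot: These bad/good fixtures (and bad-daemonset, bad-deployment, good-daemonset, good-deployment under restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/) are not referenced by any kyverno-test.yaml in this diff, so nothing runs them; unless that file lands in another commit, add one per directory naming the policy, the resource files and the expected pass/fail result for each. Without it the two policies' pattern semantics (the `X(tokenRequests): "null"` negation anchor here, the `|` alternation against a list-valued `args` in the other policy) stay unverified. The fixture itself looks right for its purpose: a `tokenRequests` entry with `audience` and `expirationSeconds` is the configuration the CSIDriver policy is meant to flag.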
@@ -0,0 +1,20 @@
+name: restrict-secrets-store-csi-driver-loglevel
+version: 2.0.0
+displayName: Prevent CVE-2023-2878
+createdAt: "2024-05-10T20:30:06.000Z"
+description: >-
+ Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store. The policy checks if you are using the store and warns you could be vulnerable.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml
+ ```
+keywords:
+ - kyverno
+ - Other
+readme: |
+ Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store. The policy checks if you are using the store and warns you could be vulnerable.
+annotations:
+ kyverno/category: "Other"
+ kyverno/kubernetesVersion: "1.29"
+ kyverno/subject: "Deployment"
+digest: 80c2bc5cbe9081ae7ca6598f8ef435467bb487818df49a6b4c95e35f442be0e2
diff --git a/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml
new file mode 100644
index 000000000..8c9bcb0e5
--- /dev/null
+++ b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml
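Review bot: The package metadata here is crossed with the other policy: this file sits under check-if-using-csi-secrets-store-driver-cve-2023-2878/ yet declares `name: restrict-secrets-store-csi-driver-loglevel` and an install URL for restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml, while the artifacthub-pkg.yml under restrict-…/ later in this diff carries the check-if-using name and URL, so the two bodies appear swapped. Both files also carry the identical `digest` value, which cannot be correct for two different policy documents; regenerate each digest once the contents are fixed. Within this file, `kyverno/subject: "Deployment"` does not match the policy's own `policies.kyverno.io/subject: CSIDriver`; change it to `kyverno/subject: "CSIDriver"`, and unless `kyverno/category: "Other"` is meant to mirror the other/ directory it should likewise follow the policy's `Security`. The same subject check applies to the restrict-… package, whose policy declares `Deployment, DaemonSet`.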
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-if-using-csi-secrets-store-driver
+ annotations:
+ policies.kyverno.io/title: Prevent CVE-2023-2878
+ policies.kyverno.io/category: Security
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: CSIDriver
+ kyverno.io/kyverno-version: 1.11.0
+ kyverno.io/kubernetes-version: 1.27
+ policies.kyverno.io/description: >-
+ Prevent CVE-2023-2878 which can leak security tokens when using the CSIDriver secrets store. The policy checks if you are using the store and warns you could be vulnerable.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+spec:
+ validationFailureAction: Audit
+ rules:
+ - name: check-if-using-csi-secrets-store-driver
+ match:
+ any:
+ - resources:
+ kinds:
+ - CSIDriver
+ validate:
+ message: "Prevent CVE-2023-2878 which can leak security tokens when using the CSIDriver secrets store."
+ pattern:
+ metadata:
+ name: "secrets-store.csi.k8s.io"
+ spec:
+ X(tokenRequests): "null"
diff --git a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/bad-daemonset.yaml b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/bad-daemonset.yaml
new file mode 100644
index 000000000..e99399ad7
--- /dev/null
+++ b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/bad-daemonset.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: bad-daemonset
+ namespace: default
+spec:
+ selector:
+ matchLabels:
+ app: secrets-store
+ template:
+ metadata:
+ labels:
+ app: secrets-store
+ spec:
+ containers:
+ - name: secrets-store
+ image: secrets-store-csi-driver:latest
+ args: ["-v=3"]
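Review bot: The driver name is enforced inside `pattern` (`metadata: name: "secrets-store.csi.k8s.io"`) instead of in `match`, so every CSIDriver with any other name fails the pattern and is reported under Audit with a message about the secrets-store driver. Select the object in the match block, `- resources: kinds: [CSIDriver] names: [secrets-store.csi.k8s.io]`, and keep only `spec: X(tokenRequests): "null"` in the pattern. `kyverno.io/kubernetes-version: 1.27` is an unquoted YAML float inside metadata.annotations, whose values must be strings, so the manifest is typically rejected when decoded on apply; quote it as `kyverno.io/kubernetes-version: "1.27"` (the same line appears in restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml). It would also help operators if the message or description stated that the token exposure in CVE-2023-2878 requires both a tokenRequests entry and driver verbosity of 2 or more, which is why this policy is paired with the log-level policy in this commit.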
diff --git a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/bad-deployment.yaml b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/bad-deployment.yaml
new file mode 100644
index 000000000..0225e57d7
--- /dev/null
+++ b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/bad-deployment.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bad-deployment
+ namespace: default
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: secrets-store
+ template:
+ metadata:
+ labels:
+ app: secrets-store
+ spec:
+ containers:
+ - name: secrets-store
+ image: secrets-store-csi-driver:latest
+ args: ["-v=2"]
diff --git a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/good-daemonset.yaml b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/good-daemonset.yaml
new file mode 100644
index 000000000..8f5249074
--- /dev/null
+++ b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/good-daemonset.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: good-daemonset
+ namespace: default
+spec:
+ selector:
+ matchLabels:
+ app: secrets-store
+ template:
+ metadata:
+ labels:
+ app: secrets-store
+ spec:
+ containers:
+ - name: secrets-store
+ image: secrets-store-csi-driver:latest
+ args: ["-v=0"]
diff --git a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/good-deployment.yaml b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/good-deployment.yaml
new file mode 100644
index 000000000..57a57bf93
--- /dev/null
+++ b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/good-deployment.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: good-deployment
+ namespace: default
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: secrets-store
+ template:
+ metadata:
+ labels:
+ app: secrets-store
+ spec:
+ containers:
+ - name: secrets-store
+ image: secrets-store-csi-driver:latest
+ args: ["-v=1"]
diff --git a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/artifacthub-pkg.yml b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/artifacthub-pkg.yml
new file mode 100644
index 000000000..90ec3b0a1
--- /dev/null
+++ b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/artifacthub-pkg.yml
@@ -0,0 +1,20 @@
+name: check-if-using-csi-secrets-store-driver
+version: 2.0.0
+displayName: Prevent CVE-2023-2878
+createdAt: "2024-05-10T20:30:06.000Z"
+description: >-
+ Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store. The policy checks if you are using the store and warns you could be vulnerable.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml
+ ```
+keywords:
+ - kyverno
+ - Other
+readme: |
+ Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store. The policy checks if you are using the store and warns you could be vulnerable.
+annotations:
+ kyverno/category: "Other"
+ kyverno/kubernetesVersion: "1.29"
+ kyverno/subject: "Deployment"
+digest: 80c2bc5cbe9081ae7ca6598f8ef435467bb487818df49a6b4c95e35f442be0e2
diff --git a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml
new file mode 100644
index 000000000..b2432f8b7
--- /dev/null
+++ b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-secrets-store-csi-driver-loglevel
+ annotations:
+ policies.kyverno.io/title: Prevent CVE-2023-2878
+ policies.kyverno.io/category: Security
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Deployment, DaemonSet
+ kyverno.io/kyverno-version: 1.11.0
+ kyverno.io/kubernetes-version: 1.27
+ policies.kyverno.io/description: >-
+ Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store. The policy checks if you are using the store and warns you could be vulnerable.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+spec:
+ validationFailureAction: Audit
+ rules:
+ - name: limit-secrets-store-csi-driver-loglevel
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ - DaemonSet
+ validate:
+ message: "secrets-store-csi-driver must use log level 1 or below, CVE-2023-2878."
+ pattern:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: "secrets-store"
+ args: "-v=0 | -v=1"
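Review bot: The container entry in `pattern` is a plain `- name: "secrets-store"`, and as far as I can tell Kyverno applies a single-element pattern array to every element of the resource list, so every Deployment and DaemonSet in the cluster whose containers are not all named secrets-store with matching `args` is reported as failing this rule in Audit mode. Make the name a conditional anchor, `- (name): "secrets-store"`, so the `args` check applies only to that container and other workloads are skipped. A missing `args` key also fails a plain pattern, so a driver pod relying on the default verbosity would be reported; if that is intended, say so in the message, otherwise use an equality anchor (`=(args): "-v=0 | -v=1"`) so the check runs only when args is set, or a `deny` rule with a JMESPath condition on the flag value. I could not confirm from this diff that a `"-v=0 | -v=1"` scalar pattern is compared element-wise against a list-valued `args` (and spellings such as `--v=1` or `-v 1` would not match in any case); a kyverno-test.yaml covering the good-* fixtures would settle that, and none is included here.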