Prevent CVE-2023-2878

other/check-if-using-csi-secrets-store-driver-cve-2023-2878/.kyverno-test/bad-csidriver.yaml

@@ -0,0 +1,10 @@
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+  name: secrets-store.csi.k8s.io
+spec:
+  attachRequired: false
+  podInfoOnMount: false
+  tokenRequests:
+    - audience: "vault"
+      expirationSeconds: 3600

other/check-if-using-csi-secrets-store-driver-cve-2023-2878/.kyverno-test/good-csidriver.yaml

@@ -0,0 +1,7 @@
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+  name: secrets-store.csi.k8s.io
+spec:
+  attachRequired: false
+  podInfoOnMount: false

other/check-if-using-csi-secrets-store-driver-cve-2023-2878/artifacthub-pkg.yml

@@ -0,0 +1,20 @@
+name: restrict-secrets-store-csi-driver-loglevel
+version: 2.0.0
+displayName: Prevent CVE-2023-2878
+createdAt: "2024-05-10T20:30:06.000Z"
+description: >-
+  Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store. The policy checks if you are using the store and warns you could be vulnerable.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml
+  ```
+keywords:
+  - kyverno
+  - Other
+readme: |
+  Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store. The policy checks if you are using the store and warns you could be vulnerable.
+annotations:
+  kyverno/category: "Other"
+  kyverno/kubernetesVersion: "1.29"
+  kyverno/subject: "Deployment"
+digest: 80c2bc5cbe9081ae7ca6598f8ef435467bb487818df49a6b4c95e35f442be0e2

other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml

@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-if-using-csi-secrets-store-driver
+  annotations:
+    policies.kyverno.io/title: Prevent CVE-2023-2878
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: CSIDriver
+    kyverno.io/kyverno-version: 1.11.0
+    kyverno.io/kubernetes-version: 1.27
+    policies.kyverno.io/description: >-
+      Prevent CVE-2023-2878 which can leak security tokens when using the CSIDriver secrets store. The policy checks if you are using the store and warns you could be vulnerable.
+
+      Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+spec:
+  validationFailureAction: Audit
+  rules:
+  - name: check-if-using-csi-secrets-store-driver
+    match:
+      any:
+      - resources:
+          kinds:
+            - CSIDriver
+    validate:
+      message: "Prevent CVE-2023-2878 which can leak security tokens when using the CSIDriver secrets store."
+      pattern:
+        metadata:
+          name: "secrets-store.csi.k8s.io"
+        spec:
+          X(tokenRequests): "null"

other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/bad-daemonset.yaml

@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: bad-daemonset
+  namespace: default
+spec:
+  selector:
+    matchLabels:
+      app: secrets-store
+  template:
+    metadata:
+      labels:
+        app: secrets-store
+    spec:
+      containers:
+      - name: secrets-store
+        image: secrets-store-csi-driver:latest
+        args: ["-v=3"]

other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/bad-deployment.yaml

@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bad-deployment
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: secrets-store
+  template:
+    metadata:
+      labels:
+        app: secrets-store
+    spec:
+      containers:
+      - name: secrets-store
+        image: secrets-store-csi-driver:latest
+        args: ["-v=2"]

other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/good-daemonset.yaml

@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: good-daemonset
+  namespace: default
+spec:
+  selector:
+    matchLabels:
+      app: secrets-store
+  template:
+    metadata:
+      labels:
+        app: secrets-store
+    spec:
+      containers:
+      - name: secrets-store
+        image: secrets-store-csi-driver:latest
+        args: ["-v=0"]

other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/good-deployment.yaml

@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: good-deployment
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: secrets-store
+  template:
+    metadata:
+      labels:
+        app: secrets-store
+    spec:
+      containers:
+      - name: secrets-store
+        image: secrets-store-csi-driver:latest
+        args: ["-v=1"]

other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/artifacthub-pkg.yml

@@ -0,0 +1,20 @@
+name: check-if-using-csi-secrets-store-driver
+version: 2.0.0
+displayName: Prevent CVE-2023-2878
+createdAt: "2024-05-10T20:30:06.000Z"
+description: >-
+  Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store. The policy checks if you are using the store and warns you could be vulnerable.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml
+  ```
+keywords:
+  - kyverno
+  - Other
+readme: |
+  Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store. The policy checks if you are using the store and warns you could be vulnerable.
+annotations:
+  kyverno/category: "Other"
+  kyverno/kubernetesVersion: "1.29"
+  kyverno/subject: "Deployment"
+digest: 80c2bc5cbe9081ae7ca6598f8ef435467bb487818df49a6b4c95e35f442be0e2

other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml

@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-secrets-store-csi-driver-loglevel
+  annotations:
+    policies.kyverno.io/title: Prevent CVE-2023-2878
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Deployment, DaemonSet
+    kyverno.io/kyverno-version: 1.11.0
+    kyverno.io/kubernetes-version: 1.27
+    policies.kyverno.io/description: >-
+      Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store. The policy checks if you are using the store and warns you could be vulnerable.
+
+      Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+spec:
+  validationFailureAction: Audit
+  rules:
+  - name: limit-secrets-store-csi-driver-loglevel
+    match:
+      any:
+      - resources:
+          kinds:
+          - Deployment
+          - DaemonSet
+    validate:
+      message: "secrets-store-csi-driver must use log level 1 or below, CVE-2023-2878."
+      pattern:
+        spec:
+          template:
+            spec:
+              containers:
+                - name: "secrets-store"
+                  args: "-v=0 | -v=1"