From e8fd12487a2eaf355db8604d2f5be53a24959912 Mon Sep 17 00:00:00 2001 From: Boris 'B' Kurktchiev Date: Tue, 14 May 2024 18:42:33 -0400 Subject: [PATCH 01/12] add policy and artifacthub Signed-off-by: Boris 'B' Kurktchiev --- .../artifacthub-pkg.yaml | 20 ++++++++++++++ ...ore-csi-driver-loglevel-cve-2023-2878.yaml | 26 +++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100644 other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/artifacthub-pkg.yaml create mode 100644 other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml diff --git a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/artifacthub-pkg.yaml b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/artifacthub-pkg.yaml new file mode 100644 index 000000000..2352d4c4d --- /dev/null +++ b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/artifacthub-pkg.yaml @@ -0,0 +1,20 @@ +name: restrict-secrets-store-csi-driver-loglevel +version: 2.0.0 +displayName: Prevent CVE-2023-2878 +createdAt: "2024-05-10T20:30:06.000Z" +description: >- + Prevent CVE-2023-2878 which can leak security tokens in the log when logLevel is set above 1. The policy ensures that logLevel 0 or 1 is used. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml + ``` +keywords: + - kyverno + - Other +readme: | + Prevent CVE-2023-2878 which can leak security tokens in the log when logLevel is set above 1. The policy ensures that logLevel 0 or 1 is used. +annotations: + kyverno/category: "Other" + kyverno/kubernetesVersion: "1.29" + kyverno/subject: "Deployment" +digest: 80c2bc5cbe9081ae7ca6598f8ef435467bb487818df49a6b4c95e35f442be0e2 
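Review bot: `kyverno/subject: "Deployment"` in this artifacthub-pkg.yaml understates the policy added in the same patch, whose match block lists both Deployment and DaemonSet; `kyverno/subject: "Deployment, DaemonSet"` keeps the listing in step with the rule. Later commits in the series only adjust the policy-side `policies.kyverno.io/subject`, so this metadata value would otherwise stay inconsistent with what the policy actually evaluates.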
diff --git a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml new file mode 100644 index 000000000..9fd95b214 --- /dev/null +++ b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml @@ -0,0 +1,26 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-secrets-store-csi-driver-loglevel + annotations: + policies.kyverno.io/title: Prevent CVE-2023-2878 + policies.kyverno.io/category: Security + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Pod, Secret, CSI-Driver + kyverno.io/kyverno-version: 1.11.0 +spec: + validationFailureAction: Audit + rules: + - name: limit-secrets-store-csi-driver-loglevel + match: + any: + - resources: + kinds: + - Deployment + - DaemonSet + validate: + message: "secrets-store-csi-driver must use log level 1 or below, CVE-2023-2878." + pattern: + containers: + - name: "secrets-store" + args: "-v=0 | -v=1" From 3e9e87e447f4be7a7c23408539d50d569d4d1696 Mon Sep 17 00:00:00 2001 From: Boris 'B' Kurktchiev Date: Tue, 14 May 2024 19:02:18 -0400 Subject: [PATCH 02/12] add the second policy that works in combination 
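Review bot: The `containers` pattern uses a plain `name: "secrets-store"` entry instead of the conditional anchor `(name): "secrets-store"`, so as I read Kyverno's pattern semantics every container in the pod template must be named `secrets-store` and carry the matching `args`; a Deployment or DaemonSet that also runs a sidecar fails the rule regardless of its log level, while the CVE text on this page only concerns the log level of the driver container. The same entry survives the re-nesting under `spec.template.spec` in patch 07 (`@@ -21,6 +21,9 @@`), so the change `- (name): "secrets-store"` applies there too. `args: "-v=0 | -v=1"` is a scalar-with-alternation pattern matched against a list, and the fixtures added in patch 03 only exercise a single-element `args`, so a container passing `-v=1` alongside other flags, spelling the flag as `--v=1` or `-v 1`, or omitting `args` altogether (which this pattern also rejects although no log level is set above 1) is not covered; either add fixtures for those shapes or state the accepted `-v=N` form in the `message`.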
Signed-off-by: Boris 'B' Kurktchiev --- .../artifacthub-pkg.yml} | 0 ...si-secrets-store-driver-cve-2023-2878.yaml | 25 +++++++++++++++++++ .../artifacthub-pkg.yml | 20 +++++++++++++++ 3 files changed, 45 insertions(+) rename other/{restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/artifacthub-pkg.yaml => check-if-using-csi-secrets-store-driver-cve-2023-2878/artifacthub-pkg.yml} (100%) create mode 100644 other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml create mode 100644 other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/artifacthub-pkg.yml diff --git a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/artifacthub-pkg.yaml b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/artifacthub-pkg.yml similarity index 100% rename from other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/artifacthub-pkg.yaml rename to other/check-if-using-csi-secrets-store-driver-cve-2023-2878/artifacthub-pkg.yml diff --git a/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml new file mode 100644 index 000000000..a36ef007b --- /dev/null +++ b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml 
@@ -0,0 +1,25 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-if-using-csi-secrets-store-driver + annotations: + policies.kyverno.io/title: Prevent CVE-2023-2878 + policies.kyverno.io/category: Security + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Pod, Secret, CSI-Driver + kyverno.io/kyverno-version: 1.11.0 +spec: + validationFailureAction: Audit + rules: + - name: check-if-using-csi-secrets-store-driver + match: + resources: + kinds: + - csidriver + validate: + message: "Potentially vulnerable to CVE-2023-2878." + pattern: + metadata: + name: "secrets-store.csi.k8s.io" + spec: + X(tokenRequests): "null" diff --git a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/artifacthub-pkg.yml b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/artifacthub-pkg.yml new file mode 100644 index 000000000..90ec3b0a1 --- /dev/null +++ b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/artifacthub-pkg.yml @@ -0,0 +1,20 @@ +name: check-if-using-csi-secrets-store-driver +version: 2.0.0 +displayName: Prevent CVE-2023-2878 +createdAt: "2024-05-10T20:30:06.000Z" +description: >- + Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store. The policy checks if you are using the store and warns you could be vulnerable. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml + ``` +keywords: + - kyverno + - Other +readme: | + Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store. The policy checks if you are using the store and warns you could be vulnerable. +annotations: + kyverno/category: "Other" + kyverno/kubernetesVersion: "1.29" + kyverno/subject: "Deployment" +digest: 80c2bc5cbe9081ae7ca6598f8ef435467bb487818df49a6b4c95e35f442be0e2 
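Review bot: The pattern pins `metadata.name: "secrets-store.csi.k8s.io"`, so every other CSIDriver object in a cluster (any name that differs) fails this rule and is reported with the CVE message although it is unrelated; the name belongs in the match block, e.g. `names: - secrets-store.csi.k8s.io` under `resources`, leaving the pattern to check only `X(tokenRequests): "null"`. The same pattern is kept through the rewrites of this rule in patch 06 (`@@ -13,11 +13,12 @@`) and patch 11 (`@@ -19,9 +19,9 @@`). The `X()` negation anchor makes the rule fail whenever `spec.tokenRequests` is present, which is consistent with the `bad-csidriver.yaml` fixture in patch 03, so only the name check needs to move.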
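Review bot: This artifacthub-pkg.yml is created under `restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/`, yet its `name:`, `description`, `readme` and `install` URL all describe the `check-if-using-csi-secrets-store-driver` policy, while the file renamed into the check-if-using directory in the same patch (100% similarity) still carries the restrict policy's name and install URL; the two files look swapped and whichever listing a user installs from will apply the other policy. The `digest` is byte-identical to the one in patch 01's file, which cannot be the digest of two different files, so it presumably needs regenerating once the contents are settled. `kyverno/subject: "Deployment"` also does not describe a policy whose only match kind is CSIDriver.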
From 3f38b20e743446d0df525e9cda24f20673947ff2 Mon Sep 17 00:00:00 2001 From: Boris 'B' Kurktchiev Date: Mon, 29 Jul 2024 15:56:41 -0400 Subject: [PATCH 03/12] adding in good and bad tests. Note that the test for the CSI secret store are superfluous, unless you actually install a proper CSI driver, the test is kinda meaningless Signed-off-by: Boris 'B' Kurktchiev --- .../.kyverno-test/bad-csidriver.yaml | 10 ++++++++++ .../.kyverno-test/good-csidriver.yaml | 7 +++++++ .../.kyverno-test/bad-daemonset.yaml | 18 ++++++++++++++++++ .../.kyverno-test/bad-deployment.yaml | 19 +++++++++++++++++++ .../.kyverno-test/good-daemonset.yaml | 18 ++++++++++++++++++ .../.kyverno-test/good-deployment.yaml | 19 +++++++++++++++++++ 6 files changed, 91 insertions(+) create mode 100644 other/check-if-using-csi-secrets-store-driver-cve-2023-2878/.kyverno-test/bad-csidriver.yaml create mode 100644 other/check-if-using-csi-secrets-store-driver-cve-2023-2878/.kyverno-test/good-csidriver.yaml create mode 100644 other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/bad-daemonset.yaml create mode 100644 other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/bad-deployment.yaml create mode 100644 other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/good-daemonset.yaml create mode 100644 other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/good-deployment.yaml diff --git a/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/.kyverno-test/bad-csidriver.yaml b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/.kyverno-test/bad-csidriver.yaml new file mode 100644 index 000000000..ca39fbdc4 --- /dev/null +++ b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/.kyverno-test/bad-csidriver.yaml 
@@ -0,0 +1,10 @@ +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: secrets-store.csi.k8s.io +spec: + attachRequired: false + podInfoOnMount: false + tokenRequests: + - audience: "vault" + expirationSeconds: 3600 diff --git a/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/.kyverno-test/good-csidriver.yaml b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/.kyverno-test/good-csidriver.yaml new file mode 100644 index 000000000..63e6efb67 --- /dev/null +++ b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/.kyverno-test/good-csidriver.yaml @@ -0,0 +1,7 @@ +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: secrets-store.csi.k8s.io +spec: + attachRequired: false + podInfoOnMount: false diff --git a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/bad-daemonset.yaml b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/bad-daemonset.yaml new file mode 100644 index 000000000..e99399ad7 --- /dev/null +++ b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/bad-daemonset.yaml @@ -0,0 +1,18 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: bad-daemonset + namespace: default +spec: + selector: + matchLabels: + app: secrets-store + template: + metadata: + labels: + app: secrets-store + spec: + containers: + - name: secrets-store + image: secrets-store-csi-driver:latest + args: ["-v=3"] diff --git a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/bad-deployment.yaml b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/bad-deployment.yaml new file mode 100644 index 000000000..0225e57d7 --- /dev/null +++ b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/bad-deployment.yaml 
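Review bot: The `.kyverno-test/` directories gain resource manifests in this patch (`bad-csidriver.yaml`, `good-csidriver.yaml` and the four Deployment/DaemonSet files) but no `kyverno-test.yaml` declaring which policy each resource is evaluated against and the expected outcome, so as far as this series shows the Kyverno CLI has nothing to execute and the fixtures do not act as tests. Adding one per policy directory, listing the policy file, the resources and a `results` section with `result: fail` for the `bad-*` manifests and `result: pass` for the `good-*` ones, would make the expectation the commit message describes checkable. If I read the loglevel policy's pattern correctly, `good-daemonset.yaml` and `good-deployment.yaml` pass only because each has a single container named `secrets-store`, which is worth a fixture with a sidecar to confirm.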
@@ -0,0 +1,19 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bad-deployment + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: secrets-store + template: + metadata: + labels: + app: secrets-store + spec: + containers: + - name: secrets-store + image: secrets-store-csi-driver:latest + args: ["-v=2"] diff --git a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/good-daemonset.yaml b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/good-daemonset.yaml new file mode 100644 index 000000000..8f5249074 --- /dev/null +++ b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/good-daemonset.yaml @@ -0,0 +1,18 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: good-daemonset + namespace: default +spec: + selector: + matchLabels: + app: secrets-store + template: + metadata: + labels: + app: secrets-store + spec: + containers: + - name: secrets-store + image: secrets-store-csi-driver:latest + args: ["-v=0"] diff --git a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/good-deployment.yaml b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/good-deployment.yaml new file mode 100644 index 000000000..57a57bf93 --- /dev/null +++ b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/good-deployment.yaml @@ -0,0 +1,19 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: good-deployment + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: secrets-store + template: + metadata: + labels: + app: secrets-store + spec: + containers: + - name: secrets-store + image: secrets-store-csi-driver:latest + args: ["-v=1"] From b00b12ece3777d27688636dcc50e8ff865bae905 Mon Sep 17 00:00:00 2001 
From: Boris 'B' Kurktchiev Date: Mon, 29 Jul 2024 16:22:50 -0400 Subject: [PATCH 04/12] Update other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml Co-authored-by: Chip Zoller Signed-off-by: Boris 'B' Kurktchiev --- .../check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml index a36ef007b..b54697796 100644 --- a/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml +++ b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml @@ -6,7 +6,7 @@ metadata: policies.kyverno.io/title: Prevent CVE-2023-2878 policies.kyverno.io/category: Security policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod, Secret, CSI-Driver + policies.kyverno.io/subject: Pod, Secret kyverno.io/kyverno-version: 1.11.0 spec: validationFailureAction: Audit From a283e1fa923660ce2126ab073eb1e0204c2991a8 Mon Sep 17 00:00:00 2001 From: Boris 'B' Kurktchiev Date: Mon, 29 Jul 2024 16:23:00 -0400 Subject: [PATCH 05/12] Update other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml Co-authored-by: Chip Zoller Signed-off-by: Boris 'B' Kurktchiev --- ...estrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml index 9fd95b214..9b32b59de 100644 --- a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml +++ b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml @@ -6,7 +6,7 @@ metadata: policies.kyverno.io/title: Prevent CVE-2023-2878 policies.kyverno.io/category: Security policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod, Secret, CSI-Driver + policies.kyverno.io/subject: Pod, Secret kyverno.io/kyverno-version: 1.11.0 spec: validationFailureAction: Audit From 1318891fd89c51e1040518ef66399a4611b32034 Mon Sep 17 00:00:00 2001 From: Boris 'B' Kurktchiev Date: Mon, 29 Jul 2024 16:32:21 -0400 Subject: [PATCH 06/12] fix comments Signed-off-by: Boris 'B' Kurktchiev --- .../artifacthub-pkg.yml | 4 ++-- ...-if-using-csi-secrets-store-driver-cve-2023-2878.yaml | 9 +++++---- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/artifacthub-pkg.yml b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/artifacthub-pkg.yml index 2352d4c4d..9f7e6a49b 100644 --- a/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/artifacthub-pkg.yml +++ b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/artifacthub-pkg.yml 
@@ -3,7 +3,7 @@ version: 2.0.0 displayName: Prevent CVE-2023-2878 createdAt: "2024-05-10T20:30:06.000Z" description: >- - Prevent CVE-2023-2878 which can leak security tokens in the log when logLevel is set above 1. The policy ensures that logLevel 0 or 1 is used. + Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store. The policy checks if you are using the store and warns you could be vulnerable. install: |- ```shell kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml @@ -12,7 +12,7 @@ keywords: - kyverno - Other readme: | - Prevent CVE-2023-2878 which can leak security tokens in the log when logLevel is set above 1. The policy ensures that logLevel 0 or 1 is used. + Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store. The policy checks if you are using the store and warns you could be vulnerable. annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.29" diff --git a/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml index b54697796..f95f4fa50 100644 --- a/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml +++ b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml 
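Review bot: The description and readme now describe the check-if-using policy, but the `install` context line still applies `restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml`, and since this file arrived by a 100%-similarity rename from the restrict directory in patch 02 its `name:` (outside this hunk) is presumably still `restrict-secrets-store-csi-driver-loglevel`. The install URL should point at `check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml` and the name should be `name: check-if-using-csi-secrets-store-driver`, otherwise the listing installs a different policy than the one it describes. The `digest` this file shares with the other package's file (visible in patch 02) also still needs regenerating.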
@@ -13,11 +13,12 @@ spec: rules: - name: check-if-using-csi-secrets-store-driver match: - resources: - kinds: - - csidriver + any: + - resources: + kinds: + - csidrivers validate: - message: "Potentially vulnerable to CVE-2023-2878." + message: "Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store." pattern: metadata: name: "secrets-store.csi.k8s.io" From 822936a029ef2137e0c49341031c2912e90eae8a Mon Sep 17 00:00:00 2001 From: Boris 'B' Kurktchiev Date: Mon, 29 Jul 2024 16:54:24 -0400 Subject: [PATCH 07/12] update match Signed-off-by: Boris 'B' Kurktchiev --- ...-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml index 9b32b59de..9d9e88053 100644 --- a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml +++ b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml @@ -21,6 +21,9 @@ spec: validate: message: "secrets-store-csi-driver must use log level 1 or below, CVE-2023-2878." pattern: - containers: - - name: "secrets-store" - args: "-v=0 | -v=1" + spec: + template: + spec: + containers: + - name: "secrets-store" + args: "-v=0 | -v=1" From e7e923d8204c8a50ff6d2a5af39c31a468a68a46 Mon Sep 17 00:00:00 2001 From: Boris 'B' Kurktchiev Date: Mon, 29 Jul 2024 16:59:10 -0400 Subject: [PATCH 08/12] add description annotation Signed-off-by: Boris 'B' Kurktchiev --- ...estrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml index 9d9e88053..c2d184eaa 100644 --- a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml +++ b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml @@ -8,6 +8,8 @@ metadata: policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod, Secret kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/description: >- + Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store. The policy checks if you are using the store and warns you could be vulnerable. spec: validationFailureAction: Audit rules: From 09e35bdb423a137c5b7ee35d767fc3d9a25642b6 Mon Sep 17 00:00:00 2001 From: Boris 'B' Kurktchiev Date: Mon, 29 Jul 2024 16:59:47 -0400 Subject: [PATCH 09/12] adding some annotations in hopes its the right ones that are missing? Signed-off-by: Boris 'B' Kurktchiev --- .../check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml index f95f4fa50..3d692d2e1 100644 --- a/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml +++ b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml 
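Review bot: The `policies.kyverno.io/description` added to the loglevel policy is the other policy's text: it says the policy "checks if you are using the store and warns you could be vulnerable", whereas this rule validates the `-v` log level of the `secrets-store` container and says nothing about CSIDriver objects. The wording from patch 01's artifacthub metadata fits this file: `Prevent CVE-2023-2878 which can leak security tokens in the log when logLevel is set above 1. The policy ensures that logLevel 0 or 1 is used.` The same mismatched text is still present in patch 12's hunk for this file (`@@ -6,11 +6,13 @@`).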
@@ -8,6 +8,8 @@ metadata: policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod, Secret kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/description: >- + Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store. The policy checks if you are using the store and warns you could be vulnerable. spec: validationFailureAction: Audit rules: From dc7df8a33bdf493130971fa857b7fed27b083940 Mon Sep 17 00:00:00 2001 From: Boris 'B' Kurktchiev Date: Mon, 29 Jul 2024 17:03:56 -0400 Subject: [PATCH 10/12] adding kyverno version annotation Signed-off-by: Boris 'B' Kurktchiev --- .../check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml | 1 + ...restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml index 3d692d2e1..b66aeefe6 100644 --- a/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml +++ b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml @@ -8,6 +8,7 @@ metadata: policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod, Secret kyverno.io/kyverno-version: 1.11.0 + kyverno.io/kubernetes-version: 1.27 policies.kyverno.io/description: >- Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store. The policy checks if you are using the store and warns you could be vulnerable. spec: 
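Review bot: `kyverno.io/kubernetes-version: 1.27` is an unquoted scalar that YAML parses as a float, and Kubernetes annotation values must be strings, so the manifest can be rejected when applied (and a value such as `1.30` would silently lose its trailing zero); write `kyverno.io/kubernetes-version: "1.27"`. The same unquoted value is added to the loglevel policy in the second hunk of this patch. The neighbouring `kyverno.io/kyverno-version: 1.11.0` only escapes the problem because two dots make it a plain string.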
diff --git a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml index c2d184eaa..2619088c6 100644 --- a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml +++ b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml @@ -8,6 +8,7 @@ metadata: policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod, Secret kyverno.io/kyverno-version: 1.11.0 + kyverno.io/kubernetes-version: 1.27 policies.kyverno.io/description: >- Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store. The policy checks if you are using the store and warns you could be vulnerable. spec: From ce74ea656681c48452a9657977cdbaaaa94a9fc3 Mon Sep 17 00:00:00 2001 From: Boris 'B' Kurktchiev Date: Tue, 30 Jul 2024 08:09:48 -0400 Subject: [PATCH 11/12] change capitalization Signed-off-by: Boris 'B' Kurktchiev --- ...eck-if-using-csi-secrets-store-driver-cve-2023-2878.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml index b66aeefe6..a056343cb 100644 --- a/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml +++ b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml 
@@ -10,7 +10,7 @@ metadata: kyverno.io/kyverno-version: 1.11.0 kyverno.io/kubernetes-version: 1.27 policies.kyverno.io/description: >- - Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store. The policy checks if you are using the store and warns you could be vulnerable. + Prevent CVE-2023-2878 which can leak security tokens when using the CSIDriver secrets store. The policy checks if you are using the store and warns you could be vulnerable. spec: validationFailureAction: Audit rules: @@ -19,9 +19,9 @@ spec: any: - resources: kinds: - - csidrivers + - CSIDriver validate: - message: "Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store." + message: "Prevent CVE-2023-2878 which can leak security tokens when using the CSIDriver secrets store." pattern: metadata: name: "secrets-store.csi.k8s.io" From 33e52f99076df7909d8a5a03d5b8c545a01d2159 Mon Sep 17 00:00:00 2001 From: Boris 'B' Kurktchiev Date: Wed, 31 Jul 2024 10:25:15 -0400 Subject: [PATCH 12/12] update annotations Signed-off-by: Boris 'B' Kurktchiev --- ...check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml | 4 +++- ...trict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml index a056343cb..8c9bcb0e5 100644 --- a/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml +++ b/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml 
@@ -6,11 +6,13 @@ metadata: policies.kyverno.io/title: Prevent CVE-2023-2878 policies.kyverno.io/category: Security policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod, Secret + policies.kyverno.io/subject: CSIDriver kyverno.io/kyverno-version: 1.11.0 kyverno.io/kubernetes-version: 1.27 policies.kyverno.io/description: >- Prevent CVE-2023-2878 which can leak security tokens when using the CSIDriver secrets store. The policy checks if you are using the store and warns you could be vulnerable. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ spec: validationFailureAction: Audit rules: diff --git a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml index 2619088c6..b2432f8b7 100644 --- a/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml +++ b/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml @@ -6,11 +6,13 @@ metadata: policies.kyverno.io/title: Prevent CVE-2023-2878 policies.kyverno.io/category: Security policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod, Secret + policies.kyverno.io/subject: Deployment, DaemonSet kyverno.io/kyverno-version: 1.11.0 kyverno.io/kubernetes-version: 1.27 policies.kyverno.io/description: >- Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store. The policy checks if you are using the store and warns you could be vulnerable. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ spec: validationFailureAction: Audit rules:
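Review bot: The paragraph appended to both `policies.kyverno.io/description` blocks, `Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/`, documents the annotation format itself rather than the policy or CVE-2023-2878, so it reads as template text that was copied into the user-facing description; if the intent is to point operators at remediation guidance, a reference about the vulnerability belongs here instead, otherwise the paragraph can be dropped. With `>-` the blank line is kept as a paragraph break, so this sentence is rendered in the description wherever the policy is listed.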