-
Notifications
You must be signed in to change notification settings - Fork 497
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
check for loopback addresses in endpoint slice (#830)
- Loading branch information
1 parent
48f92ef
commit 358fc67
Showing
2 changed files
with
26 additions
and
0 deletions.
There are no files selected for viewing
17 changes: 17 additions & 0 deletions
17
pkg/policies/opa/rego/k8s/kubernetes_endpoint_slice/AC_K8S_0113.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
{ | ||
"name": "loopbackAddressUsed", | ||
"file": "loopbackAddressUsed.rego", | ||
"policy_type": "k8s", | ||
"resource_type": "kubernetes_endpoint_slice", | ||
"template_args": { | ||
"name": "loopbackAddressUsed", | ||
"prefix": "", | ||
"suffix": "" | ||
}, | ||
"severity": "LOW", | ||
"description": "Ensure endpoint slice is not created or updated with loopback addresses as this acts as an attack vector for exploiting CVE-2021-25737 by an authorized user", | ||
"reference_id": "AC_K8S_0113", | ||
"id": "AC_K8S_0113", | ||
"category": "Infrastructure Security", | ||
"version": 1 | ||
} |
9 changes: 9 additions & 0 deletions
9
pkg/policies/opa/rego/k8s/kubernetes_endpoint_slice/loopbackAddressUsed.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
package accurics | ||
|
||
{{.prefix}}{{.name}}{{.suffix}}[endpoint_slice.id] { | ||
endpoint_slice = input.kubernetes_endpoint_slice[_] | ||
address := endpoint_slice.config.endpoints[_].addresses[_] | ||
|
||
not_allowed_addresses := ["127.0.0.0/8", "169.254.0.0/16"] | ||
net.cidr_contains(not_allowed_addresses[_], address) | ||
} |