Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent CVE-2023-2878 #1008

Draft
wants to merge 17 commits into
base: main
Choose a base branch
from
Draft

Prevent CVE-2023-2878 #1008

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
e8fd124
add policy and artifacthub
kurktchiev May 14, 2024
3e9e87e
add the second policy that works in combination
kurktchiev May 14, 2024
ed01999
Merge branch 'kyverno:main' into restrict-secrets-store-csi-driver-lo…
kurktchiev Jun 11, 2024
df61a43
Merge branch 'kyverno:main' into restrict-secrets-store-csi-driver-lo…
kurktchiev Jul 23, 2024
900b453
Merge branch 'main' into restrict-secrets-store-csi-driver-loglevel-c…
kurktchiev Jul 29, 2024
3f38b20
adding in good and bad tests.
kurktchiev Jul 29, 2024
b00b12e
Update other/check-if-using-csi-secrets-store-driver-cve-2023-2878/ch…
kurktchiev Jul 29, 2024
a283e1f
Update other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878…
kurktchiev Jul 29, 2024
1318891
fix comments
kurktchiev Jul 29, 2024
822936a
update match
kurktchiev Jul 29, 2024
e7e923d
add description annotation
kurktchiev Jul 29, 2024
09e35bd
adding some annotations in hopes its the right ones that are missing?
kurktchiev Jul 29, 2024
dc7df8a
adding kyverno version annotation
kurktchiev Jul 29, 2024
ce74ea6
change capitalization
kurktchiev Jul 30, 2024
c099b3b
Merge branch 'main' into restrict-secrets-store-csi-driver-loglevel-c…
kurktchiev Jul 31, 2024
33e52f9
update annotations
kurktchiev Jul 31, 2024
6b3b183
Merge branch 'main' into restrict-secrets-store-csi-driver-loglevel-c…
kurktchiev Aug 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions other/check-if-using-csi-secrets-store-driver-cve-2023-2878/.kyverno-test/bad-csidriver.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
name: secrets-store.csi.k8s.io
spec:
attachRequired: false
podInfoOnMount: false
tokenRequests:
- audience: "vault"
expirationSeconds: 3600
7 changes: 7 additions & 0 deletions ...r/check-if-using-csi-secrets-store-driver-cve-2023-2878/.kyverno-test/good-csidriver.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
name: secrets-store.csi.k8s.io
spec:
attachRequired: false
podInfoOnMount: false
20 changes: 20 additions & 0 deletions other/check-if-using-csi-secrets-store-driver-cve-2023-2878/artifacthub-pkg.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
name: restrict-secrets-store-csi-driver-loglevel
version: 2.0.0
displayName: Prevent CVE-2023-2878
createdAt: "2024-05-10T20:30:06.000Z"
description: >-
Prevent CVE-2023-2878 which can leak security tokens in the log when logLevel is set above 1. The policy ensures that logLevel 0 or 1 is used.
install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml
```
keywords:
- kyverno
- Other
readme: |
Prevent CVE-2023-2878 which can leak security tokens in the log when logLevel is set above 1. The policy ensures that logLevel 0 or 1 is used.
annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.29"
kyverno/subject: "Deployment"
digest: 80c2bc5cbe9081ae7ca6598f8ef435467bb487818df49a6b4c95e35f442be0e2
25 changes: 25 additions & 0 deletions ...ets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-if-using-csi-secrets-store-driver
annotations:
kurktchiev marked this conversation as resolved.
Show resolved Hide resolved
policies.kyverno.io/title: Prevent CVE-2023-2878
policies.kyverno.io/category: Security
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod, Secret, CSI-Driver
kurktchiev marked this conversation as resolved.
Show resolved Hide resolved
kyverno.io/kyverno-version: 1.11.0
spec:
validationFailureAction: Audit
rules:
- name: check-if-using-csi-secrets-store-driver
match:
resources:
kinds:
kurktchiev marked this conversation as resolved.
Show resolved Hide resolved
- csidriver
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pretty sure this kind isn't correct. They are case sensitive.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

k get csidrivers.storage.k8s.io i am missing the s though

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A kubectl get operates differently from matching kinds. Singular vs. plural also matters. Have you actually tested this yourself with this resource?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i have tested in the playground, where it does pass?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You need to test this in a real cluster. Playground doesn't behave the same way when it comes to kind matching.

validate:
message: "Potentially vulnerable to CVE-2023-2878."
kurktchiev marked this conversation as resolved.
Show resolved Hide resolved
pattern:
metadata:
name: "secrets-store.csi.k8s.io"
spec:
X(tokenRequests): "null"
18 changes: 18 additions & 0 deletions ...restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/bad-daemonset.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: bad-daemonset
namespace: default
spec:
selector:
matchLabels:
app: secrets-store
template:
metadata:
labels:
app: secrets-store
spec:
containers:
- name: secrets-store
image: secrets-store-csi-driver:latest
args: ["-v=3"]
19 changes: 19 additions & 0 deletions ...estrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/bad-deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: bad-deployment
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: secrets-store
template:
metadata:
labels:
app: secrets-store
spec:
containers:
- name: secrets-store
image: secrets-store-csi-driver:latest
args: ["-v=2"]
18 changes: 18 additions & 0 deletions ...estrict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/good-daemonset.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: good-daemonset
namespace: default
spec:
selector:
matchLabels:
app: secrets-store
template:
metadata:
labels:
app: secrets-store
spec:
containers:
- name: secrets-store
image: secrets-store-csi-driver:latest
args: ["-v=0"]
19 changes: 19 additions & 0 deletions ...strict-secrets-store-csi-driver-loglevel-cve-2023-2878/.kyverno-test/good-deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: good-deployment
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: secrets-store
template:
metadata:
labels:
app: secrets-store
spec:
containers:
- name: secrets-store
image: secrets-store-csi-driver:latest
args: ["-v=1"]
20 changes: 20 additions & 0 deletions other/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878/artifacthub-pkg.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
name: check-if-using-csi-secrets-store-driver
version: 2.0.0
displayName: Prevent CVE-2023-2878
createdAt: "2024-05-10T20:30:06.000Z"
description: >-
Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store. The policy checks if you are using the store and warns you could be vulnerable.
install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-if-using-csi-secrets-store-driver-cve-2023-2878/check-if-using-csi-secrets-store-driver-cve-2023-2878.yaml
```
keywords:
- kyverno
- Other
readme: |
Prevent CVE-2023-2878 which can leak security tokens when using the csidriver secrets store. The policy checks if you are using the store and warns you could be vulnerable.
annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.29"
kyverno/subject: "Deployment"
digest: 80c2bc5cbe9081ae7ca6598f8ef435467bb487818df49a6b4c95e35f442be0e2
26 changes: 26 additions & 0 deletions ...iver-loglevel-cve-2023-2878/restrict-secrets-store-csi-driver-loglevel-cve-2023-2878.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-secrets-store-csi-driver-loglevel
annotations:
kurktchiev marked this conversation as resolved.
Show resolved Hide resolved
policies.kyverno.io/title: Prevent CVE-2023-2878
policies.kyverno.io/category: Security
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod, Secret, CSI-Driver
kurktchiev marked this conversation as resolved.
Show resolved Hide resolved
kyverno.io/kyverno-version: 1.11.0
spec:
validationFailureAction: Audit
rules:
- name: limit-secrets-store-csi-driver-loglevel
match:
any:
- resources:
kinds:
- Deployment
- DaemonSet
validate:
message: "secrets-store-csi-driver must use log level 1 or below, CVE-2023-2878."
pattern:
containers:
- name: "secrets-store"
args: "-v=0 | -v=1"
kurktchiev marked this conversation as resolved.
Show resolved Hide resolved