Commit bc3406a6 authored by Dima Brusilovsky's avatar Dima Brusilovsky

docs: add security default rules

parent 250da959
Showing with 281 additions and 0 deletions
+281 -0
id: 31,
name: 'Prevent ConfigMap security vulnerability (CVE-2021-25742)'
uniqueName: 'CONFIGMAP_CVE2021_25742_INCORRECT_SNIPPET_ANNOTATIONS_VALUE'
enabledByDefault: false,
documentationUrl: 'https://hub.datree.io/-prevent-configmap-security-vulnerability-cve-2021-25742'
messageOnFailue: Missing property object `allow-snippet-annotations` - set it to "false" to override default behaviour
category: Security
schema:
if:
properties:
kind:
enum:
- ConfigMap
then:
properties:
data:
properties:
allow-snippet-annotations:
enum:
- 'false'
required:
- allow-snippet-annotations
id: 32,
name: 'Prevent Ingress security vulnerability (CVE-2021-25742)'
uniqueName: 'INGRESS_CVE2021_25742_INCORRECT_SERVER_SNIPPET_KEY'
enabledByDefault: false,
documentationUrl: 'https://hub.datree.io/-prevent-ingress-security-vulnerability-cve-2021-25742'
messageOnFailue: Forbidden property object `server-snippet` - ingress-nginx custom snippets are not allowed
category: Security
schema:
if:
properties:
kind:
enum:
- Ingress
then:
properties:
metadata:
properties:
annotations:
not:
propertyNames:
pattern: ^.*server-snippet$
id: 33,
name: 'Prevent container security vulnerability (CVE-2021-25741)'
uniqueName: 'CONTAINER_CVE2021_25741_INCORRECT_SUBPATH_KEY'
enabledByDefault: false,
documentationUrl: 'https://hub.datree.io/-prevent-container-security-vulnerability-cve-2021-25741'
messageOnFailue: Forbidden property object `subPath` - malicious users can gain access to files & directories outside of the volume
category: Security
schema:
definitions:
subPathPattern:
properties:
spec:
properties:
containers:
type: array
items:
properties:
volumeMounts:
type: array
items:
propertyNames:
not:
pattern: ^subPath$
allOf:
- $ref: "#/definitions/subPathPattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
id: 34,
name: 'Prevent EndpointSlice security vulnerability (CVE-2021-25737)'
uniqueName: 'ENDPOINTSLICE_CVE2021_25373_INCORRECT_ADDRESSES_VALUE'
enabledByDefault: false,
documentationUrl: 'https://hub.datree.io/-prevent-endpointslice-validation-from-enabling-host-network-hijack-cve-2021-25737'
messageOnFailue: Incorrect value for key `addresses` - IP address is within vulnerable ranges (127.0.0.0/8 and 169.254.0.0/16)
category: Security
schema:
if:
properties:
kind:
enum:
- EndpointSlice
then:
properties:
endpoints:
type: array
items:
properties:
addresses:
type: array
items:
not:
oneOf:
- pattern: ^(169\.254\.)
- pattern: ^(127\.)
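Review bot: The trailing commas on `id: 31,` and `enabledByDefault: false,` (repeated on the 32, 33 and 34 entries) are not YAML separators — a YAML loader reads them as the strings `"31,"` and `"false,"`, so the id is no longer an integer and the flag is no longer a boolean; drop the commas: `id: 31` / `enabledByDefault: false`. The key `messageOnFailue` on all four rules looks like a typo for `messageOnFailure`; if the consumer reads the latter, these failure messages are silently lost. The uniqueName `ENDPOINTSLICE_CVE2021_25373_INCORRECT_ADDRESSES_VALUE` does not match the CVE in that rule's name and documentationUrl (2021-25737); presumably it should be `ENDPOINTSLICE_CVE2021_25737_INCORRECT_ADDRESSES_VALUE`. The Ingress rule's pattern `^.*server-snippet$` rejects only one snippet annotation although its message forbids custom snippets in general, and the EndpointSlice patterns cover only IPv4 loopback/link-local; whether the other ingress-nginx `*-snippet` annotations and the IPv6 equivalents are in scope should be confirmed against the advisories. Rule 31 also fires on every `kind: ConfigMap`, not just the ingress-nginx controller's, so once enabled any ConfigMap lacking `allow-snippet-annotations` fails it; scoping it to the controller ConfigMap is worth considering.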
apiVersion: v1
kind: ConfigMap
metadata:
creationTimestamp: 2016-02-18T18:52:05Z
name: game-config
namespace: default
resourceVersion: "516"
uid: b4952dc3-d670-11e5-8cd0-68f728db1985
data:
game.properties: |
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30
ui.properties: |
color.good=purple
color.bad=yellow
allow.textmode=true
how.nice.to.look=fairlyNice
allow-snippet-annotations: not-false
apiVersion: v1
kind: ConfigMap
metadata:
creationTimestamp: 2016-02-18T18:52:05Z
name: game-config
namespace: default
resourceVersion: "516"
uid: b4952dc3-d670-11e5-8cd0-68f728db1985
data:
game.properties: |
enemies=aliens
lives=3
enemies.cheat=true
enemies.cheat.level=noGoodRotten
secret.code.passphrase=UUDDLRLRBABAS
secret.code.allowed=true
secret.code.lives=30
ui.properties: |
color.good=purple
color.bad=yellow
allow.textmode=true
how.nice.to.look=fairlyNice
allow-snippet-annotations: "false"
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: simple-fanout-example
annotations:
nginx.ingress.kubernetes.io/server-snippet: dekljdkfj
spec:
rules:
- host: foo.bar.com
http:
paths:
- path: /foo
pathType: Prefix
backend:
service:
name: service1
port:
number: 4200
- path: /bar
pathType: Prefix
backend:
service:
name: service2
port:
number: 8080
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: simple-fanout-example
annotations:
something: abc
spec:
rules:
- host: foo.bar.com
http:
paths:
- path: /foo
pathType: Prefix
backend:
service:
name: service1
port:
number: 4200
- path: /bar
pathType: Prefix
backend:
service:
name: service2
port:
number: 8080
apiVersion: v1
kind: Pod
metadata:
name: my-lamp-site
spec:
containers:
- name: mysql
image: mysql
env:
- name: MYSQL_ROOT_PASSWORD
value: "rootpasswd"
volumeMounts:
- mountPath: /var/lib/mysql
name: site-data
subPath: mysql
- name: php
image: php:7.0-apache
volumeMounts:
- mountPath: /var/www/html
name: site-data
subPath: html
volumes:
- name: site-data
persistentVolumeClaim:
claimName: my-lamp-site-data
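Review bot: The example Pod sets `MYSQL_ROOT_PASSWORD` from a literal `value: "rootpasswd"`, and the passing example that follows repeats it. Since these manifests illustrate security rules, a plaintext credential in an env var is an awkward model for readers to copy; a `valueFrom: secretKeyRef:` reference (with a placeholder secret name) would be preferable. The subPath rule only inspects the `volumeMounts` entries, so the `env` block could also simply be dropped from both examples.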
apiVersion: v1
kind: Pod
metadata:
name: my-lamp-site
spec:
containers:
- name: mysql
image: mysql
env:
- name: MYSQL_ROOT_PASSWORD
value: "rootpasswd"
volumeMounts:
- mountPath: /var/lib/mysql
name: site-data
- name: php
image: php:7.0-apache
volumeMounts:
- mountPath: /var/www/html
name: site-data
volumes:
- name: site-data
persistentVolumeClaim:
claimName: my-lamp-site-data
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: example-abc
labels:
kubernetes.io/service-name: example
addressType: IPv4
ports:
- name: http
protocol: TCP
port: 80
endpoints:
- addresses:
- "10.1.2.3"
- "127.1.2.3"
conditions:
ready: true
hostname: pod-1
nodeName: node-1
zone: us-west2-a
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: example-abc
labels:
kubernetes.io/service-name: example
addressType: IPv4
ports:
- name: http
protocol: TCP
port: 80
endpoints:
- addresses:
- "10.1.2.3"
conditions:
ready: true
hostname: pod-1
nodeName: node-1
zone: us-west2-a