Prevent CVE-2022-4886

other/block-ingress-path-type-cve-2022-4886/.chainsaw-test/bad-ingress.yaml

@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: bad-ingress
+spec:
+  rules:
+  - host: example.com
+    http:
+      paths:
+      - path: /testpath
+        pathType: Exact
+        backend:
+          service:
+            name: test-service
+            port:
+              number: 80

other/block-ingress-path-type-cve-2022-4886/.chainsaw-test/chainsaw-step-01-assert-1.yaml

@@ -0,0 +1,5 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: secrets-not-from-env-vars-cve-2024-3177
+  ready: true

other/block-ingress-path-type-cve-2022-4886/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,29 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: secrets-not-from-env-vars-cve-2024-3177
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../secrets-not-from-env-vars-cve-2024-3177.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: secrets-not-from-env-vars-cve-2024-3177
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: good-pod.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: bad-pod.yaml

other/block-ingress-path-type-cve-2022-4886/.chainsaw-test/good-ingress.yaml

@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: good-ingress
+spec:
+  rules:
+  - host: example.com
+    http:
+      paths:
+      - path: /testpath
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: test-service
+            port:
+              number: 80

other/block-ingress-path-type-cve-2022-4886/artifacthub-pkg.yml

@@ -0,0 +1,19 @@
+name: block-ingress-path-type-cve-2022-4886
+version: 1.0.0
+displayName: Block Ingress Path Types
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+  This policy blocks specific Ingress path types to mitigate the risk associated with CVE-2022-4886.
+install: |-
+  \```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/block-ingress-path-type-cve-2022-4886/block-ingress-path-type-cve-2022-4886.yaml
+  \```
+keywords:
+  - kyverno
+  - Security
+readme: |
+  This policy blocks specific Ingress path types to mitigate the risk associated with CVE-2022-4886.
+annotations:
+  kyverno/category: "Security"
+  kyverno/subject: "Ingress"
+digest: dc38bca58426dc3603c216f98d5818df7decce68be4ccf2046c1f5b3c201a922

other/block-ingress-path-type-cve-2022-4886/block-ingress-path-type-cve-2022-4886.yaml

@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-ingress-path-type-cve-2022-4886
+  annotations:
+    policies.kyverno.io/title: Block Ingress Path Types
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.11.0
+    kyverno.io/kubernetes-version: 1.27
+    policies.kyverno.io/subject: Ingress
+    policies.kyverno.io/description: >-
+      This policy blocks specific Ingress path types to mitigate the risk associated with CVE-2022-4886.
+
+      Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+spec:
+  validationFailureAction: Audit
+  rules:
+    - name: block-specific-path-types-cve-2022-4886
+      match:
+        any:
+          - resources:
+            kinds:
+              - Ingress
+      validate:
+        message: "pathType '/{{request.object.spec.rules[].http.paths[].pathType}}' is not allowed in this namespace CVE-2022-4886"
+        deny:
+          conditions:
+            all:
+              - key: "{{request.object.spec.rules[].http.paths[].pathType | [] }}"
+                operator: AnyNotIn
+                value: [ImplementationSpecific]