Prevent CVE-2023-5043 and CVE-2023-5044

other/block-nginx-annotations-cve-2023-5043-cve-2023-5044/block-nginx-annotations-cve-2023-5043-cve-2023-5044.yaml

@@ -0,0 +1,26 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-nginx-annotations-cve-2023-5043-cve-2023-5044
+  annotations:
+    policies.kyverno.io/title: Restrict Nginx Annotations
+    policies.kyverno.io/description: >-
+      Prevent the nginx-related CVE-2023-5043 and CVE-2023-5044 by blocking configuration-snippet and permanent-redirect
+    pod-policies.kyverno.io/autogen-controllers: none
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: block-nginx-annotations-cve-2023-5043-cve-2023-5044
+    match:
+      any:
+      - resources:
+          kinds:
+          - Ingress
+    validate:
+      message: Cannot use nginx.ingress.kubernetes.io annotations for configuration-snippet or permanent-redirect, remediating CVE-2023-5043 and CVE-2023-5044
+      pattern:
+        metadata:
+          =(annotations):
+            X(nginx.ingress.kubernetes.io/configuration-snippet): "*" # CVE-2023-5043
+            X(nginx.ingress.kubernetes.io/permanent-redirect): "*" # CVE-2023-5044