From ffd5d7522e804361fb8d167bbf00d361984fbd3a Mon Sep 17 00:00:00 2001 From: Harkirat Bhardwaj Date: Tue, 26 Oct 2021 23:05:26 +1100 Subject: [PATCH] New k8s policy to detect CVE-2021-25742 (#1069) * new k8s policy to detect CVE-2-21-25742 * added reference_id field
---
 .../rego/k8s/kubernetes_pod/AC_K8_0050.json | 17 +++++++ .../allowedCustomSnippetAnnotations.rego | 45 +++++++++++++++++++ 2 files changed, 62 insertions(+) create mode 100644 pkg/policies/opa/rego/k8s/kubernetes_pod/AC_K8_0050.json create mode 100644 pkg/policies/opa/rego/k8s/kubernetes_pod/allowedCustomSnippetAnnotations.rego
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC_K8_0050.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC_K8_0050.json
new file mode 100644
index 000000000..de6519a92
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC_K8_0050.json
@@ -0,0 +1,17 @@
+{
+ "name": "allowedCustomSnippetAnnotations",
+ "file": "allowedCustomSnippetAnnotations.rego",
+ "policy_type": "k8s",
+ "resource_type": "kubernetes_deployment",
+ "template_args": {
+ "name": "allowedCustomSnippetAnnotations",
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "CVE-2021-25742: Ingress-nginx custom snippets allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces.",
+ "category": "Configuration and Vulnerability Analysis",
+ "reference_id": "AC_K8S_0050",
+ "version": 1,
+ "id": "AC_K8S_0050"
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/allowedCustomSnippetAnnotations.rego b/pkg/policies/opa/rego/k8s/kubernetes_pod/allowedCustomSnippetAnnotations.rego
new file mode 100644
index 000000000..9cd67425b
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/allowedCustomSnippetAnnotations.rego
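Review bot: The metadata file is named `AC_K8_0050.json` while both `reference_id` and `id` read `AC_K8S_0050`; if the sibling policies keep filename and id aligned (not visible here), one of the two should be renamed so a lookup by id finds the file. `resource_type` is `kubernetes_deployment`, which matches the rego's `input.kubernetes_deployment`, but the controller is also commonly installed as a DaemonSet, so those installs are silently out of scope unless a DaemonSet variant of the policy is added.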
@@ -0,0 +1,45 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[deployment.id] {
+ deployment := input.kubernetes_deployment[_]
+ image := deployment.config.spec.template.spec.containers[_].image
+
+ contains(image, "ingress-nginx/controller")
+ contains(image, "@sha")
+ version := split(split(image, ":v")[1], "@")
+ isVulnerableVersion(version)
+ isAllowSnippetAnnotations(deployment.config.metadata.namespace)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[deployment.id] {
+ deployment := input.kubernetes_deployment[_]
+ image := deployment.config.spec.template.spec.containers[_].image
+
+ contains(image, "ingress-nginx/controller")
+ not contains(image, "@sha")
+ version := split(image, ":v")
+ isVulnerableVersion(version)
+ isAllowSnippetAnnotations(deployment.metadata.namespace)
+}
+
+isVulnerableVersion(ver) {
+ ver[minus(count(ver), 1)] <= "0.49"
+}
+
+isVulnerableVersion(ver) {
+ ver[minus(count(ver), 1)] == "1.0.0"
+}
+
+isVulnerableVersion(ver) {
+ ver[0] <= "0.49"
+}
+
+isVulnerableVersion(ver) {
+ ver[0] == "1.0.0"
+}
+
+isAllowSnippetAnnotations(namespace) {
+ configmap := input.kubernetes_config_map[_]
+ configmap.config.metadata.namespace == namespace
+ configmap.config.data["allow-snippet-annotations"] == "true"
+}
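Review bot: The version gate in `isVulnerableVersion` compares release strings lexicographically, so `ver[...] <= "0.49"` is false for `0.49.0` and for every `0.5.x`–`0.9.x` tag (`"0.49.0"` sorts after `"0.49"`, and the character `5` sorts after `4`), and `== "1.0.0"` never matches a suffixed tag, so most affected releases are not flagged. The second rule also reads `deployment.metadata.namespace` where the first rule and `isAllowSnippetAnnotations` use the `.config.metadata.namespace` shape, so that body is most likely undefined and never fires. Both problems go away if the tag is normalised once (digest stripped) and compared with OPA's `semver.compare` as below, keeping the bounds the author intends — `0.49.0` is `0.49` padded to valid semver, and the exact fixed releases should be confirmed against the advisory; this assumes the embedded OPA exposes the `semver` builtins. Separately, `isAllowSnippetAnnotations` only fires on an explicit `"true"`; if I recall correctly the `allow-snippet-annotations` key was introduced together with the fix, so vulnerable controllers typically carry no such key at all and an absent key should count as vulnerable rather than safe.
```rego
{{.prefix}}{{.name}}{{.suffix}}[deployment.id] {
	deployment := input.kubernetes_deployment[_]
	image := deployment.config.spec.template.spec.containers[_].image
	contains(image, "ingress-nginx/controller")
	version := controllerVersion(image)
	isVulnerableVersion(version)
	isAllowSnippetAnnotations(deployment.config.metadata.namespace)
}

# Tag following ":v", with any "@sha256:..." digest suffix removed;
# undefined (and therefore no match) when the image carries no ":v" tag.
controllerVersion(image) = version {
	tag := split(image, ":v")[1]
	version := split(tag, "@")[0]
}

# 0.x line up to and including 0.49.0 (the author's "<= 0.49" bound).
isVulnerableVersion(version) {
	semver.is_valid(version)
	semver.compare(version, "0.49.0") <= 0
}

# Exactly 1.0.0, as in the original rule.
isVulnerableVersion(version) {
	semver.is_valid(version)
	semver.compare(version, "1.0.0") == 0
}

# … unchanged: isAllowSnippetAnnotations …
```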