Ensure custom snippets annotations is not set to true for Ingress-nginx controller deployment's Kubernetes Config Map

HIGH

Description

CVE-2021-25742: Ingress-nginx custom snippets allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces.

Remediation

CVE-2021-25742 affects Ingress-nginx v1.0.0 and all versions less than or equal to v0.49.0. Either upgrade to the latest version, or customize the default manifest so that the controller ConfigMap's 'allow-snippet-annotations' key (under 'data') is set to 'false'.
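
One way to check manifests for this setting before they are applied, added here as an example and not part of the policy or the ingress-nginx project: a line-based Python scan that reports the 'allow-snippet-annotations' state of every ConfigMap in a multi-document manifest. The sample manifest, its namespaces and the ConfigMap name are constructed, and treating an unset key as a finding is this example's assumption.

```python
import re
# Constructed sample manifest; ConfigMap name and namespaces are assumptions.
# Assumption: a ConfigMap that leaves the key unset is reported as a finding,
# because the remediation asks for an explicit "false".
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: edge-a
data:
  allow-snippet-annotations: "true"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: edge-b
data:
  allow-snippet-annotations: "false"  # hardened
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: edge-c
data:
  use-gzip: "true"
"""

KEY_RE = re.compile(r"^[ \t]+allow-snippet-annotations:[ \t]*(.*?)[ \t]*(?:#.*)?$", re.M)

def _field(doc, name):
    # First indented "<name>: value" line; metadata is expected before data.
    m = re.search(rf"^[ \t]+{name}:[ \t]*(\S+)", doc, re.M)
    return m.group(1) if m else "?"

def audit(manifest_text):
    """Map 'namespace/name' of each ConfigMap to enabled, disabled or unset."""
    results = {}
    for doc in re.split(r"^---[ \t]*$", manifest_text, flags=re.M):
        if not re.search(r"^kind:[ \t]*ConfigMap[ \t]*$", doc, re.M):
            continue
        m = KEY_RE.search(doc)
        value = m.group(1).strip("\"'").lower() if m else None
        state = {None: "unset", "false": "disabled"}.get(value, "enabled")
        results[f"{_field(doc, 'namespace')}/{_field(doc, 'name')}"] = state
    return results

def violations(manifest_text):
    return sorted(k for k, v in audit(manifest_text).items() if v != "disabled")
```

Calling `violations(SAMPLE_MANIFEST)` lists the ConfigMaps in `edge-a` and `edge-c`; only `edge-b` sets the key to 'false' explicitly.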

References:
https://github.com/kubernetes/ingress-nginx/issues/7837

Policy Details

Rule Reference ID: AC_K8S_0050
Remediation Available: No
Resource: kubernetes_pod
Resource Category: Compute
Resource Type: Pod

Frameworks