Ensure metadata annotations are restricted in an Ingress object

HIGH

Description

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use .metadata.annotations in an Ingress object to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

Remediation

The vulnerability is patched in ingress-nginx versions 0.49.1, 1.0.1, and later, but it can also be mitigated by restricting the .metadata.annotations field on networking.k8s.io/Ingress resources.
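
The annotation restriction described above is normally enforced by an admission policy (a validating webhook, or a Gatekeeper/Kyverno rule). The following is an added example, not code from this policy page or from the ingress-nginx project: a minimal validating-admission check, in Python, that rejects any Ingress whose annotations match the ingress-nginx snippet pattern. The deny pattern (`nginx.ingress.kubernetes.io/*-snippet`), the function names and the two sample AdmissionReview requests are all constructed for illustration.

```python
"""Validating-admission check that blocks ingress-nginx snippet annotations.

Added example: mirrors what an admission policy would enforce to mitigate
CVE-2021-25742 by restricting .metadata.annotations on Ingress objects.
"""
import fnmatch
from typing import Dict, List

INGRESS_NGINX_PREFIX = "nginx.ingress.kubernetes.io/"

# Assumed deny-list (constructed for this example): every "*-snippet"
# annotation under the ingress-nginx prefix lets the Ingress author inject raw
# nginx configuration into the controller, so all of them are rejected.
DENIED_ANNOTATION_PATTERNS = [INGRESS_NGINX_PREFIX + "*-snippet"]


def denied_annotations(annotations: Dict[str, str]) -> List[str]:
    """Return the annotation keys that match a denied pattern, sorted."""
    return sorted(
        key
        for key in (annotations or {})
        if any(fnmatch.fnmatchcase(key, pat) for pat in DENIED_ANNOTATION_PATTERNS)
    )


def is_ingress(obj: dict) -> bool:
    """True for Ingress objects in the networking.k8s.io (or legacy extensions) group."""
    api_version = obj.get("apiVersion", "")
    return obj.get("kind") == "Ingress" and (
        api_version.startswith("networking.k8s.io/") or api_version.startswith("extensions/")
    )


def review(admission_review: dict) -> dict:
    """Build the AdmissionReview response for a CREATE/UPDATE request.

    Non-Ingress objects and Ingress objects without snippet annotations are
    allowed; anything carrying a denied annotation is rejected with a message
    naming the offending keys.
    """
    request = admission_review["request"]
    obj = request.get("object") or {}
    allowed, message = True, "ok"
    if is_ingress(obj):
        bad = denied_annotations(obj.get("metadata", {}).get("annotations"))
        if bad:
            allowed = False
            message = "Ingress uses disallowed ingress-nginx snippet annotations: " + ", ".join(bad)
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "response": {
            "uid": request["uid"],
            "allowed": allowed,
            "status": {"message": message},
        },
    }


def _sample_request(uid: str, annotations: Dict[str, str]) -> dict:
    """Constructed AdmissionReview request wrapping an Ingress with the given annotations."""
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": uid,
            "operation": "CREATE",
            "object": {
                "apiVersion": "networking.k8s.io/v1",
                "kind": "Ingress",
                "metadata": {"name": "example", "namespace": "default", "annotations": annotations},
                "spec": {"rules": []},
            },
        },
    }


# Constructed samples: one Ingress carrying a snippet annotation, one using only
# an ordinary ingress-nginx annotation.
SAMPLE_DENIED = _sample_request(
    "11111111-1111-1111-1111-111111111111",
    {
        INGRESS_NGINX_PREFIX + "configuration-snippet": "# arbitrary nginx directives",
        INGRESS_NGINX_PREFIX + "rewrite-target": "/",
    },
)
SAMPLE_ALLOWED = _sample_request(
    "22222222-2222-2222-2222-222222222222",
    {INGRESS_NGINX_PREFIX + "rewrite-target": "/"},
)

if __name__ == "__main__":
    for sample in (SAMPLE_DENIED, SAMPLE_ALLOWED):
        resp = review(sample)["response"]
        print(resp["uid"], "allowed" if resp["allowed"] else "DENIED", "-", resp["status"]["message"])
```

Wired behind a ValidatingWebhookConfiguration scoped to `networking.k8s.io` Ingress CREATE and UPDATE operations, this check denies the write before the controller ever renders the annotation, which is the restriction the remediation above calls for. Upgraded controllers (0.49.1 / 1.0.1 and later) additionally expose a controller-side ConfigMap setting, `allow-snippet-annotations`, that disables snippet annotations globally; an admission policy like this one is still useful as defence in depth and as an audit signal for Ingress authors who attempt to use them.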

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-25742
https://github.com/kubernetes/ingress-nginx/issues/7837

Policy Details

Rule Reference ID: AC_K8S_0127
Remediation Available: No
Resource Category: Virtual Network
Resource Type: Ingress

Frameworks