policy for blocking externlaIps

[saiben10]

apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: restrict-external-ips annotations: policies.kyverno.io/title: Restrict External IPs policies.kyverno.io/category: Best Practices policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/severity: medium policies.kyverno.io/subject: Service policies.kyverno.io/description: >- Service externalIPs can be used for a MITM attack (https://github.com/advisories/GHSA-j9wf-vvm6-4r9w). Restrict externalIPs or limit to a known set of addresses. See: https://github.com/kyverno/kyverno/issues/1367. This policy validates that the externalIPs field is not set on a Service. spec: validationFailureAction: audit background: true rules:

name: check-ips match: any: resources: kinds: Service validate: message: "externalIPs are not allowed." pattern: spec: restrict external IP addresses you can alternatively restrict to a known set of addresses using: =(externalIPs): ["37.10.11.53", "153.10.20.1"] X(externalIPs): "null" service.yaml

apiVersion: v1 kind: Service metadata: name: test-service spec: type: LoadBalancer externalIPs:

203.0.113.1 ports: protocol: TCP port: 80 targetPort: 80 it should block the creation of service after applying the policy for me it is not working

should i need to change any thing

[epasham]

Can you post the YAMLs in proper format. It is needed to test and validate the policy

[saiben10]

apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: deny-external-ips spec: validationFailureAction: enforce background: false rules:

• name: block-external-ips match: resources: kinds:
  • Service validate: message: "Creating a service with external IPs is not allowed." deny: conditions:
  • key: "{{ request.object.spec.externalIPs }}" operator: NotEquals value: null

This is the one which i am using

[epasham]

Can you use the below policy and let me know if you face any problem https://github.com/kyverno/policies/blob/main/best-practices-cel/restrict-service-external-ips/restrict-service-external-ips.yaml

[epasham]

Tested the service and it works as expected. As a good practice include selector param in the service definition as shown below

apiVersion: v1 kind: Service metadata: name: test-service spec: selector: app: testapp type: LoadBalancer ports:

• protocol: TCP port: 80 targetPort: 80 externalIPs:
• 203.0.113.1

[epasham]

@saiben10 Can you test and confirm if the issue is resolved

[saiben10]

apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: restrict-external-ips spec: validationFailureAction: enforce background: true rules:

• name: check-ips match: any:
  • resources: kinds:
    • Service operations:
    • CREATE
    • UPDATE validate: message: "externalIPs are not allowed." pattern: spec: externalIPs: "!*"

I used the above one and it is working. Thanks

[saiben10]

apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: ingress-tls spec: validationFailureAction: enforce background: true rules:

name: tls match: any: resources: kinds: Ingress operations: CREATE UPDATE validate: message: "Ingress must have tls config." pattern: spec: tls:

• hosts:
  • "*"

this policy I am trying to use for ingress, i.e. ingress should not be created if we didn't specify tls configuration. But not working What might be the reason

[epasham]

Thanks for confirming that issue with externalIP is resolved. Suggest you to open new issue for ingress.

[realshuting]

apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: ingress-tls spec: validationFailureAction: enforce background: true rules:

name: tls match: any: resources: kinds: Ingress operations: CREATE UPDATE validate: message: "Ingress must have tls config." pattern: spec: tls:

• hosts:

  • "*"

this policy I am trying to use for ingress, i.e. ingress should not be created if we didn't specify tls configuration. But not working What might be the reason

@saiben10 - can you log a separate issue with the formatted policy and resource manifests for reproduction?

Closing this issue as externalIPs policy works.

[realshuting]

Thanks for the help @epasham !

[saiben10]

apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: ingress-tls spec: validationFailureAction: enforce background: true rules: name: tls match: any: resources: kinds: Ingress operations: CREATE UPDATE validate: message: "Ingress must have tls config." pattern: spec: tls:

• hosts:

  • "*" . this policy I am trying to use for ingress, i.e. ingress should not be created if we didn't specify tls configuration. But not working What might be the reason

@saiben10 - can you log a separate issue with the formatted policy and resource manifests for reproduction?

Closing this issue as externalIPs policy works.

yes, open a new case--> https://github.com/kyverno/policies/issues/1193

[saiben10]

Hello @epasham, I have applied the externalIp policy for restriction of externalIPs, but when i created the servcie with clusterIP also the policy is blocking.

apiVersion: v1 kind: Service metadata: name: test namespace: ns-epd-influvac-d spec: ports:

• protocol: TCP name: http port: 80 targetPort: 80 sessionAffinity: None type: ClusterIP

My Policy:

apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: k8sexternalips spec: admission: true background: false rules:

• match: resources: kinds:
  • Service name: deny-external-ips validate: message: Services with externalIPs are not allowed. pattern: spec: externalIPs: '!*' validationFailureAction: Enforce

can you please provide solution for this as we are doing this prod.