diff --git a/other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml b/other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml
index 7d4297f14..e52a59abf 100644
--- a/other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml
+++ b/other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml
@@ -1,22 +1,23 @@
-name: check-node-for-cve-2022-0185
+name: check-node-for-cve-2022-0185-cel
 version: 1.0.0
-displayName: Check Node for CVE-2022-0185
-createdAt: "2023-04-10T20:30:03.000Z"
+displayName: Check Node for CVE-2022-0185 in CEL expressions
 description: >-
 Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched. The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2. For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185. This policy runs in background mode and flags an entry in the ClusterPolicyReport if any Node is reporting one of the affected kernel versions.
 install: |-
 ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
 ```
 keywords:
 - kyverno
 - Other
+ - CEL Expressions
 readme: |
 Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched. The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2. For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185. This policy runs in background mode and flags an entry in the ClusterPolicyReport if any Node is reporting one of the affected kernel versions. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
 annotations:
- kyverno/category: "Other"
- kyverno/kubernetesVersion: "1.23"
+ kyverno/category: "Other in CEL"
+ kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Node"
-digest: ff64c6f2754226a75b84e88862af65ecc49ebad50cabd601687fd5770003f36a
+digest: b422e9817a282dd268c90c7cb2f74a9e9760e8f8a654645bed1a9976581b8318
+createdAt: "2024-03-21T14:21:00Z"
diff --git a/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml b/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
index a0a287a5e..fd0fb0727 100644
--- a/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
+++ b/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
@@ -3,12 +3,12 @@ kind: ClusterPolicy
 metadata:
 name: check-kernel
 annotations:
- policies.kyverno.io/title: Check Node for CVE-2022-0185
- policies.kyverno.io/category: Other
+ policies.kyverno.io/title: Check Node for CVE-2022-0185 in CEL expressions
+ policies.kyverno.io/category: Other in CEL
 policies.kyverno.io/severity: high
- kyverno.io/kyverno-version: 1.6.0
- policies.kyverno.io/minversion: 1.6.0
- kyverno.io/kubernetes-version: "1.23"
+ kyverno.io/kyverno-version: 1.11.0
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
 policies.kyverno.io/subject: Node
 policies.kyverno.io/description: >-
 Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched.
@@ -17,7 +17,7 @@ metadata:
 This policy runs in background mode and flags an entry in the ClusterPolicyReport if any Node is reporting one of the affected kernel versions.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: kernel-validate
@@ -27,13 +27,8 @@ spec:
 kinds:
 - Node
 validate:
- message: "Kernel is vulnerable to CVE-2022-0185."
- deny:
- conditions:
- any:
- - key: "{{request.object.status.nodeInfo.kernelVersion}}"
- operator: Equals
- value: "5.10.84-1"
- - key: "{{request.object.status.nodeInfo.kernelVersion}}"
- operator: Equals
- value: "5.15.5-2"
\ No newline at end of file
+ cel:
+ expressions:
+ - expression: "!(object.status.nodeInfo.kernelVersion in ['5.10.84-1', '5.15.5-2'])"
+ message: "Kernel is vulnerable to CVE-2022-0185."
+ 
\ No newline at end of file
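Review bot: The last added line of the final hunk is whitespace-only and is followed by `\ No newline at end of file`, so the policy file now ends in a trailing-space line with no terminating newline; drop that line so `message: "Kernel is vulnerable to CVE-2022-0185."` is the last line and ends with a newline. The new CEL expression also keeps an exact string comparison of `object.status.nodeInfo.kernelVersion` against `'5.10.84-1'` and `'5.15.5-2'`, so a node whose kernel string is formatted any differently would pass silently; that is unchanged from the removed deny conditions, but it is worth confirming the literals against what nodes in the target clusters actually report before relying on the ClusterPolicyReport entry. For triage it would help to surface the observed value in the report, e.g. `messageExpression: "'Kernel ' + object.status.nodeInfo.kernelVersion + ' is vulnerable to CVE-2022-0185.'"`, if the targeted Kyverno version supports it. The rule's `match` block begins outside the hunk.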