Commit

copy check-node-for-cve-2022-0185
Signed-off-by: Chandan-DK <[email protected]>
Chandan-DK committed Mar 21, 2024
1 parent d691d7b commit f284a73
Showing 2 changed files with 61 additions and 0 deletions.
22 changes: 22 additions & 0 deletions other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
name: check-node-for-cve-2022-0185
version: 1.0.0
displayName: Check Node for CVE-2022-0185
createdAt: "2023-04-10T20:30:03.000Z"
description: >-
Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched. The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2. For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185. This policy runs in background mode and flags an entry in the ClusterPolicyReport if any Node is reporting one of the affected kernel versions.
install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
```
keywords:
- kyverno
- Other
readme: |
Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched. The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2. For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185. This policy runs in background mode and flags an entry in the ClusterPolicyReport if any Node is reporting one of the affected kernel versions.
Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Node"
digest: ff64c6f2754226a75b84e88862af65ecc49ebad50cabd601687fd5770003f36a
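Review bot: the `install` command in this hunk points at `other/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml`, but the file being added lives under `other-cel/check-node-for-cve-2022-0185/`, so anyone installing from the ArtifactHub listing would apply the original policy rather than this copy; update the URL to the `other-cel/` path. The `createdAt`, `description` and `readme` values are also carried over unchanged from the entry this was copied from (the commit message says "copy"), which is fine for now but should be revisited when the CEL version's behaviour diverges from the original.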
@@ -0,0 +1,39 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-kernel
annotations:
policies.kyverno.io/title: Check Node for CVE-2022-0185
policies.kyverno.io/category: Other
policies.kyverno.io/severity: high
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kubernetes-version: "1.23"
policies.kyverno.io/subject: Node
policies.kyverno.io/description: >-
Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched.
The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2.
For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185.
This policy runs in background mode and flags an entry in the ClusterPolicyReport
if any Node is reporting one of the affected kernel versions.
spec:
validationFailureAction: audit
background: true
rules:
- name: kernel-validate
match:
any:
- resources:
kinds:
- Node
validate:
message: "Kernel is vulnerable to CVE-2022-0185."
deny:
conditions:
any:
- key: "{{request.object.status.nodeInfo.kernelVersion}}"
operator: Equals
value: "5.10.84-1"
- key: "{{request.object.status.nodeInfo.kernelVersion}}"
operator: Equals
value: "5.15.5-2"
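Review bot: this policy is being added under `other-cel/`, yet the rule still uses `validate.deny.conditions` with a JMESPath key (`{{request.object.status.nodeInfo.kernelVersion}}`) rather than a `validate.cel` expression, so as committed it is a copy of the non-CEL policy (consistent with the commit message "copy"); if the CEL conversion is a planned follow-up, state that in the commit message, otherwise the `other-cel/` placement is misleading. Two smaller points on the conditions: both `Equals` checks compare the whole reported kernel string for exact equality, so a node reporting an affected version with any additional suffix or differently formatted build string would silently pass the check, and the affected-version list is duplicated between the `description` annotation (`5.10.84-1 and 5.15.5-2`) and the `value:` entries, so both must be updated together whenever the list changes.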