Apr 16, 2024
4.0.6

This release includes new Insights for Kubernetes CVEs and a Kubernetes scan report fix.

Release Summary

InsightCloudSec is pleased to announce Kubernetes Scanner Release v.4.0.6. This release includes new Insights for Kubernetes CVEs and a Kubernetes scan report fix. The following packages are included:

  • Helm chart version - 4.0.6
    • Internal components and their versions are in the chart value file. You can easily view the data using the following command:

      helm show values <chart name> | grep -E 'Name:|Version:'

New

  • Two new Insights have been added to address Kubernetes CVEs:
    • Ensure that Ingress-nginx path type is configured with secure options - Ingress-nginx path sanitization can be bypassed with the log_format directive. When pathType is configured as Exact or Prefix, stricter validation applies, allowing only paths that start with a forward slash (/) and contain only alphanumeric characters, hyphens (-), underscores (_), and additional forward slashes (/). When this option is enabled, the validation happens in the Admission Webhook, which denies creation of any Ingress containing invalid characters; this validation is not applied when pathType is ImplementationSpecific.
    • Enforce Restrictions On The Contents Of Ingress-nginx Annotation Fields - Per CVE-2023-5043 and CVE-2023-5044, ingress-nginx annotation injection causes arbitrary command execution.
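The path rule described in the first Insight, turned into an offline audit over a parsed Ingress manifest: it reports paths whose pathType is ImplementationSpecific (and so never reach the Admission Webhook's strict check) and Exact/Prefix paths whose characters that check would reject. This is an added example, not code from InsightCloudSec or ingress-nginx; the Ingress is a constructed sample and the function name audit_ingress and the handling of a missing pathType are my own assumptions.

```python
import re
from typing import Dict, List, Tuple

# The rule quoted in the Insight above for pathType Exact/Prefix: the path must
# start with "/" and contain only alphanumerics, "-", "_" and further "/".
STRICT_PATH = re.compile(r"^/[A-Za-z0-9_/-]*$")

# Constructed sample Ingress (already parsed from YAML/JSON into a dict); not a
# real manifest from the page. One compliant path and two that the check flags.
SAMPLE_INGRESS: Dict = {
    "metadata": {"name": "shop"},
    "spec": {
        "rules": [
            {
                "host": "app.example.com",
                "http": {
                    "paths": [
                        {"path": "/api", "pathType": "Prefix"},
                        {"path": "/static/(.*)", "pathType": "ImplementationSpecific"},
                        {"path": "/bad path", "pathType": "Exact"},
                    ]
                },
            }
        ]
    },
}

def audit_ingress(ingress: Dict) -> List[Tuple[str, str, str]]:
    """Return (host, path, reason) for every path that either bypasses the
    Admission Webhook's strict validation (ImplementationSpecific) or carries
    characters that validation would reject under Exact/Prefix."""
    findings = []
    for rule in ingress.get("spec", {}).get("rules", []):
        host = rule.get("host", "*")
        for entry in rule.get("http", {}).get("paths", []):
            path = entry.get("path", "/")
            # Assumption: a missing pathType is treated like ImplementationSpecific.
            path_type = entry.get("pathType", "ImplementationSpecific")
            if path_type == "ImplementationSpecific":
                findings.append((host, path, "pathType skips strict path validation"))
            elif path_type in ("Exact", "Prefix") and not STRICT_PATH.match(path):
                findings.append((host, path, "path contains characters outside [A-Za-z0-9_/-]"))
    return findings

if __name__ == "__main__":
    for host, path, reason in audit_ingress(SAMPLE_INGRESS):
        print(f"{host}{path}: {reason}")
```

Run it against each Ingress exported from the cluster (for example from `kubectl get ingress -A -o json`, parsed into dicts) to list the objects this Insight would raise.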

Fixed

  • Resolved missing Gatekeeper Constraints in Kubernetes scan report