Log4Shell Mitigation
In response to CVE-2021-44228, known as Log4Shell, a remote code execution vulnerability in the Apache Log4j 2 library, a partial workaround for Log4j versions 2.10 through 2.14.1 is to set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to "true". This reduces exposure but does not close every exploitable code path, so it is highly recommended to upgrade Log4j as soon as possible. See https://logging.apache.org/log4j/2.x/security.html for more details. This policy mutates all initContainers and containers in an incoming Pod to add this environment variable automatically. Because the mutation is applied at admission, only Pods created after the policy is installed receive the variable; Pods already running must be recreated (for example by restarting their Deployment) to pick it up.
Policy Definition
/other/mitigate_log4shell/mitigate_log4shell.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: log4shell-mitigation
  annotations:
    policies.kyverno.io/title: Log4Shell Mitigation
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.6.2
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/category: Sample
    policies.kyverno.io/description: >-
      In response to CVE-2021-44228, known as Log4Shell, a remote code execution
      vulnerability in the Apache Log4j 2 library, a partial workaround for Log4j
      versions 2.10 through 2.14.1 is to set the environment variable
      LOG4J_FORMAT_MSG_NO_LOOKUPS to "true". This reduces exposure but does not
      close every exploitable code path, so it is highly recommended to upgrade
      Log4j as soon as possible.
      See https://logging.apache.org/log4j/2.x/security.html for more details.
      This policy mutates all initContainers and containers in an incoming Pod
      to add this environment variable automatically.
spec:
  rules:
  # Rule 1: every initContainer gets the variable. The conditional anchor
  # (name): "*" applies the patch only when initContainers exist and matches
  # each entry regardless of its name.
  - name: add-log4shell-mitigation-initcontainers
    match:
      resources:
        kinds:
        - Pod
    mutate:
      patchStrategicMerge:
        spec:
          initContainers:
          - (name): "*"
            env:
            - name: LOG4J_FORMAT_MSG_NO_LOOKUPS
              value: "true"
  # Rule 2: same patch for regular containers.
  - name: add-log4shell-mitigation-containers
    match:
      resources:
        kinds:
        - Pod
    mutate:
      patchStrategicMerge:
        spec:
          containers:
          - (name): "*"
            env:
            - name: LOG4J_FORMAT_MSG_NO_LOOKUPS
              value: "true"
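The following Python script is an added example and is not part of the Kyverno policy library or of Kyverno itself. It emulates what the two mutate rules above do to a Pod manifest, so the resulting spec can be inspected offline, and adds the audit check a practitioner wants alongside this policy: a function that lists containers still missing the variable, which is how to find Pods that were admitted before the policy existed. The emulation assumes strategic-merge semantics for the env list (entries merged by name, so an existing entry with the same name has its value overwritten rather than being duplicated); the sample Pod is constructed for the example.

```python
"""Emulate the log4shell-mitigation policy and audit Pods for the variable.

Added example, not Kyverno code. Assumption: patchStrategicMerge merges the
env list by `name`, so an existing LOG4J_FORMAT_MSG_NO_LOOKUPS entry is
overwritten in place instead of being appended a second time.
"""
import copy

ENV_NAME = "LOG4J_FORMAT_MSG_NO_LOOKUPS"
ENV_VALUE = "true"
CONTAINER_FIELDS = ("initContainers", "containers")


def mutate_pod(pod: dict) -> dict:
    """Return a copy of `pod` with ENV_NAME=ENV_VALUE on every initContainer
    and container, mirroring the two rules. Fields that are absent (e.g. a Pod
    with no initContainers) are left absent, as the conditional anchor
    (name): "*" would do."""
    out = copy.deepcopy(pod)
    spec = out.setdefault("spec", {})
    for field in CONTAINER_FIELDS:
        for container in spec.get(field, []):
            env = container.setdefault("env", [])
            for entry in env:
                if entry.get("name") == ENV_NAME:
                    # merge by name: overwrite the existing value (assumption)
                    entry["value"] = ENV_VALUE
                    break
            else:
                env.append({"name": ENV_NAME, "value": ENV_VALUE})
    return out


def unmitigated_containers(pod: dict) -> list:
    """Audit helper: names of containers (as field/name) that do not carry
    ENV_NAME set to "true". Useful for Pods created before the policy was
    installed, which an admission-time mutation never touches."""
    missing = []
    spec = pod.get("spec", {})
    for field in CONTAINER_FIELDS:
        for container in spec.get(field, []):
            values = {e.get("name"): e.get("value") for e in container.get("env", [])}
            if values.get(ENV_NAME) != ENV_VALUE:
                missing.append(f"{field}/{container['name']}")
    return missing


# Constructed sample Pod: one initContainer without env, one container with an
# unrelated variable, and one container that explicitly disables the mitigation.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "java-app"},
    "spec": {
        "initContainers": [
            {"name": "schema-migrate", "image": "example/migrate:1.0"},
        ],
        "containers": [
            {"name": "api", "image": "example/api:1.0",
             "env": [{"name": "JAVA_OPTS", "value": "-Xmx512m"}]},
            {"name": "sidecar", "image": "example/sidecar:1.0",
             "env": [{"name": ENV_NAME, "value": "false"}]},
        ],
    },
}


if __name__ == "__main__":
    print("before:", unmitigated_containers(SAMPLE_POD))
    mutated = mutate_pod(SAMPLE_POD)
    print("after: ", unmitigated_containers(mutated))
    for field in CONTAINER_FIELDS:
        for c in mutated["spec"][field]:
            print(field, c["name"], c["env"])
```

Run the audit function over Pods exported with `kubectl get pods -A -o json` to find workloads that predate the policy; those need a rollout restart before they carry the variable. Note that setting the variable on a container whose application does not use Log4j is harmless, which is why the policy patches every container rather than trying to detect Java images.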