Back to catalog

Emergency Deployment Annotation

No violationsstackroxhighdeploy

Alert on deployments that use the emergency annotation (e.g. "admission.stackrox.io/break-glass": "ticket-1234") to circumvent StackRox Admission Controller checks

Rationale
Ideally, all deployments should be validated before they are launched into the cluster; however, in case of emergency, annotations in the form of { "admission.stackrox.io/break-glass": "ticket-1234"} can be used to avoid those checks.
Remediation
Redeploy your service and unset the emergency annotation.
CategoriesSecurity Best Practices
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 9.2
ISO/IEC 27001 2022
A.8.9
NIST SP 800-53 rev. 5
CM-2
PCI DSS 4.0
2.2.1

Generated artifacts

3 of 5 targets supported
emergency-deployment-annotation.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: emergency-deployment-annotation
  annotations:
    policies.kyverno.io/title: Emergency Deployment Annotation
    policies.kyverno.io/category: Security Best Practices
    policies.kyverno.io/severity: high
    policies.kyverno.io/description: 'Alert on deployments that use the emergency annotation (e.g. "admission.stackrox.io/break-glass": "ticket-1234") to circumvent StackRox Admission Controller checks'
    policies.kyverno.io/remediation: Redeploy your service and unset the emergency annotation.
    policies.kyverno.io/rationale: 'Ideally, all deployments should be validated before they are launched into the cluster; however, in case of emergency, annotations in the form of { "admission.stackrox.io/break-glass": "ticket-1234"} can be used to avoid those checks.'
    policies.io/source: stackrox
    policies.io/source-id: 3a98be1e-d427-41ba-ad60-994e848a5554
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: emergency-deployment-annotation
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: 'Policy "Emergency Deployment Annotation" violated: Alert on deployments that use the emergency annotation (e.g. "admission.stackrox.io/break-glass": "ticket-1234") to circumvent StackRox Admission Controller checks'
        deny:
          conditions:
            all:
              - key: "{{ keys(request.object.metadata.annotations || `{}`) }}"
                operator: AnyIn
                value:
                  - admission.stackrox.io/break-glass
IR (canonical)
{
  "id": "3a98be1e-d427-41ba-ad60-994e848a5554",
  "name": "Emergency Deployment Annotation",
  "description": "Alert on deployments that use the emergency annotation (e.g. \"admission.stackrox.io/break-glass\": \"ticket-1234\") to circumvent StackRox Admission Controller checks",
  "rationale": "Ideally, all deployments should be validated before they are launched into the cluster; however, in case of emergency, annotations in the form of { \"admission.stackrox.io/break-glass\": \"ticket-1234\"} can be used to avoid those checks.",
  "remediation": "Redeploy your service and unset the emergency annotation.",
  "severity": "high",
  "categories": [
    "Security Best Practices"
  ],
  "lifecycle": [
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "disallowed-annotation",
    "values": [
      "admission.stackrox.io/break-glass="
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "3a98be1e-d427-41ba-ad60-994e848a5554",
  "name": "Emergency Deployment Annotation",
  "description": "Alert on deployments that use the emergency annotation (e.g. \"admission.stackrox.io/break-glass\": \"ticket-1234\") to circumvent StackRox Admission Controller checks",
  "rationale": "Ideally, all deployments should be validated before they are launched into the cluster; however, in case of emergency, annotations in the form of { \"admission.stackrox.io/break-glass\": \"ticket-1234\"} can be used to avoid those checks.",
  "remediation": "Redeploy your service and unset the emergency annotation.",
  "disabled": false,
  "categories": [
    "Security Best Practices"
  ],
  "lifecycleStages": [
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Disallowed Annotation",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "admission.stackrox.io/break-glass="
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0005",
      "techniques": [
        "T1610"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}