Emergency Deployment Annotation
No violationsstackroxhighdeployAlert on deployments that use the emergency annotation (e.g. "admission.stackrox.io/break-glass": "ticket-1234") to circumvent StackRox Admission Controller checks
- Rationale
- Ideally, all deployments should be validated before they are launched into the cluster; however, in case of emergency, annotations in the form of { "admission.stackrox.io/break-glass": "ticket-1234"} can be used to avoid those checks.
- Remediation
- Redeploy your service and unset the emergency annotation.
CategoriesSecurity Best Practices
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 9.2
- ISO/IEC 27001 2022
- A.8.9
- NIST SP 800-53 rev. 5
- CM-2
- PCI DSS 4.0
- 2.2.1
Generated artifacts
3 of 5 targets supportedemergency-deployment-annotation.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: emergency-deployment-annotation
annotations:
policies.kyverno.io/title: Emergency Deployment Annotation
policies.kyverno.io/category: Security Best Practices
policies.kyverno.io/severity: high
policies.kyverno.io/description: 'Alert on deployments that use the emergency annotation (e.g. "admission.stackrox.io/break-glass": "ticket-1234") to circumvent StackRox Admission Controller checks'
policies.kyverno.io/remediation: Redeploy your service and unset the emergency annotation.
policies.kyverno.io/rationale: 'Ideally, all deployments should be validated before they are launched into the cluster; however, in case of emergency, annotations in the form of { "admission.stackrox.io/break-glass": "ticket-1234"} can be used to avoid those checks.'
policies.io/source: stackrox
policies.io/source-id: 3a98be1e-d427-41ba-ad60-994e848a5554
spec:
validationFailureAction: Enforce
background: true
rules:
- name: emergency-deployment-annotation
match:
any:
- resources:
kinds:
- Pod
validate:
message: 'Policy "Emergency Deployment Annotation" violated: Alert on deployments that use the emergency annotation (e.g. "admission.stackrox.io/break-glass": "ticket-1234") to circumvent StackRox Admission Controller checks'
deny:
conditions:
all:
- key: "{{ keys(request.object.metadata.annotations || `{}`) }}"
operator: AnyIn
value:
- admission.stackrox.io/break-glass
IR (canonical)
{
"id": "3a98be1e-d427-41ba-ad60-994e848a5554",
"name": "Emergency Deployment Annotation",
"description": "Alert on deployments that use the emergency annotation (e.g. \"admission.stackrox.io/break-glass\": \"ticket-1234\") to circumvent StackRox Admission Controller checks",
"rationale": "Ideally, all deployments should be validated before they are launched into the cluster; however, in case of emergency, annotations in the form of { \"admission.stackrox.io/break-glass\": \"ticket-1234\"} can be used to avoid those checks.",
"remediation": "Redeploy your service and unset the emergency annotation.",
"severity": "high",
"categories": [
"Security Best Practices"
],
"lifecycle": [
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "disallowed-annotation",
"values": [
"admission.stackrox.io/break-glass="
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "3a98be1e-d427-41ba-ad60-994e848a5554",
"name": "Emergency Deployment Annotation",
"description": "Alert on deployments that use the emergency annotation (e.g. \"admission.stackrox.io/break-glass\": \"ticket-1234\") to circumvent StackRox Admission Controller checks",
"rationale": "Ideally, all deployments should be validated before they are launched into the cluster; however, in case of emergency, annotations in the form of { \"admission.stackrox.io/break-glass\": \"ticket-1234\"} can be used to avoid those checks.",
"remediation": "Redeploy your service and unset the emergency annotation.",
"disabled": false,
"categories": [
"Security Best Practices"
],
"lifecycleStages": [
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [],
"scope": [],
"severity": "HIGH_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Disallowed Annotation",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "admission.stackrox.io/break-glass="
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [
{
"tactic": "TA0005",
"techniques": [
"T1610"
]
}
],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}