OPA Gatekeeper Bypass Reveals Risks in Kubernetes Policy Engines
ID: ca130849-1952-541b-8789-01f202360288
STIX ID: report--ca130849-1952-541b-8789-01f202360288
Feed Name: Aqua Security Blog
This blog analyzes how OPA Gatekeeper's k8sallowedrepos policy can be bypassed due to prefix-based Rego functions and misconfigured constraint values (notably missing trailing slashes), demonstrates domain and Docker Hub namespace bypass scenarios, compares related risks in Kyverno, and provides mitigations including a new k8sallowedreposv2 policy and scanning recommendations.
