
TOB-K8S-038: hostPath PersistentVolumes enable PodSecurityPolicy bypass #81110

Closed · cji opened this issue Aug 8, 2019 · 4 comments · Fixed by kubernetes/website#15756
Labels
area/security kind/documentation Categorizes issue or PR as related to documentation. priority/backlog Higher priority than priority/awaiting-more-evidence. sig/auth Categorizes an issue or PR as relevant to SIG Auth. wg/security-audit Categorizes an issue or PR as relevant to WG Security Audit.
Milestone: v1.16

Comments

cji (Member) commented Aug 8, 2019

This issue was reported in the Kubernetes Security Audit Report

Description
A PodSecurityPolicy allows a cluster administrator to specify what settings a given service account should be able to provide when creating a Pod on a cluster. If a cluster operator attempts to create a Pod with a setting not allowed by the PodSecurityPolicy associated with their account, the Pod will fail to create and return a validation error.

An attacker can bypass hostPath volume mount restrictions imposed by a PodSecurityPolicy by using the HostPath type of PersistentVolumes, and mounting the PersistentVolume through the use of a PersistentVolumeClaim. This allows the attacker access to any directory of the underlying Kubernetes node host.

As currently implemented, the PodSecurityPolicy is not granular enough to provide protections for PersistentVolumeClaim volumes. The hostPath volume supports the ability to specify allowed paths for a given Pod to mount. This restriction is not available for the PersistentVolumeClaim, and does not propagate to the hostPath PersistentVolume.

The validations for PersistentVolumes currently only ensure mount options are correct, and that the provided target path does not contain ‘..’.

Exploit Scenario
Eve gains access to Alice’s Kubernetes cluster with a service account able to create PersistentVolumes, PersistentVolumeClaims, and Pods, but restricted from mounting hostPath volumes. Eve uses her access to create a hostPath PersistentVolume and a corresponding PersistentVolumeClaim. Eve then creates a Pod mounting the PersistentVolumeClaim, effectively bypassing the PodSecurityPolicy restriction and allowing Eve to gain access to the node host filesystem where the Pod was scheduled.

See Appendix C for a proof of concept for this attack.

Recommendation
Short term, document the limitations of the allowedPaths restrictions in the PodSecurityPolicy.

Long term, add support for PersistentVolumeClaim restrictions within the PodSecurityPolicy. As a whole, the PodSecurityPolicy needs more granular controls to account for resources provided by association, such as PersistentVolumeClaims to PersistentVolumes.

Anything else we need to know?:

See #81146 for current status of all issues created from these findings.

The vendor gave this issue an ID of TOB-K8S-038 and it was finding 1 of the report.

The vendor considers this issue High Severity.

To view the original finding, begin on page 21 of the Kubernetes Security Review Report

Environment:

  • Kubernetes version: 1.13.4
@cji cji added the kind/feature Categorizes issue or PR as related to a new feature. label Aug 8, 2019
@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Aug 8, 2019
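The gap the description and exploit scenario above describe, as an added illustration that is not code from the audit report or from Kubernetes: a small model of the PSP hostPath checks applied first to what PSP actually sees (the Pod spec alone) and then by a hypothetical check that resolves the claim to its PV. The PSP contents, the Pod/PVC/PV objects and the `resolving_check` function are constructed for this example; `has_path_prefix` is a simplified model of the admission plugin's prefix matching, not its code.

```python
"""Why a hostPath PersistentVolume sidesteps PodSecurityPolicy.

Added illustration, not Kubernetes code. PSP validates only the Pod object, so a
persistentVolumeClaim volume is judged on its type alone; the hostPath inside the
PV it binds to is never examined. `resolving_check` is a hypothetical extension in
the spirit of the long-term recommendation (follow Pod -> PVC -> PV). Objects
mirror Kubernetes API shapes but are constructed here as plain dicts.
"""
from typing import Dict, List, Optional

# Constructed PSP: PVCs allowed, hostPath only read-only under /var/log.
PSP = {
    "volumes": ["configMap", "secret", "emptyDir", "hostPath", "persistentVolumeClaim"],
    "allowedHostPaths": [{"pathPrefix": "/var/log", "readOnly": True}],
}

def has_path_prefix(path: str, prefix: str) -> bool:
    """Component-wise prefix match (simplified model of the PSP plugin's check):
    '/var/log' matches '/var/log' and '/var/log/x' but not '/var/logs'."""
    path = path.rstrip("/") or "/"
    prefix = prefix.rstrip("/") or "/"
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")

def mount_is_read_only(pod: dict, volume_name: str) -> bool:
    """True only if every container mount of this volume is readOnly."""
    spec = pod["spec"]
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    mounts = [m for c in containers for m in c.get("volumeMounts", [])
              if m["name"] == volume_name]
    return all(m.get("readOnly", False) for m in mounts)

def hostpath_allowed(path: str, read_only: bool) -> Optional[str]:
    """None if the PSP permits this host path, else the reason it does not."""
    allowed = PSP["allowedHostPaths"]
    if not allowed:  # an empty allowedHostPaths list permits any host path
        return None
    for entry in allowed:
        if has_path_prefix(path, entry["pathPrefix"]):
            if entry.get("readOnly") and not read_only:
                return f"host path {path} must be mounted read-only"
            return None
    return f"host path {path} is not allowed to be used"

def psp_validate(pod: dict) -> List[str]:
    """What PSP actually evaluates: the Pod spec, nothing it references."""
    errors = []
    for vol in pod["spec"].get("volumes", []):
        kind = next(k for k in vol if k != "name")
        if kind not in PSP["volumes"]:
            errors.append(f"volume {vol['name']}: type {kind} not allowed")
        elif kind == "hostPath":
            err = hostpath_allowed(vol["hostPath"]["path"],
                                   mount_is_read_only(pod, vol["name"]))
            if err:
                errors.append(f"volume {vol['name']}: {err}")
    return errors

def resolving_check(pod: dict, pvcs: Dict[str, dict], pvs: Dict[str, dict]) -> List[str]:
    """Hypothetical: PSP rules plus resolution of each claim to its PV.
    pvcs is keyed by claim name, pvs by PV name (spec.volumeName on the PVC)."""
    errors = psp_validate(pod)
    for vol in pod["spec"].get("volumes", []):
        claim = vol.get("persistentVolumeClaim")
        if not claim:
            continue
        pvc = pvcs.get(claim["claimName"])
        pv = pvs.get(pvc["spec"].get("volumeName", "")) if pvc else None
        if pv is None:
            # Fail closed: an unbound claim cannot be verified at admission time.
            errors.append(f"volume {vol['name']}: claim {claim['claimName']} is not bound to a PV")
            continue
        host_path = pv["spec"].get("hostPath")
        if host_path:
            err = hostpath_allowed(host_path["path"], mount_is_read_only(pod, vol["name"]))
            if err:
                errors.append(f"volume {vol['name']} (via PV {pv['metadata']['name']}): {err}")
    return errors

# Constructed objects for the report's scenario: a PV exposing the node root
# (capacity/accessModes and other required API fields omitted for brevity).
EVIL_PV = {"metadata": {"name": "node-root"}, "spec": {"hostPath": {"path": "/"}}}
EVIL_PVC = {"metadata": {"name": "node-root-claim"}, "spec": {"volumeName": "node-root"}}

def pod_with(volume: dict) -> dict:
    """Minimal Pod mounting one volume read-write at /host."""
    return {"metadata": {"name": "eve"},
            "spec": {"containers": [{"name": "c", "image": "busybox",
                                     "volumeMounts": [{"name": "v", "mountPath": "/host"}]}],
                     "volumes": [dict(name="v", **volume)]}}

DIRECT_POD = pod_with({"hostPath": {"path": "/"}})  # PSP rejects this one
PVC_POD = pod_with({"persistentVolumeClaim": {"claimName": "node-root-claim"}})  # PSP accepts
```

`psp_validate(DIRECT_POD)` fails on the `allowedHostPaths` rule while `psp_validate(PVC_POD)` passes, which is the bypass; only `resolving_check` sees that the claim resolves to a hostPath PV rooted at `/`. The unbound-claim branch is the awkward part of any such extension: a Pod can be admitted before its claim binds, so a real check would have to fail closed or re-evaluate at bind time.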
liggitt (Member) commented Aug 8, 2019

/sig auth

@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Aug 8, 2019
joelsmith (Contributor) commented

/remove-kind feature
/kind bug

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. and removed kind/feature Categorizes issue or PR as related to a new feature. labels Aug 8, 2019
liggitt (Member) commented Aug 8, 2019

This one actually is a feature. PSP only governs pod API content. Persistent volumes are a more privileged resource to have create power over, and are out of scope for PSP

This is currently working as designed.

/remove-kind bug
/kind feature

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. and removed kind/bug Categorizes issue or PR as related to a bug. labels Aug 8, 2019
@liggitt liggitt added wg/security-audit Categorizes an issue or PR as relevant to WG Security Audit. area/security labels Aug 8, 2019
@liggitt liggitt changed the title hostPath PersistentVolumes enable PodSecurityPolicy bypass TOB-K8S-038: hostPath PersistentVolumes enable PodSecurityPolicy bypass Aug 8, 2019
@liggitt liggitt added kind/documentation Categorizes issue or PR as related to documentation. priority/backlog Higher priority than priority/awaiting-more-evidence. labels Aug 8, 2019
liggitt (Member) commented Aug 8, 2019

Product Security Committee response:

Control over resources other than the pod itself (including content of referenced objects like PersistentVolumeClaims/PersistentVolumes) is out of scope for PodSecurityPolicy

https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems should be updated to indicate that PersistentVolumes are not limited by PodSecurityPolicy, and that only trusted volume administrators should be granted permission to create PersistentVolume objects.

@liggitt liggitt removed the kind/feature Categorizes issue or PR as related to a new feature. label Aug 8, 2019
@liggitt liggitt added this to the v1.16 milestone Aug 9, 2019
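A way to act on the committee's point that only trusted volume administrators should be able to create PersistentVolume objects, as an added example that is not Kubernetes project code: an offline audit over ClusterRoles and ClusterRoleBindings that lists the subjects able to create PersistentVolumes together with PVCs and Pods, the combination the exploit scenario above requires. The sample roles and bindings are constructed for the example and the function names are its own; the wildcard handling follows RBAC's `*` semantics.

```python
"""Audit which subjects can create PersistentVolumes.

Added example, not Kubernetes project code. PSP does not constrain PV content, so
the effective control is RBAC: only trusted volume administrators should hold
`create` on `persistentvolumes`. This evaluates ClusterRole rules bound through
ClusterRoleBindings (PVs are cluster-scoped, so a namespaced RoleBinding cannot
grant them) and reports subjects holding the full trio from the report's
scenario. Roles and bindings below are constructed in the shape of the RBAC API.
"""
from typing import Dict, Iterable, List, Set, Tuple

Need = Tuple[str, str, str]  # (apiGroup, resource, verb); "" is the core group

PV_ESCAPE_TRIO: List[Need] = [
    ("", "persistentvolumes", "create"),
    ("", "persistentvolumeclaims", "create"),
    ("", "pods", "create"),
]

def rule_grants(rule: dict, group: str, resource: str, verb: str) -> bool:
    """Does one PolicyRule grant verb on group/resource? '*' matches anything."""
    def hit(values: Iterable[str], want: str) -> bool:
        return any(v in ("*", want) for v in values)
    return (hit(rule.get("apiGroups", []), group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))

def subjects_with(roles: List[dict], bindings: List[dict], needs: List[Need]) -> Set[str]:
    """'Kind:namespace/name' for every subject whose bound ClusterRoles, taken
    together, satisfy all of `needs`. Aggregated ClusterRoles are fine as input:
    the API server stores their combined rules in .rules."""
    rules_by_role = {r["metadata"]["name"]: r.get("rules", []) for r in roles}
    granted: Dict[str, Set[Need]] = {}
    for b in bindings:
        ref = b["roleRef"]
        if ref.get("kind") != "ClusterRole":
            continue
        rules = rules_by_role.get(ref["name"], [])
        for s in b.get("subjects", []):
            key = f"{s['kind']}:{s.get('namespace', '')}/{s['name']}"
            got = granted.setdefault(key, set())
            got.update(n for n in needs if any(rule_grants(r, *n) for r in rules))
    return {k for k, v in granted.items() if all(n in v for n in needs)}

def audit_pv_creators(roles: List[dict], bindings: List[dict]) -> List[str]:
    """Subjects that can create PVs, PVCs and Pods: each can mount any node path."""
    return sorted(subjects_with(roles, bindings, PV_ESCAPE_TRIO))

def _role(name: str, *rules: dict) -> dict:
    return {"metadata": {"name": name}, "rules": list(rules)}

def _binding(role: str, *subjects: dict) -> dict:
    return {"roleRef": {"kind": "ClusterRole", "name": role}, "subjects": list(subjects)}

# Constructed sample: a CI service account accumulates the dangerous trio across
# two roles; a plain app deployer in another namespace does not.
SAMPLE_ROLES = [
    _role("cluster-admin", {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}),
    _role("storage-admin", {"apiGroups": [""], "resources": ["persistentvolumes"],
                            "verbs": ["get", "list", "create", "delete"]}),
    _role("app-deployer", {"apiGroups": [""], "resources": ["pods", "persistentvolumeclaims"],
                           "verbs": ["get", "list", "create"]}),
]
SAMPLE_BINDINGS = [
    _binding("cluster-admin", {"kind": "User", "name": "alice"}),
    _binding("storage-admin", {"kind": "ServiceAccount", "namespace": "build", "name": "ci-bot"}),
    _binding("app-deployer",
             {"kind": "ServiceAccount", "namespace": "build", "name": "ci-bot"},
             {"kind": "ServiceAccount", "namespace": "prod", "name": "web"}),
]

if __name__ == "__main__":
    for subject in audit_pv_creators(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print("can create hostPath PV + PVC + Pod:", subject)
```

Against a live cluster, feed the `.items` lists from `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` to `audit_pv_creators`; for a single subject the quick check is `kubectl auth can-i create persistentvolumes --as=system:serviceaccount:build/ci-bot`. Any subject the audit lists can reach the node filesystem regardless of PSP, so the remediation is to remove `persistentvolumes` create from it rather than to tighten the policy.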