[BUG] Pod spiderpool-init has too much RBAC permission, which may lead to the whole cluster being hijacked #3420
Labels
good first issue
kind/bug
kind/feature
What would you like to be added?
Hi community! Our team just found a possible security issue when reading the code. We would like to discuss whether it is a real vulnerability.
Description
The bug is that the Pod spiderpool-init in the charts has more RBAC permission than it needs, which may cause some security problems, and the worst one leads to the cluster being hijacked. The problem is that the service account of spiderpool-init is bound with a shared ClusterRole spiderpool-admin (role.yaml#L5) instead of creating a separate one. This causes spiderpool-init to have the following sensitive permissions:

- update verb of the deployments/statefulsets/daemonsets/cronjobs/replicasets/jobs resource (ClusterRole)
- patch/update verb of the nodes resource (ClusterRole)

After reading the source code of spiderpool-init, I didn't find any Kubernetes API usages using these permissions. However, these unused permissions may have some potential risks:

- update verb of the deployments/statefulsets/daemonsets/cronjobs/replicasets/jobs resource
- patch/update verb of the nodes resource

The malicious users only need to get the service account token to perform the above attacks. There are several ways that have already been reported in the real world to achieve this:

- /var/run/secrets/kubernetes.io/serviceaccount/token

Mitigation Suggestion

- securityContext of newly created pods, especially enforcing securityContext.privileged and securityContext.allowPrivilegeEscalation to false. This would prevent the attacker from escaping the malicious container. In old Kubernetes versions, PodSecurityPolicy can also be used to achieve this (it is deprecated in v1.21).

Few Questions
References
Several CVEs had already been assigned in other projects for similar issues:
Reporter
- kaaass (@kaaass)
- Yseona (@Yseona)
Why is this needed?
None
How to implement it (if possible)?
None
Additional context
None
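As an added example, not code from this issue or from the Spiderpool project, the following Python script audits a Role/ClusterRole object in the JSON shape that `kubectl get clusterrole <name> -o json` returns and reports the verb/resource pairs the issue calls sensitive: create/update/patch on workload controllers (the holder can rewrite a pod template and run arbitrary containers, with any securityContext, under that controller), and update/patch on nodes. Both manifests inside the script are constructed for the example, including the hypothetical name spiderpool-init-readonly; they do not reproduce the chart's real role.yaml, and the script treats `*` wildcards as matching everything so an over-broad rule is not missed.

```python
"""Audit RBAC rules for grants that let a service account hijack workloads or nodes.

Added example (not Spiderpool project code). Input is a Role/ClusterRole dict in
the shape produced by `kubectl get clusterrole <name> -o json`.
"""
from __future__ import annotations

import json
import sys

# Resources that carry a pod template: a write verb lets the holder make the
# controller run arbitrary containers under its own service account.
WORKLOAD_CONTROLLERS = {
    "apps": {"deployments", "statefulsets", "daemonsets", "replicasets"},
    "batch": {"jobs", "cronjobs"},
}
WORKLOAD_WRITE_VERBS = {"create", "update", "patch"}
# Node objects live in the core API group, spelled "" in RBAC rules.
NODE_WRITE_VERBS = {"update", "patch"}
WILDCARD = "*"


def _covered(granted: list[str], wanted: set[str]) -> set[str]:
    """Return the members of `wanted` that `granted` covers, honouring "*"."""
    if WILDCARD in granted:
        return set(wanted)
    return wanted & set(granted)


def find_sensitive_grants(role: dict) -> list[tuple[str, str, str]]:
    """Return sorted (apiGroup, resource, verb) triples that enable takeover."""
    findings: set[tuple[str, str, str]] = set()
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        for group, kinds in WORKLOAD_CONTROLLERS.items():
            if group not in groups and WILDCARD not in groups:
                continue
            for resource in _covered(resources, kinds):
                for verb in _covered(verbs, WORKLOAD_WRITE_VERBS):
                    findings.add((group, resource, verb))
        if "" in groups or WILDCARD in groups:
            if _covered(resources, {"nodes"}):
                for verb in _covered(verbs, NODE_WRITE_VERBS):
                    findings.add(("", "nodes", verb))
    return sorted(findings)


def report(role: dict) -> list[str]:
    """Human-readable summary: one header line plus one line per finding."""
    name = role.get("metadata", {}).get("name", "<unnamed>")
    findings = find_sensitive_grants(role)
    lines = [f"{name}: {len(findings)} takeover-capable grant(s)"]
    for group, resource, verb in findings:
        lines.append(f"  {group or 'core'}/{resource}: {verb}")
    return lines


# Constructed manifest resembling the shared admin role the issue describes;
# NOT copied from the Spiderpool chart.
SHARED_ADMIN_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "spiderpool-admin"},
    "rules": [
        {"apiGroups": ["apps"],
         "resources": ["deployments", "statefulsets", "daemonsets", "replicasets"],
         "verbs": ["get", "list", "watch", "update"]},
        {"apiGroups": ["batch"],
         "resources": ["jobs", "cronjobs"],
         "verbs": ["get", "list", "watch", "update"]},
        {"apiGroups": [""],
         "resources": ["nodes"],
         "verbs": ["get", "list", "watch", "patch", "update"]},
        # Read-only access is not a takeover grant and must not be flagged.
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    ],
}

# Hypothetical dedicated role for the init pod (name and rules are assumptions):
# the same resources, read-only, as a point of comparison.
READ_ONLY_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "spiderpool-init-readonly"},
    "rules": [
        {"apiGroups": ["apps", "batch", ""],
         "resources": ["deployments", "statefulsets", "daemonsets", "replicasets",
                       "jobs", "cronjobs", "nodes", "pods"],
         "verbs": ["get", "list", "watch"]},
    ],
}

if __name__ == "__main__":
    # With a file argument, audit real `kubectl ... -o json` output instead.
    roles = [json.load(open(sys.argv[1]))] if len(sys.argv) > 1 else [SHARED_ADMIN_ROLE, READ_ONLY_ROLE]
    for r in roles:
        print("\n".join(report(r)))
```

Run it with no arguments to compare the two constructed roles, or save `kubectl get clusterrole spiderpool-admin -o json` to a file and pass its path to audit the role actually installed in a cluster. Anything the script lists is a grant the init pod could only justify if its code really calls that API; the issue reports that it does not.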