What you expected to happen?
The weave app should add access restrictions when a user accesses the weave app dashboard UI.
What happened?
Weave app is a dashboard UI that helps to manage the Kubernetes cluster; however, there are no access restrictions when accessing the weave app dashboard by default. Thus, without a proper weave-scope network policy, a malicious container can access the weave app dashboard inside a Kubernetes cluster and delete any workloads in the whole cluster.
How to reproduce it?
1. Install the weave app following the official guide:
kubectl apply -f https://github.com/weaveworks/scope/releases/download/v1.13.2/k8s-scope.yaml
2. Install any web browser inside a malicious pod, and access the weave app dashboard.
3. A malicious pod can access the weave app dashboard UI by default, and it can leverage the dashboard UI to delete any workloads inside the whole cluster.
Anything else we need to know?
Kubernetes v1.24.2, installed by kubeadm. A three-node cluster, each node with Ubuntu 20.04 LTS.
Versions:
$ scope version
$ docker version
$ uname -a
$ kubectl version
Logs:
$ docker logs weavescope
or, if using Kubernetes:
$ kubectl logs <weave-scope-pod> -n <namespace>
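The "proper weave-scope network policy" the report refers to, written out as an added example (not part of the issue or of the Scope project's manifests): it limits which pods can reach the Scope app, while keeping the probes able to report to it. Assumed and to be verified against the k8s-scope.yaml you applied: the app runs in namespace `weave` with pod labels `app=weave-scope` and `name=weave-scope-app`, the probes and cluster agent carry `app=weave-scope`, the app listens on TCP 4040, and the namespace label `scope-dashboard-access=true` is a placeholder you set on the namespace that hosts your operator or ingress pods.

```yaml
# Added example, not from the Scope project. Label and namespace values are
# assumptions; check them against the deployed manifest before applying.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: weave-scope-app-ingress
  namespace: weave
spec:
  # Selecting the app pods with an Ingress policy isolates them: any source
  # not matched by a rule below is dropped, including a pod in a random
  # namespace that opens the dashboard.
  podSelector:
    matchLabels:
      name: weave-scope-app
  policyTypes:
    - Ingress
  ingress:
    # Probes and the cluster agent in the same namespace must still reach
    # the app, otherwise the dashboard shows nothing. Assumption: the
    # upstream agent DaemonSet runs with hostNetwork, so its traffic arrives
    # from node IPs; if this rule does not match it on your CNI, add an
    # ipBlock for your node subnet instead (value omitted here on purpose).
    - from:
        - podSelector:
            matchLabels:
              app: weave-scope
      ports:
        - protocol: TCP
          port: 4040
    # Dashboard users: only pods in a namespace you have explicitly
    # labelled, e.g. the one running your authenticating reverse proxy.
    - from:
        - namespaceSelector:
            matchLabels:
              scope-dashboard-access: "true"
      ports:
        - protocol: TCP
          port: 4040
```

NetworkPolicy is only enforced by a CNI that implements it; on a cluster whose CNI does not, the object is accepted but has no effect, so verify from a pod in an unlabelled namespace that the app is no longer reachable. It also only narrows reachability and does not add the authentication the report asks for, so it is a stopgap, not a replacement for one.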