CVE-2017-1000056: PodSecurityPolicy admission plugin authorizes incorrectly #43459
Labels: area/security, kind/bug, official-cve-feed, sig/auth
A PodSecurityPolicy admission plugin vulnerability allows users to make use of any PodSecurityPolicy object, even ones they are not authorized to use.
CVE: CVE-2017-1000056
Who is affected?
Only Kubernetes 1.5.0-1.5.4 installations that do all of the following:
- `--runtime-config=extensions/v1beta1/podsecuritypolicy=true`
- `--admission-control=...,PodSecurityPolicy,...`
kubeadm and GKE do not allow enabling PodSecurityPolicy in 1.5, so are not affected by this vulnerability.
kube-up.sh and kops do not enable PodSecurityPolicy by default, so are not affected by this vulnerability. A modified kube-up.sh or kops deployment could have enabled it.
What is the impact?
A user that is authorized to create pods can make use of any existing PodSecurityPolicy, even ones they are not authorized to use.
How can I mitigate this prior to installing 1.5.5?
1. Export existing PodSecurityPolicy objects:
   `kubectl get podsecuritypolicies -o yaml > psp.yaml`
2. Review and delete any PodSecurityPolicy objects you do not want all pod-creating users to be able to use (NOTE: Privileged users that were making use of those policies will also lose access to those policies). For example:
   `kubectl delete podsecuritypolicies/my-privileged-policy`
3. After upgrading to 1.5.5, re-create the exported PodSecurityPolicy objects:
   `kubectl create -f psp.yaml`
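As an added helper for the review step (this is example code, not part of the issue or of Kubernetes), the script below scans the List produced by `kubectl get podsecuritypolicies -o yaml` and names every policy that sets `privileged`, `hostPID`, `hostIPC` or `hostNetwork` to true, which are the policies most worth removing while the bug is unpatched. It assumes the extensions/v1beta1 field names and the indentation kubectl uses for a List; the sample YAML is constructed.

```shell
#!/bin/sh
# Constructed sample standing in for psp.yaml (kubectl List output).
SAMPLE_PSP_YAML='apiVersion: v1
items:
- apiVersion: extensions/v1beta1
  kind: PodSecurityPolicy
  metadata:
    name: my-privileged-policy
  spec:
    hostNetwork: true
    hostPID: true
    privileged: true
- apiVersion: extensions/v1beta1
  kind: PodSecurityPolicy
  metadata:
    name: restricted
  spec:
    privileged: false
    runAsUser:
      rule: MustRunAsNonRoot
kind: List
metadata: {}'

# Reads a PSP List on stdin and prints "name: flag1,flag2" for each policy
# that enables any of the host-level booleans; safe policies print nothing.
risky_psps() {
  awk '
    function emit() { if (name != "" && flags != "") print name ": " flags }
    /^- /          { emit(); name = ""; flags = "" }   # start of next item
    /^    name: /  { name = $2 }                       # metadata.name
    /^    (privileged|hostPID|hostIPC|hostNetwork): true$/ {
      key = $1; sub(/:$/, "", key)
      flags = (flags == "" ? key : (flags "," key))
    }
    END { emit() }
  '
}

# Real use: risky_psps < psp.yaml ; here it runs over the constructed sample.
printf '%s\n' "$SAMPLE_PSP_YAML" | risky_psps
```

Each policy it names is a candidate for `kubectl delete podsecuritypolicies/<name>` until 1.5.5 is installed.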