Skip to content

Leverage the kruise-daemon pod to list all secrets in the entire cluster

Moderate
zmberg published GHSA-437m-7hj5-9mpw Jan 3, 2024

Package

gomod openkruise/charts/charts/kruise/templates/rbac_role.yaml (Go)

Affected versions

> 0.8.0

Patched versions

1.3.1, 1.4.1, 1.5.2

Description

Impact

Attacker that has gain root privilege of the node that kruise-daemon run , can leverage the kruise-daemon pod to list all secrets in the entire cluster. After that, attackers can leverage the "captured" secrets (e.g. the kruise-manager service account token) to gain extra privilege such as pod modification.

Workarounds

For users that do not require imagepulljob functions, they can modify kruise-daemon-role to drop the cluster level secret get/list privilege

Patches

For users who're using v0.8.x ~ v1.2.x, please update the v1.3.1
For users who're using v1.3, please update the v1.3.1
For users who're using v1.4, please update the v1.4.1
For users who're using v1.5, please update the v1.5.2

References

None

Severity

Moderate

CVE ID

CVE-2023-30617

Weaknesses