Description
Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.
A flaw was found in Kubernetes, where users may be able to launch containers using images restricted by the ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.
Mitigation
This issue can be mitigated by applying the patch provided for the kube-apiserver component. This patch prevents ephemeral containers from using an image that is restricted by ImagePolicyWebhook. Note: Validation webhooks (such as Gatekeeper https://open-policy-agent.github.io/gatekeeper-library/website/validation/allowedrepos and Kyverno https://kyverno.io/policies/other/allowed-image-repos/allowed-image-repos/) can also be used to enforce the same restrictions.
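An added example, not taken from the advisory or from the Kubernetes project: an audit of existing pods that applies one allowed-repository check to `containers`, `initContainers` and `ephemeralContainers` alike. The allow-list, registry names and sample pod list are constructed for illustration.

```python
import json

# Constructed allow-list; each prefix ends with "/" so that
# "registry.example.com" cannot match "registry.example.com.lookalike.test".
ALLOWED_REPOS = ("registry.example.com/", "quay.example.org/platform/")

# Every pod-spec field that names an image. A check that skips the last
# one leaves the gap this advisory describes for ImagePolicyWebhook.
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def image_allowed(image, allowed=ALLOWED_REPOS):
    """True if the image reference starts with an allowed repo prefix."""
    return any(image.startswith(prefix) for prefix in allowed)


def audit_pods(pod_list, allowed=ALLOWED_REPOS):
    """Return (namespace, pod, field, container, image) for each violation."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        for field in CONTAINER_FIELDS:
            for c in spec.get(field) or []:
                image = c.get("image", "")
                if not image_allowed(image, allowed):
                    findings.append((meta.get("namespace", ""), meta.get("name", ""),
                                     field, c.get("name", ""), image))
    return findings


# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "shop", "name": "web-0"},
   "spec": {"containers": [{"name": "web", "image": "registry.example.com/shop/web:1.4"}],
            "ephemeralContainers": [{"name": "debugger", "image": "docker.io/library/busybox:1.36"}]}},
  {"metadata": {"namespace": "shop", "name": "api-0"},
   "spec": {"containers": [{"name": "api", "image": "registry.example.com.lookalike.test/api:2"}]}}
]}
""")

if __name__ == "__main__":
    for finding in audit_pods(SAMPLE):
        print("VIOLATION ns=%s pod=%s field=%s container=%s image=%s" % finding)
```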
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Out of support scope | | |
Red Hat OpenShift Container Platform 4 | openshift4/ose-tests | Not affected | | |
Red Hat OpenShift Container Platform 4.14 | buildah | Fixed | RHSA-2023:5009 | 31.10.2023 |
Red Hat OpenShift Container Platform 4.14 | butane | Fixed | RHSA-2023:5009 | 31.10.2023 |
Red Hat OpenShift Container Platform 4.14 | catch | Fixed | RHSA-2023:5009 | 31.10.2023 |
Red Hat OpenShift Container Platform 4.14 | conmon | Fixed | RHSA-2023:5009 | 31.10.2023 |
Red Hat OpenShift Container Platform 4.14 | containernetworking-plugins | Fixed | RHSA-2023:5009 | 31.10.2023 |
Red Hat OpenShift Container Platform 4.14 | containers-common | Fixed | RHSA-2023:5009 | 31.10.2023 |
Red Hat OpenShift Container Platform 4.14 | container-selinux | Fixed | RHSA-2023:5009 | 31.10.2023 |
Red Hat OpenShift Container Platform 4.14 | coreos-installer | Fixed | RHSA-2023:5009 | 31.10.2023 |
Additional information
Status:
EPSS
CVSS3: 6.5 Medium
Related vulnerabilities
A vulnerability in the Kubernetes virtual machine cluster management software related to the ability to bypass the policies of the ImagePolicyWebhook admission module, allowing an attacker to bypass existing security restrictions when launching containers