Description
Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers.
A flaw was found in Kubernetes, where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures that pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers.
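To make the policy described above concrete, here is an added audit script (not Kubernetes' own admission code): given a ServiceAccount and a Pod in the shape of `kubectl get ... -o json`, it lists every secret the pod references, walking `ephemeralContainers` alongside the regular container lists, and reports those the service account's `secrets` field does not allow. The covered reference kinds (secret and projected volumes, `env`/`envFrom`, `imagePullSecrets`) and the sample objects are assumptions made for this example.

```python
ENFORCE_ANNOTATION = "kubernetes.io/enforce-mountable-secrets"

def _container_secret_refs(container):
    """Secrets a single container reaches via env secretKeyRef or envFrom secretRef."""
    refs = set()
    for env in container.get("env", []):
        ref = env.get("valueFrom", {}).get("secretKeyRef")
        if ref:
            refs.add(ref["name"])
    for src in container.get("envFrom", []):
        ref = src.get("secretRef")
        if ref:
            refs.add(ref["name"])
    return refs

def pod_secret_refs(pod):
    """All secret names a pod references: volumes, image pull secrets and
    every container list, including ephemeralContainers (the gap in the flaw)."""
    spec = pod.get("spec", {})
    refs = set()
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            refs.add(vol["secret"]["secretName"])
        for proj in vol.get("projected", {}).get("sources", []):
            if "secret" in proj:
                refs.add(proj["secret"]["name"])
    for ips in spec.get("imagePullSecrets", []):
        refs.add(ips["name"])
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(key, []):
            refs |= _container_secret_refs(c)
    return refs

def disallowed_secrets(service_account, pod):
    """Secrets the pod references that enforce-mountable-secrets should reject.
    Empty set when the annotation is absent or not "true" (policy not enforced)."""
    annotations = service_account.get("metadata", {}).get("annotations", {})
    if annotations.get(ENFORCE_ANNOTATION) != "true":
        return set()
    allowed = {s["name"] for s in service_account.get("secrets", [])}
    return pod_secret_refs(pod) - allowed

# Constructed sample: the SA allows only "app-token"; a debug ephemeral
# container pulls "db-admin", which the policy should have blocked.
SAMPLE_SA = {"metadata": {"annotations": {ENFORCE_ANNOTATION: "true"}},
             "secrets": [{"name": "app-token"}]}
SAMPLE_POD = {"spec": {
    "containers": [{"name": "app", "envFrom": [{"secretRef": {"name": "app-token"}}]}],
    "ephemeralContainers": [{"name": "debug", "env": [{"name": "PW", "valueFrom":
        {"secretKeyRef": {"name": "db-admin", "key": "password"}}}]}],
}}
```

Running `disallowed_secrets(SAMPLE_SA, SAMPLE_POD)` on a patched cluster's existing pods flags any ephemeral-container secret references that slipped through before the kube-apiserver fix was applied.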
Mitigations
This issue can be mitigated by applying the patch provided for the kube-apiserver component. The patch prevents ephemeral containers from bypassing the mountable secrets policy enforced by the ServiceAccount admission plugin.
Affected packages
Platform | Package | Status | Advisory | Release |
---|---|---|---|---|
Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Out of support scope | ||
Red Hat OpenShift Container Platform 4 | openshift4/ose-tests | Not affected | ||
Red Hat OpenShift Container Platform 4.14 | buildah | Fixed | RHSA-2023:5009 | 31.10.2023 |
Red Hat OpenShift Container Platform 4.14 | butane | Fixed | RHSA-2023:5009 | 31.10.2023 |
Red Hat OpenShift Container Platform 4.14 | catch | Fixed | RHSA-2023:5009 | 31.10.2023 |
Red Hat OpenShift Container Platform 4.14 | conmon | Fixed | RHSA-2023:5009 | 31.10.2023 |
Red Hat OpenShift Container Platform 4.14 | containernetworking-plugins | Fixed | RHSA-2023:5009 | 31.10.2023 |
Red Hat OpenShift Container Platform 4.14 | containers-common | Fixed | RHSA-2023:5009 | 31.10.2023 |
Red Hat OpenShift Container Platform 4.14 | container-selinux | Fixed | RHSA-2023:5009 | 31.10.2023 |
Red Hat OpenShift Container Platform 4.14 | coreos-installer | Fixed | RHSA-2023:5009 | 31.10.2023 |
Additional information
Status:
EPSS:
CVSS3: 6.5 Medium