Description
A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.
A flaw was found in the Kubernetes NodeRestriction admission controller when the DynamicResourceAllocation feature is enabled. While this controller properly validates resource claims during pod status updates, it fails to apply the same validation during pod creation. This oversight allows a compromised node to create mirror pods that can access unauthorized dynamic resources, potentially leading to unauthorized data access and privilege escalation. Although kubelet sanity checks usually prevent such pods from running, the lack of authorization enforcement at creation time poses a real security policy failure.
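The pattern described above (a node identity creating a pod whose spec references ResourceClaims, which NodeRestriction let through on create) can be checked for in kube-apiserver audit logs. The following Python is an added example, not part of this advisory or of Kubernetes; it assumes audit events recorded at level Request or RequestResponse for pods, and the audit lines, node and claim names are constructed.

```python
import json

# Constructed sample audit events (audit.k8s.io/v1, one JSON object per line), not a real
# capture; requestObject is only present when the audit policy logs pods at Request level.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "create", "user": {"username": "system:node:worker-1"},
     "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "static-a-worker-1"},
     "requestObject": {"metadata": {"annotations": {"kubernetes.io/config.mirror": "a1"}},
                       "spec": {"resourceClaims": [{"name": "gpu", "resourceClaimName": "team-gpu"}]}}},
    {"verb": "create", "user": {"username": "system:node:worker-1"},
     "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "static-b-worker-1"},
     "requestObject": {"metadata": {"annotations": {"kubernetes.io/config.mirror": "b2"}},
                       "spec": {"containers": [{"name": "c", "image": "img"}]}}},
    {"verb": "create", "user": {"username": "system:serviceaccount:kube-system:job-controller"},
     "objectRef": {"resource": "pods", "namespace": "ml", "name": "train-1"},
     "requestObject": {"spec": {"resourceClaims": [{"name": "gpu", "resourceClaimName": "team-gpu"}]}}},
    {"verb": "patch", "user": {"username": "system:node:worker-1"},
     "objectRef": {"resource": "pods", "subresource": "status", "namespace": "ml", "name": "train-1"}},
])

def node_created_pod_with_claims(event: dict) -> bool:
    """True when a node identity creates a pod whose spec references ResourceClaims."""
    # Nodes may only create mirror pods, and mirror pods cannot use dynamic resource
    # allocation, so a hit means the apiserver's NodeRestriction plugin let through a
    # create it should reject, or a node is submitting pods it should not.
    ref = event.get("objectRef", {})
    user = event.get("user", {}).get("username", "")
    claims = event.get("requestObject", {}).get("spec", {}).get("resourceClaims") or []
    return (event.get("verb") == "create"
            and ref.get("resource") == "pods"
            and not ref.get("subresource")  # pods/status updates take the validated path
            and user.startswith("system:node:")
            and len(claims) > 0)

def find_suspect_creates(audit_log: str) -> list:
    """Return (namespace/name, node identity, referenced claim names) for each hit."""
    hits = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if node_created_pod_with_claims(event):
            ref, spec = event["objectRef"], event["requestObject"]["spec"]
            names = [c.get("resourceClaimName") or c.get("resourceClaimTemplateName")
                     for c in spec["resourceClaims"]]
            hits.append((f"{ref['namespace']}/{ref['name']}", event["user"]["username"], names))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_creates(SAMPLE_AUDIT_LOG):
        print("node-created pod references ResourceClaims:", hit)
```

On a patched apiserver the same query should return nothing, which makes it a cheap way to confirm the fix is in effect as well as to spot an unpatched control plane.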
Statement
Red Hat Product Security has assessed the severity of this vulnerability as Low due to its limited preconditions and mitigated runtime impact. While successful exploitation requires a compromised node, the vulnerability enables that node to bypass API authorization checks and gain access to unauthorized dynamic resources. This represents a serious policy enforcement gap. Although kubelet checks often prevent affected pods from running, the underlying flaw allows violation of Kubernetes’ access control boundaries.
Mitigation
Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria, comprising ease of use and deployment, applicability to a widespread installation base, or stability.
Affected Packages
Platform | Package | State | Advisory | Release
---|---|---|---|---
Red Hat OpenShift Container Platform 4 | openshift | Fix deferred | |
Red Hat OpenShift Container Platform 4 | openshift4/ose-hyperkube | Not affected | |
Red Hat OpenShift Container Platform 4 | openshift4/ose-hyperkube-rhel9 | Not affected | |
Red Hat OpenShift Container Platform 4 | openshift4/ose-kube-proxy | Not affected | |
Red Hat OpenShift Container Platform 4 | openshift4/ose-kube-proxy-rhel9 | Not affected | |
Red Hat OpenShift Container Platform 4 | ose-installer-kube-apiserver-artifacts-container | Not affected | |
Additional Information
EPSS
CVSS3: 2.7 Low
Related Vulnerabilities
kubernetes allows nodes to bypass dynamic resource allocation authorization checks