Critical Kubernetes Bug Gives Anyone Full Admin Privileges
https://duo.com/decipher/critical-kubernetes-bug-gives-anyone-full-admin-privileges [duo.com]
2018-12-05 21:12
An authenticated user can also send specially crafted network requests to the Kubernetes application programming interface (API) server and create a connection to the backend server. The API server’s job is to determine if the requests are valid, and to instruct other components to carry out the instructions for valid requests. With the flaw, the API server is tricked into connecting to the backend server as itself and not as the user, and with the highest level of permissions. Once the connection is established, the user can send arbitrary requests—authenticated with the API server’s Transport Layer Security (TLS) credentials—directly to the backend server. The user can run any API request against the kubelet API of the node where a targeted pod is running, such as listing all pods on the node, running commands inside pods, and getting the output of those commands.
The authorization is coming from inside the house!
Also, from the discoverer: https://rancher.com/blog/2018/2018-12-04-k8s-cve/
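The flow in the excerpt above can be modeled in a few lines. This is an added example, not code from the article, Kubernetes or Rancher: a simplified in-memory model in which every class, identity and policy entry is hypothetical and constructed. The per-request re-check shown as the hardened variant is a generic mitigation chosen for illustration, not the upstream patch.

```python
# Simplified model of the confused-deputy flow: a proxy authorizes the first
# request, then relays later ones under its own identity.
# All names and the policy below are hypothetical and constructed.

PROXY_IDENTITY = "apiserver"  # identity carried by the proxy's TLS credentials


class Backend:
    """Stands in for a kubelet: it trusts any peer presenting the proxy identity."""

    def handle(self, peer_identity, request):
        if peer_identity != PROXY_IDENTITY:
            return "403 forbidden"
        return f"200 ok: {request}"


class Tunnel:
    """Connection opened by the proxy; the backend never sees the end user."""

    def __init__(self, backend, user, authorize=None):
        self.backend, self.user, self.authorize = backend, user, authorize

    def send(self, request):
        # authorize is None in the flawed flow, so requests pass unchecked.
        if self.authorize and not self.authorize(self.user, request):
            return "403 forbidden"
        return self.backend.handle(PROXY_IDENTITY, request)


class ApiServer:
    def __init__(self, backend, policy, recheck):
        self.backend, self.policy, self.recheck = backend, policy, recheck

    def allowed(self, user, request):
        return request in self.policy.get(user, set())

    def connect(self, user, first_request):
        if not self.allowed(user, first_request):
            return None
        return Tunnel(self.backend, user, self.allowed if self.recheck else None)


def run(recheck):
    policy = {"alice": {"get pod-a logs"}}  # constructed policy
    api = ApiServer(Backend(), policy, recheck)
    tunnel = api.connect("alice", "get pod-a logs")
    requests = ("get pod-a logs", "list all pods", "exec in pod-b")
    return [tunnel.send(r) for r in requests]
```

With `recheck=False` the backend answers all three requests because it only ever sees the proxy's identity; with `recheck=True` the two requests outside the user's policy are refused before they reach the backend.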