This is a security vulnerability of the
kube-apiserver component. An attacker can intercept certain upgrade requests sent to the node
kubelet, and forward the request to other target nodes through the original access credentials in the request that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.
kube-apiserver allows the request to be propagated back to the source client in the proxied upgrade request, the attacker can intercept certain upgrade requests sent to the node
kubelet, and then use the original access credentials in the request to forward requests to other target nodes, resulting in a privilege escalation vulnerability on the attacked node.
This vulnerability is rated as medium-risk with a
CVSS score of 6.4. If multiple clusters share the same
CA and authentication credentials, an attacker can use this vulnerability to attack other clusters. In this case, it is a high-risk vulnerability.
For cross-node attacks in the cluster, it is recommended that you take the following preventative measures:
- Timely revoke
kubeconfigcredentials that may cause leakage potentially, and follow the least principle of minimum permissions to converge unnecessary
proxyresource models with the
Fixed by official
Fixed by KLTS
- v1.15.12-lts.1 kubernetes/kubernetes#92971
- v1.14.10-lts.1 kubernetes/kubernetes#92971
- v1.13.12-lts.1 TODO
- v1.12.10-lts.1 TODO
- v1.11.10-lts.1 TODO
- v1.10.13-lts.1 TODO
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.