Improper k8s permission configuration

Question

Improper k8s permission configuration

sparkEchooo opened this issue 4 months ago · comments

Summary

The ack-kruise-game in ACK gave excessive authority when defining Service Account named "kruise-game-controller-manager". Besides, this Service Account is mounted in a pod named "kruise-game-controller-manager-675bb6974d-4m6d7", witch makes it possible for attackers to raise rights to administrators.

Detailed Analysis

The clusterrole named "kruise-game-manager-role" defines the "create" verb of "pods, statefulsets, mutatingwebhookconfiguration". And this clusterrole is bound to the Service Account named "kruise-game-controller-manager".

# Attacking Strategy
If a malicious user controls a specific worker node which has the Pod mentioned above , or steals the Service Account token mentioned above. He/She can raise permissions to administrator level and control the whole cluster.
For example,

With the "create" verb of "pods, statefulsets", attacker can elevate privileges by creating a pod to mount and steal any Service Account he/she want.
With the "update" verb of "mutatingconfiguration, validatingconfiguration", attacker can elevate privileges by updating MutatingWebhookConfigurations to listen and modify any resource and event in the cluster.

Mitigation Discussion

Developer could use the rolebinding instead of the clusterrolebinding to restrict permissions to namespace.
Developer could delete the "create" verb of "pods, statefulsets, mutatingwebhookconfiguration" in clusterrole mentioned above.

# A few questions

Is it a real issue in ack-kruise-game?
If it's a real issue, can ack-kruise-game mitigate the risks following my suggestions discussed in the "mitigation discussion"?
If it's a real issue, does ack-kruise-game plan to fix this issue?

ChrisLiu · Answer 1 · Tue Mar 19 2024 19:56:27 GMT+0800 (China Standard Time)

Actually, kruise-game & kruise controller manager indeed need create verb, whose permissions are already restrict. If you use multi-tenant Kubernetes clusters, it is necessary to consider cluster security. I recommend avoiding user YAML being deployed directly in the cluster. It is a better way that checking if those YAMLs use service accounts with high permissions before deployment.

ChrisLiu · Answer 2 · Tue Mar 19 2024 20:00:01 GMT+0800 (China Standard Time)

By the way, you can join the DingDing Group 44862615, to communicate with ours (including OKG maintainers, and Game Developers)

Xavier L · Answer 3 · Tue Mar 19 2024 20:04:00 GMT+0800 (China Standard Time)

Hi @chrisliu1995 ,
Thank you for your reply!

Did Kruise need to create pods in another namespace? If not, maybe we could use rolebinding to further restrict this permission.

Thanks again.

ChrisLiu · Answer 4 · Tue Mar 19 2024 20:11:53 GMT+0800 (China Standard Time)

You know, kruise can not decide which namespace the user deploy applications in. If user deploy GameServerSet in x-namespace, kruise & kruise game controller manager have to create asts & pods in x-namespace. In fact, it is cluster-scope action.

Xavier L · Answer 5 · Tue Mar 19 2024 20:15:25 GMT+0800 (China Standard Time)

Well, Thank you for your patient explanation!

Xavier L · Answer 6 · Sat Apr 27 2024 10:05:37 GMT+0800 (China Standard Time)

I apologize for bothering you again, but I just wanted to confirm once more if kruise-game necessarily requires the update permission for the mutatingwebhookconfiguration resource. It seems that once the mutatingwebhookconfiguration resource is set up during the application installation, it typically does not need to be updated.
:)