Gardener Security Announcement - CVE-2018-1002105 - relevance for Gardener community installations

Thormaehlen, Frederik

Dec 11, 2018, 3:59:28 AM
to gard...@googlegroups.com
With the Gardener Setup Scripts [1], you create a Garden cluster based on Kubernetes v1.9. You don't find a patch for v1.9 to mitigate CVE-2018-1002105 [2]. The Gardener Security Team has analyzed CVE-2018-1002105 with respect to these Garden clusters and wants to share the results.
 
In the Kubernetes issue #71411 [3] it is stated with respect to CVE-2018-1002105: "Mitigation for the authorized pod exec/attach/portforward -> kubelet API escalation: Remove pod exec/attach/portforward permissions from users that should not have full access to the kubelet API"
 
Upon setup of a Garden cluster created with the Gardener Setup Scripts, a kubeconfig is generated with full cluster admin privileges and put into the gen/assets/auth directory. It is recommended to protect this kubeconfig with means appropriate for your environment. This kubeconfig is purely meant for administrative purposes and not for end users' daily work. For daily work, additional kubeconfig files can be generated through the Gardener Dashboard with the following functionality in the "Members" section: "Add service accounts to your project. Adding service accounts to your project allows you to automate processes in your project. Service accounts have full access to all resources within your project." Those service account configurations are restricted via RBAC and only have permissions that allow modifying Gardener resources like shoot cluster resources. With these kubeconfigs one cannot list pods. This implicitly forbids "exec/attach/portforward". When following the recommendations above, we consider your running Garden clusters which have been created with the Gardener Setup Scripts not to be vulnerable, at least with respect to CVE-2018-1002105.
 
Frederik Thormaehlen (on behalf of the Gardener Security Team)
 
PS: If you find a security vulnerability in Gardener, please report it following the Gardener security disclosure process [4] which is appropriate for your finding.
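The mitigation quoted from the Kubernetes issue comes down to one RBAC question per subject: does any bound role grant `create` on the pod subresources `pods/exec`, `pods/attach` or `pods/portforward`? On a live cluster that is `kubectl auth can-i create pods/exec --as=<subject>`; the script below, added here as an illustration and not part of the announcement or of Gardener's own code, answers the same question offline for a set of RBAC rules using Kubernetes' matching semantics (`*` wildcards, `*/<subresource>` patterns, `resourceNames`). The three roles in `SAMPLE_ROLES` are constructed for the example and are not Gardener's real role definitions; the API group `gardener.example` is a placeholder.

```python
"""Offline audit of Kubernetes RBAC rules for the CVE-2018-1002105 mitigation.

Added example, not Gardener project code. The sample roles are constructed;
the API group "gardener.example" is a placeholder, not a real group.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    """One entry of a Role/ClusterRole 'rules' list."""
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)  # empty = any name


# The requests the Kubernetes issue recommends removing from users who should
# not have full access to the kubelet API (core API group is the empty string).
ESCALATION_REQUESTS = [
    ("", "pods/exec", "create"),
    ("", "pods/attach", "create"),
    ("", "pods/portforward", "create"),
]


def _group_matches(rule: Rule, group: str) -> bool:
    return "*" in rule.api_groups or group in rule.api_groups


def _resource_matches(rule: Rule, resource: str) -> bool:
    # Kubernetes matches "pods/exec" against "*", "pods/exec" or "*/exec".
    if "*" in rule.resources or resource in rule.resources:
        return True
    if "/" in resource:
        _, sub = resource.split("/", 1)
        return f"*/{sub}" in rule.resources
    return False


def _verb_matches(rule: Rule, verb: str) -> bool:
    return "*" in rule.verbs or verb in rule.verbs


def allows(rules: List[Rule], group: str, resource: str, verb: str,
           name: Optional[str] = None) -> bool:
    """True if any rule permits the request (RBAC is purely additive)."""
    for r in rules:
        if not (_group_matches(r, group) and _resource_matches(r, resource)
                and _verb_matches(r, verb)):
            continue
        if r.resource_names and name not in r.resource_names:
            continue
        return True
    return False


def audit(roles: Dict[str, List[Rule]]) -> Dict[str, List[str]]:
    """Per role, the escalation-relevant subresources it grants (empty = clean)."""
    return {
        role: [res for (grp, res, verb) in ESCALATION_REQUESTS
               if allows(rules, grp, res, verb)]
        for role, rules in roles.items()
    }


# Constructed sample roles (not Gardener's real definitions):
SAMPLE_ROLES = {
    # Only touches Gardener-style resources; no pod access at all.
    "project-member": [
        Rule(["gardener.example"], ["shoots"],
             ["get", "list", "watch", "create", "update", "patch", "delete"]),
        Rule([""], ["secrets"], ["get", "list"]),
    ],
    # The full-admin kubeconfig from gen/assets/auth behaves like this.
    "cluster-admin": [Rule(["*"], ["*"], ["*"])],
    # Looks harmless (read-only on pods) but also grants exec.
    "pod-operator": [
        Rule([""], ["pods"], ["get", "list"]),
        Rule([""], ["pods/exec"], ["create"]),
    ],
}

if __name__ == "__main__":
    for role, hits in audit(SAMPLE_ROLES).items():
        status = "OK" if not hits else "REVIEW: grants " + ", ".join(hits)
        print(f"{role:15s} {status}")
```

The audit checks the subresources directly rather than inferring from `list pods`, because a role can grant `create` on `pods/exec` without any read access to pods; in practice, feed it the rules of every Role and ClusterRole bound to the service accounts handed out through the Dashboard.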
 
 
 