This repository has been archived by the owner on Oct 17, 2024. It is now read-only.

A potential risk of operator makes a worker node get the token of any Service Account #361

Closed
sparkEchooo opened this issue Nov 16, 2023 · 10 comments · Fixed by open-cluster-management-io/ocm#325

Comments

@sparkEchooo

The Deployment named "cluster-manager" uses a ServiceAccount with the same name ("cluster-manager"). This ServiceAccount is bound to a ClusterRole also named "cluster-manager," which includes the permission to create Pod resources.

Therefore, if this Deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and steal any SA's token by creating and mounting the target SA, and even control the whole cluster.

@sparkEchooo
Author

Klusterlet has the same problem, even more serious.
(getSecrets, createSecrets)
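The two reports above come down to one RBAC question: which ServiceAccounts, reachable from a worker node, hold cluster-wide permissions that can be turned into other accounts' tokens (pod creation, reading or creating Secrets, issuing TokenRequests). The following audit is an added example written for this thread; it is not code from the issue or from the OCM project, and the ClusterRole/ClusterRoleBinding objects it runs over are constructed samples shaped like `kubectl get clusterroles,clusterrolebindings -o json` items (the `example-ns` namespace is a placeholder, not the project's real namespace).

```python
"""Audit ClusterRoles bound to ServiceAccounts for token-theft-enabling verbs.

Added example for the cluster-manager / Klusterlet RBAC reports; not project code.
Input objects mimic Kubernetes API JSON; the samples at the bottom are constructed.
"""
from typing import Dict, List

# (apiGroup, resource, verb) triples that let a holder obtain other SAs' tokens.
# Kept as a tuple (not a set) so findings come out in a stable order.
RISKY = (
    ("", "pods", "create"),                    # can mount any SA the binding reaches
    ("", "secrets", "get"),                    # can read SA token Secrets
    ("", "secrets", "list"),
    ("", "secrets", "create"),                 # can create token Secrets for an SA
    ("", "serviceaccounts/token", "create"),   # TokenRequest API
)


def _grants(rule: Dict, group: str, resource: str, verb: str) -> bool:
    """True if a single RBAC rule covers the triple, honouring '*' wildcards."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (
        ("*" in groups or group in groups)
        and ("*" in resources or resource in resources)
        and ("*" in verbs or verb in verbs)
    )


def risky_rules(role: Dict) -> List[Dict]:
    """Return each risky triple a ClusterRole grants, tagged with the role name."""
    name = role["metadata"]["name"]
    findings = []
    for group, resource, verb in RISKY:
        if any(_grants(rule, group, resource, verb) for rule in role.get("rules", [])):
            findings.append({"role": name, "apiGroup": group,
                             "resource": resource, "verb": verb})
    return findings


def audit(cluster_roles: List[Dict], bindings: List[Dict]) -> Dict[str, List[Dict]]:
    """Map 'namespace/serviceaccount' -> risky grants it holds via ClusterRoleBindings.

    Only ClusterRoleBindings are considered: those make the grant cluster-wide,
    which is what turns a single node compromise into a cluster compromise.
    """
    roles_by_name = {r["metadata"]["name"]: r for r in cluster_roles}
    report: Dict[str, List[Dict]] = {}
    for binding in bindings:
        ref = binding.get("roleRef", {})
        role = roles_by_name.get(ref.get("name")) if ref.get("kind") == "ClusterRole" else None
        if role is None:
            continue
        findings = risky_rules(role)
        if not findings:
            continue
        for subject in binding.get("subjects", []):
            if subject.get("kind") != "ServiceAccount":
                continue
            key = f"{subject.get('namespace', '')}/{subject['name']}"
            report.setdefault(key, []).extend(findings)
    return report


# Constructed sample objects (placeholder namespace, not the project's manifests).
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "cluster-manager"}, "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "get", "list"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
    ]},
    {"metadata": {"name": "pod-reader"}, "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
    ]},
]
SAMPLE_BINDINGS = [
    {"metadata": {"name": "cluster-manager"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-manager"},
     "subjects": [{"kind": "ServiceAccount", "name": "cluster-manager",
                   "namespace": "example-ns"}]},
    {"metadata": {"name": "pod-reader"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "reader", "namespace": "example-ns"}]},
]

if __name__ == "__main__":
    for sa, grants in audit(SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS).items():
        for g in grants:
            print(f"{sa}: ClusterRole {g['role']} grants {g['verb']} on {g['resource']}")
```

On a live cluster the same functions can be fed the `items` arrays from the two `kubectl ... -o json` calls. A flagged ServiceAccount is a candidate for narrowing: replace the ClusterRoleBinding with namespaced RoleBindings, drop `create` on pods where only reads are needed, or keep the Secret verbs off any component whose pods can land on untrusted worker nodes.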

@qiujian16
Member

Thanks for the report. The code has been moved to https://github.com/open-cluster-management-io/ocm

@sparkEchooo
Author

sparkEchooo commented Nov 30, 2023

Thanks for your reply!
The fix is effective.
By the way, if it's a real issue and has been fixed, can I get a CVE number? :)
Looking forward to your reply!

@qiujian16
Member

cc @mikeshng

@dhaiducek
Member

cc @pshickeydev

@sparkEchooo
Author

Knock knock! Are there any updates? Looking forward to your reply! @pshickeydev @mikeshng

@pshickeydev

Hi @sparkEchooo, thanks for bringing this to our attention! We're taking a look at this and will let you know what our assessment is. Once again, thank you for your report and I hope to get back to you soon!

@sparkEchooo
Author

sparkEchooo commented Dec 22, 2023

Hi @pshickeydev
I apologize for any inconvenience. How is the progress coming along? Looking forward to your reply!

@sparkEchooo
Author

Hi there, how's the progress going?
Could I know the result?
:)
