QID 980122
QID 980122: Go (go) Security Update for github.com/fluxcd/kustomize-controller (GHSA-35rf-v2jv-gfg7)
Users that can create Kubernetes Secrets, Service Accounts and Flux Kustomization objects could execute commands inside the kustomize-controller container by embedding a shell script in a Kubernetes Secret. This can be used to run `kubectl` commands under the Service Account of kustomize-controller, allowing an authenticated Kubernetes user to gain cluster admin privileges.
Multitenant environments where non-admin users have permissions to create Flux Kustomization objects are affected by this issue.
Solution
This vulnerability was fixed in kustomize-controller v0.15.0 (included in flux2 v0.18.0), released on 2021-10-08. Starting with v0.15, the kustomize-controller no longer executes shell commands on the container OS, and the `kubectl` binary has been removed from the container image.
Workaround:
To prevent the creation of Kubernetes Service Accounts with `secrets` in namespaces owned by tenants, a Kubernetes validation webhook such as Gatekeeper OPA or Kyverno can be used.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-sa
spec:
  validationFailureAction: enforce
  background: false
  rules:
    - name: validate-sa
      match:
        resources:
          kinds:
            - ServiceAccount
          namespaces:
            - tenant1
            - tenant2
        subjects:
          - kind: User
            name: "[email protected]"
          - kind: User
            name: "[email protected]"
          - kind: ServiceAccount
            name: kustomize-controller
            namespace: flux-system
          - kind: ServiceAccount
            name: helm-controller
            namespace: flux-system
      validate:
        message: "Invalid service account"
        pattern:
          X(secrets): "*?"
```
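The advisory names Gatekeeper OPA as an alternative to Kyverno but only shows the Kyverno policy. The ConstraintTemplate and Constraint below are an added example, not part of the advisory or of the Flux project, expressing the same rule for Gatekeeper: reject any ServiceAccount that carries a `secrets` list in the tenant namespaces. The template, constraint and namespace names are assumptions; unlike the Kyverno policy, this version applies to every requester in those namespaces rather than only the listed subjects.

```yaml
# Added example (not from the advisory): Gatekeeper equivalent of the Kyverno
# restrict-sa policy. Names are illustrative.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sdenysecretsonserviceaccount
spec:
  crd:
    spec:
      names:
        kind: K8sDenySecretsOnServiceAccount
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenysecretsonserviceaccount

        # Fires only when the admitted object is a ServiceAccount whose
        # .secrets list exists and is non-empty; an absent list leaves
        # input.review.object.secrets undefined, so the rule does not match.
        violation[{"msg": msg}] {
          input.review.kind.kind == "ServiceAccount"
          count(input.review.object.secrets) > 0
          msg := sprintf("ServiceAccount %v/%v must not reference secrets",
            [input.review.object.metadata.namespace,
             input.review.object.metadata.name])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenySecretsOnServiceAccount
metadata:
  name: deny-sa-secrets-in-tenant-namespaces
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["ServiceAccount"]
    # Scope to tenant namespaces so flux-system and admin namespaces are untouched.
    namespaces:
      - tenant1
      - tenant2
```

Like the Kyverno policy, this only acts at admission time; ServiceAccounts that already exist in the tenant namespaces are not re-evaluated unless Gatekeeper audit is enabled.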
Vendor References
- GHSA-35rf-v2jv-gfg7 - github.com/advisories/GHSA-35rf-v2jv-gfg7
CVEs related to QID 980122
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-35rf-v2jv-gfg7 | github.com/fluxcd/kustomize-controller | | github.com/advisories/GHSA-35rf-v2jv-gfg7 |