The Kubernetes community has disclosed the security vulnerability CVE-2021-25740, which allows an attacker to use a confused-deputy pattern to reach cluster services they would otherwise be unable to access. This article describes the impact and affected scope of the vulnerability, along with detection methods and mitigations.

CVE-2021-25740 is rated as a low-severity vulnerability, with a CVSS score of 3.0.

Affected scope

All current Kubernetes cluster versions are affected by this vulnerability. For details, see #103675.

Impact

If an attacker has permission to create or edit Endpoints or EndpointSlices, they can use the Kubernetes API to change the addresses that an Endpoints object points to. The attacker may then be able to use the Service's LoadBalancer ingress to reach backend IP addresses that should not be reachable. In addition, if the target NetworkPolicy already trusts the LoadBalancer ingress, NetworkPolicy cannot be used to prevent a Service from being exposed across namespaces.

Detection

Services that do not specify a selector and rely on custom Endpoints are susceptible to this vulnerability. Run the following command to manually review the selectors of all Services in the cluster:

kubectl get svc --all-namespaces -o=custom-columns='NAME:metadata.name,NAMESPACE:metadata.namespace,SELECTOR:spec.selector'

Note: the default/kubernetes Service has no selector but has its own Endpoints. Those Endpoints are managed by the API server, and this is expected.

Mitigation

No fixed version is available for this vulnerability yet; it can only be mitigated by restricting the vulnerable functionality. To reduce risk, run the following commands to update the system:aggregate-to-edit role so that write access to Endpoints and EndpointSlices is restricted, which removes write access to Endpoints from the admin and edit roles.

# Allow kubectl auth reconcile to work
kubectl annotate --overwrite clusterrole/system:aggregate-to-edit rbac.authorization.kubernetes.io/autoupdate=true

# Test reconcile, then run for real if happy
kubectl auth reconcile --remove-extra-permissions -f aggregate_to_edit_no_endpoints.yaml.txt --dry-run
kubectl auth reconcile --remove-extra-permissions -f aggregate_to_edit_no_endpoints.yaml.txt

# Prevent autoreconciliation back to old state
kubectl annotate --overwrite clusterrole/system:aggregate-to-edit rbac.authorization.kubernetes.io/autoupdate=false

A sample of the aggregate_to_edit_no_endpoints.yaml.txt file referenced in the commands above:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: null
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update

With the steps above, you prevent newer Kubernetes versions from modifying the default permissions of the system:aggregate-to-edit role. No new default permissions have been added to this role since Kubernetes v1.14.0. Once Kubernetes fixes this vulnerability, however, you should remove the autoupdate=false annotation yourself.

For users whose workloads genuinely require permission to edit Endpoints or EndpointSlices, create a new role that grants exactly the permissions needed and use it solely for that workload.
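To confirm that the reconciled system:aggregate-to-edit role no longer grants Endpoints or EndpointSlices write access, and to find any other roles that still do, the following added example (not part of the original article or of Kubernetes itself) scans the JSON returned by kubectl get clusterroles,roles --all-namespaces -o json for rules granting write verbs on those resources, including wildcard rules. The SAMPLE input is constructed for illustration, not real cluster output.

```python
import json

# Verbs that let a subject change an Endpoints/EndpointSlices object.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}

# (apiGroup, resource) pairs relevant to CVE-2021-25740; a tuple keeps
# the order of findings deterministic.
TARGETS = (("", "endpoints"), ("discovery.k8s.io", "endpointslices"))


def _matches(values, wanted):
    """True if an RBAC rule field (apiGroups/resources) covers `wanted`."""
    return "*" in values or wanted in values


def endpoint_write_grants(roles):
    """Return [(role, apiGroup, resource, sorted verbs)] for every rule that
    grants a write verb on Endpoints or EndpointSlices.  `roles` is the parsed
    JSON of `kubectl get clusterroles,roles --all-namespaces -o json`."""
    findings = []
    for role in roles.get("items", []):
        name = role["metadata"]["name"]
        for rule in role.get("rules") or []:   # rules may be null in JSON
            groups = rule.get("apiGroups", [])
            resources = rule.get("resources", [])
            hits = set(rule.get("verbs", [])) & WRITE_VERBS
            if not hits:
                continue
            for group, resource in TARGETS:
                if _matches(groups, group) and _matches(resources, resource):
                    findings.append((name, group, resource, sorted(hits)))
    return findings


# Constructed sample: the aggregate-to-edit role after the mitigation above,
# a namespaced role that still edits EndpointSlices, and a wildcard role.
SAMPLE = json.loads("""{
 "apiVersion": "v1", "kind": "List", "items": [
  {"kind":"ClusterRole","metadata":{"name":"system:aggregate-to-edit"},
   "rules":[{"apiGroups":[""],"resources":["services","configmaps"],
             "verbs":["create","delete","patch","update"]}]},
  {"kind":"Role","metadata":{"name":"endpoints-editor","namespace":"app"},
   "rules":[{"apiGroups":["discovery.k8s.io"],"resources":["endpointslices"],
             "verbs":["get","list","patch","update"]}]},
  {"kind":"ClusterRole","metadata":{"name":"cluster-admin"},
   "rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]}
 ]}""")

if __name__ == "__main__":
    for name, group, resource, verbs in endpoint_write_grants(SAMPLE):
        print(f"{name}: {group or 'core'}/{resource} {','.join(verbs)}")
```

Roles such as cluster-admin are expected to appear; the findings to act on are custom or aggregated roles that grant this access to ordinary users.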

A similar attack is possible where an Ingress is used and it supports forwarding traffic to ExternalName Services. In that scenario an attacker can likewise forward traffic across namespaces and reach the contents of sensitive Endpoints. If you use the Ingress API, check whether your Ingress implementation supports forwarding to ExternalName Services; if it does not, you are not affected. If it does, disable that feature for now.