Privilege escalation through Kubernetes dashboard


67 points | by knoxa2511 9 days ago


  • pm90 9 days ago

    Its been known for quite sometime to not expose the dashboard. GKE explicitly disables it by default. TESLA's in-house cluster was pwned because their dashboard was publicly accessible etc.

    • erikb 9 days ago

      It's also not the first dashboard with this situation.

      phpMyAdmin or what it's called, back in the days of LAMP stacks that was deployed almost everywhere without much security around. Not sure if it also had sql injection bugs etc, but just the low amount of security considerations most people gave this direct access to the database was probably enough to hack into most servers of that time.

      • eicnix 9 days ago

        GKE provides it's own dashboard integrated into the GCP console so there is no need for the standard Kubernetes dashboard.

        • andrewstuart2 9 days ago

          Either don't expose the dashboard, or explicitly give it a service account with zero access. I think it should be well-known by now that anything you run in-cluster gets a builtin service account token, defaulting to the default service account for that namespace.

          • sieabahlpark 9 days ago

            You'd be surprised a lot of things are overlooked with the premise of shipping faster.

            Don't worry about security, we need to ship.

            • GauntletWizard 9 days ago

              I ran my k8s dashboard behind a ClusterIP service - You could get to it through the kube-proxy, but you already had to be auth'd to the cluster, first. This was fine for a cluster small enough that any user already had admin, though we did worry a little bit that someone would compromise a pod, scan for a bit, and escalate through the dashboard.

          • zaroth 8 days ago

            Hard to call this “privilege escalation” if I’m reading this correctly?

            It’s like a firewall default policy of ALLOW and complaining that packets are getting through.

            There was a literal “Skip” button on the login page and the default account was granted permission to read certificate private keys. Did I get that right?

            • omeid2 9 days ago

              I am not surprised, in the general sense that someone has found a security bug in a large and complex piece of software. This is basically another good example of why your control plane should be only accessible through a vpn/bastion.