unknown

A security researcher discovered an authorization bypass in Kubernetes RBAC where the commonly granted `nodes/proxy GET` permission unexpectedly allows remote code execution in any Pod across a cluster. The vulnerability stems from the Kubelet making authorization decisions based on the initial WebSocket handshake's HTTP GET request rather than verifying CREATE permissions for command execution operations. When accessed via WebSocket connections, the `/exec` endpoint bypasses proper authorization checks, allowing write operations with read-only permissions. The Kubernetes Security Team closed the report as "working as intended," recommending KEP-2862 (fine-grained Kubelet authorization) as the architectural solution, though this doesn't fix the underlying bug. The issue affects 69 identified Helm charts including major monitoring tools like Prometheus, Grafana, Datadog, and Elastic Agent. Commands executed through direct Kubelet API connections are not logged by Kubernetes AuditPolicy, making detection difficult.

Kubernetes Remote Code Execution Via Nodes

A visionary tech squad that brings ideas to life from zero to 100, pioneering in DevOps and developer-centric architectures with technical excellence!

📬 Join our mailing list! → theinfinity.dev