Hi everyone,
I ran into the article Kubernetes Pod Escape Using Log Mounts [1]. From my point of view, OpenShift is NOT affected. Because: you cannot create a HostPath "mount" without cluster-admin privileges or access to the SCC hostaccess or hostmount-anyuid. Imagine you are able to start a Pod with a hostPath to /var/log: you are not able to create any symlink because of SELinux:
root@escaper:~/exploit# ls /var/log/host/
ls: cannot open directory '/var/log/host/': Permission denied
Even though the Pod runs with anyuid / root ;-)
cat <<EOF | oc create --as=system:admin -f -
apiVersion: v1
kind: PersistentVolume
metadata:
  creationTimestamp: null
  name: hostpath-var-log
spec:
  accessModes:
  - ReadWriteOnce
  - ReadWriteMany
  capacity:
    storage: 100Mi
  hostPath:
    path: /var/log
  persistentVolumeReclaimPolicy: Retain
EOF
cat <<EOF | oc create -f -
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: hostpath
spec:
  accessModes: [ "ReadWriteMany" ]
  resources:
    requests:
      storage: 100Mi
EOF
oc create sa anyuid
oc adm policy add-scc-to-user anyuid -z anyuid --as=system:admin
cat <<EOF | oc create -f -
apiVersion: v1
kind: Pod
metadata:
  name: escaper
spec:
  serviceAccount: anyuid
  serviceAccountName: anyuid
  containers:
  - name: escaper
    image: danielsagi/kube-pod-escape
    volumeMounts:
    - name: hostpath
      mountPath: /var/log/host
  volumes:
  - name: hostpath
    persistentVolumeClaim:
      claimName: hostpath
  restartPolicy: Never
EOF
$ oc rsh escaper bash
root@escaper:~/exploit# lsh /proc
[-] Cannot run exploit, no permissions to access /logs on the kubelet
root@escaper:~/exploit# ls /var/log/host/
ls: cannot open directory '/var/log/host/': Permission denied
root@escaper:~/exploit#
[1] https://blog.aquasec.com/kubernetes-security-pod-escape-log-mounts
Many thanks and regards // Best regards Robert Bohne
SR. SPECIALIST SOLUTION ARCHITECT | OPENSHIFT Red Hat GmbH robert.bohne@redhat.com M: +49-160-8452809 Twitter: @RobertBohne
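The post shows the two ways /var/log can reach a pod on OpenShift: an SCC that permits hostPath directly (hostaccess, hostmount-anyuid), or a cluster-admin-created PersistentVolume backed by hostPath that an ordinary SCC such as anyuid can still consume through a PVC, leaving SELinux as the last line of defence. The following audit script is an added example, not part of the original mail; it walks a constructed `oc get scc,pv -o json`-style list (real SCC field names allowHostDirVolumePlugin, volumes, users, groups; sample names and namespaces are made up) and reports both exposure paths.

```python
import json

# Constructed sample in the shape of `oc get scc,pv -o json`; not real cluster data.
SAMPLE = json.dumps({"items": [
    {"kind": "SecurityContextConstraints", "metadata": {"name": "restricted"},
     "allowHostDirVolumePlugin": False,
     "volumes": ["configMap", "emptyDir", "persistentVolumeClaim", "secret"],
     "users": [], "groups": ["system:authenticated"]},
    {"kind": "SecurityContextConstraints", "metadata": {"name": "anyuid"},
     "allowHostDirVolumePlugin": False,
     "volumes": ["configMap", "emptyDir", "persistentVolumeClaim", "secret"],
     "users": ["system:serviceaccount:myproject:anyuid"], "groups": []},
    {"kind": "SecurityContextConstraints", "metadata": {"name": "hostmount-anyuid"},
     "allowHostDirVolumePlugin": True,
     "volumes": ["hostPath", "persistentVolumeClaim", "secret"],
     "users": ["system:serviceaccount:openshift-infra:pv-recycler-controller"], "groups": []},
    {"kind": "PersistentVolume", "metadata": {"name": "hostpath-var-log"},
     "spec": {"hostPath": {"path": "/var/log"},
              "claimRef": {"namespace": "myproject", "name": "hostpath"}}},
    {"kind": "PersistentVolume", "metadata": {"name": "nfs-data"},
     "spec": {"nfs": {"server": "nfs.example", "path": "/export"}}},
]})


def scc_allows_hostpath(scc):
    """True if the SCC lets pods mount host directories directly."""
    vols = scc.get("volumes", [])
    return bool(scc.get("allowHostDirVolumePlugin")) or "hostPath" in vols or "*" in vols


def audit(raw):
    """Return (sccs, pvs): SCCs permitting hostPath with their bound subjects,
    and hostPath-backed PVs with host path and bound claim (namespace/name or None)."""
    sccs, pvs = [], []
    for item in json.loads(raw)["items"]:
        name = item["metadata"]["name"]
        if item["kind"] == "SecurityContextConstraints" and scc_allows_hostpath(item):
            sccs.append((name, item.get("users", []) + item.get("groups", [])))
        elif item["kind"] == "PersistentVolume" and "hostPath" in item.get("spec", {}):
            claim = item["spec"].get("claimRef")
            bound = f"{claim['namespace']}/{claim['name']}" if claim else None
            pvs.append((name, item["spec"]["hostPath"]["path"], bound))
    return sccs, pvs


if __name__ == "__main__":
    sccs, pvs = audit(SAMPLE)
    for name, subjects in sccs:
        print(f"SCC {name} permits hostPath; bound to: {subjects or '(nobody)'}")
    for name, path, bound in pvs:
        print(f"PV {name} exposes host path {path}; claimed by: {bound or '(unbound)'}")
```

On a real cluster, feed it `oc get scc,pv -o json` (cluster-admin needed) and review every reported SCC subject and PV claim, since the anyuid SCC in the sample never appears yet its namespace can still reach /var/log through the PVC.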