Description
CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N - Low (2.7)
A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account's secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.
Am I vulnerable?
A cluster is affected only if all of the following hold:
- The ServiceAccount admission plugin is used. Most clusters have it enabled by default, as recommended in https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#serviceaccount
- The kubernetes.io/enforce-mountable-secrets annotation is used by a service account. This annotation is not added by default.
- Pods use containers, init containers, or ephemeral containers with the envFrom field populated.
Affected Versions
kube-apiserver v1.29.0 - v1.29.3
kube-apiserver v1.28.0 - v1.28.8
kube-apiserver <= v1.27.12
How do I mitigate this vulnerability?
This issue can be mitigated by applying the patch provided for the kube-apiserver component. The patch prevents containers, init containers, and ephemeral containers with the envFrom field populated from bypassing the mountable secrets policy enforced by the ServiceAccount admission plugin.
Outside of applying the provided patch, there are no known mitigations to this vulnerability.
Fixed Versions
- kube-apiserver master - fixed by Add envFrom to serviceaccount admission plugin #124322
- kube-apiserver v1.29.4 - fixed by Automated cherry pick of #124322: Add envFrom to serviceaccount admission plugin #124325
- kube-apiserver v1.28.9 - fixed by Automated cherry pick of #124322: Add envFrom to serviceaccount admission plugin #124326
- kube-apiserver v1.27.13 - fixed by Automated cherry pick of #124322: Add envFrom to serviceaccount admission plugin #124327
To upgrade, refer to the documentation:
https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/
Detection
Pod update requests using a container, init container, or ephemeral container with the envFrom field populated that exploit this vulnerability by referencing an unintended secret will be captured in API audit logs. You can also use the following kubectl command to find service accounts that carry the kubernetes.io/enforce-mountable-secrets annotation; pods running under those service accounts are the ones to review.
kubectl get serviceaccounts --all-namespaces -o jsonpath="{range .items[?(@.metadata.annotations['kubernetes\.io/enforce-mountable-secrets']=='true')]}{.metadata.namespace}{'\t'}{.metadata.name}{'\n'}{end}"
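As an added illustration (not code from the advisory or from the Kubernetes project), the script below reproduces the check a patched ServiceAccount admission plugin performs, run over constructed kubectl-style JSON: it collects every secret a pod spec references, including the envFrom.secretRef entries the affected versions ignored, and flags those missing from the enforcing service account's secrets list. The object names, namespaces and location labels are assumptions.

```python
import json

ANNOTATION = "kubernetes.io/enforce-mountable-secrets"
# Constructed sample objects shaped like `kubectl get sa/pod -o json` output (assumed names).
SERVICE_ACCOUNT = json.loads("""{
  "metadata": {"name": "app", "namespace": "prod",
               "annotations": {"kubernetes.io/enforce-mountable-secrets": "true"}},
  "secrets": [{"name": "app-token"}]
}""")

POD = json.loads("""{
  "metadata": {"name": "web", "namespace": "prod"},
  "spec": {
    "serviceAccountName": "app",
    "volumes": [{"name": "tok", "secret": {"secretName": "app-token"}}],
    "containers": [{"name": "web", "image": "example/web",
      "env": [{"name": "K", "valueFrom": {"secretKeyRef": {"name": "app-token", "key": "k"}}}],
      "envFrom": [{"secretRef": {"name": "db-creds"}}]}],
    "initContainers": [{"name": "init", "envFrom": [{"configMapRef": {"name": "cfg"}}]}],
    "ephemeralContainers": [{"name": "debug", "envFrom": [{"secretRef": {"name": "admin-creds"}}]}]
  }
}""")

def referenced_secrets(spec):
    """Return (location, secret name) for every Secret the pod spec references."""
    refs = []
    for i, vol in enumerate(spec.get("volumes", [])):
        name = vol.get("secret", {}).get("secretName")
        if name:
            refs.append((f"volumes[{i}]", name))
    for kind in ("containers", "initContainers", "ephemeralContainers"):
        for c in spec.get(kind, []):
            for j, env in enumerate(c.get("env", [])):
                name = env.get("valueFrom", {}).get("secretKeyRef", {}).get("name")
                if name:
                    refs.append((f"{kind}/{c['name']}.env[{j}]", name))
            # envFrom.secretRef is the reference the unpatched plugin did not check.
            for j, src in enumerate(c.get("envFrom", [])):
                name = src.get("secretRef", {}).get("name")
                if name:
                    refs.append((f"{kind}/{c['name']}.envFrom[{j}]", name))
    return refs

def unmountable_secrets(pod, sa):
    """Secrets the pod references that the enforcing service account does not list."""
    if sa["metadata"].get("annotations", {}).get(ANNOTATION) != "true":
        return []  # annotation absent: the policy is not enforced for this account
    allowed = {s["name"] for s in sa.get("secrets", [])}
    return [(loc, n) for loc, n in referenced_secrets(pod["spec"]) if n not in allowed]
```

Fed the JSON from `kubectl get sa,pods -A -o json`, the same functions list the running pods a patched API server would have rejected.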
If you find evidence that this vulnerability has been exploited, please contact [email protected]
Acknowledgements
This vulnerability was reported by tha3e1vl.
The issue was fixed and coordinated by the fix team:
Rita Zhang @ritazh
Joel Smith @joelsmith
Mo Khan @enj
and release managers:
Sascha Grunert @saschagrunert
Jeremy Rickard @jeremyrickard
/triage accepted
/lifecycle frozen
/area security
/kind bug
/committee security-response