A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.
Am I vulnerable?
A cluster is affected only if all of the following hold:
The ServiceAccount admission plugin is used. Most clusters should have this on by default, as recommended in https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#serviceaccount
The kubernetes.io/enforce-mountable-secrets annotation is used by a service account. This annotation is not added by default.
Pods use containers, init containers, or ephemeral containers with the envFrom field populated.
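The following is an added audit example, not Kubernetes project code: it re-implements the mountable-secrets check over pod and service account objects (plain dicts shaped like the API objects) and includes the envFrom path that affected kube-apiserver versions skipped, so an administrator can find pods already admitted that reference secrets outside the service account's secrets list. It assumes the annotation value "true" means enforced, and the sample objects are constructed.

```python
ENFORCE_ANNOTATION = "kubernetes.io/enforce-mountable-secrets"


def allowed_secrets(service_account):
    """Secret names listed in the service account's .secrets field."""
    return {s["name"] for s in service_account.get("secrets", [])}


def referenced_secrets(pod_spec):
    """Yield (location, secret_name) for secret references in a pod spec:
    secret volumes, env secretKeyRef, and envFrom secretRef across
    containers, initContainers and ephemeralContainers."""
    for v in pod_spec.get("volumes", []):
        if "secret" in v:
            yield f"volume/{v['name']}", v["secret"]["secretName"]
    for field in ("containers", "initContainers", "ephemeralContainers"):
        for c in pod_spec.get(field, []):
            for e in c.get("env", []):
                ref = e.get("valueFrom", {}).get("secretKeyRef")
                if ref:
                    yield f"{field}/{c['name']}/env/{e['name']}", ref["name"]
            # envFrom is the path affected kube-apiserver versions did not check
            for ef in c.get("envFrom", []):
                if "secretRef" in ef:
                    yield f"{field}/{c['name']}/envFrom", ef["secretRef"]["name"]


def policy_violations(service_account, pod_spec):
    """References the mountable-secrets policy should reject. Returns []
    when the annotation is absent or not "true" (assumed: not enforced)."""
    annotations = service_account.get("metadata", {}).get("annotations", {})
    if annotations.get(ENFORCE_ANNOTATION) != "true":
        return []
    allowed = allowed_secrets(service_account)
    return [(loc, name) for loc, name in referenced_secrets(pod_spec)
            if name not in allowed]


# Constructed sample objects (not from a real cluster): the service account
# permits only "app-token"; the pod also loads "db-creds" through envFrom.
SAMPLE_SA = {
    "metadata": {"name": "app", "annotations": {ENFORCE_ANNOTATION: "true"}},
    "secrets": [{"name": "app-token"}],
}
SAMPLE_POD_SPEC = {
    "serviceAccountName": "app",
    "containers": [{"name": "web", "image": "example/web",
                    "envFrom": [{"secretRef": {"name": "db-creds"}}]}],
    "volumes": [{"name": "tok", "secret": {"secretName": "app-token"}}],
}
```

Running policy_violations over every pod spec and its service account in a namespace lists the envFrom references that a fixed kube-apiserver would have rejected at admission.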
CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N - Low (2.7)
Affected Versions
kube-apiserver v1.29.0 - v1.29.3
kube-apiserver v1.28.0 - v1.28.8
kube-apiserver <= v1.27.12
AKS Information: This CVE is being fixed by the AKS team in the AKS v20240411 release. No action is needed on the AKS customer side.