iptizer opened 10 months ago
This is just a crazy misconfiguration. Is your cluster missing Pod Security Standards "restricted" for all namespaces?
@iptizer, as @juliusvonkohout mentioned, the above happens because right now there is no component (i.e. Kyverno, Pod Security Standards) for restricting privileges across all namespaces.
We are actively looking into natively supporting this in Charmed Kubeflow and ensuring it works as expected with the rest of the Juju ecosystem.
@iptizer Here you can track the progress: https://github.com/kubeflow/manifests/issues/2528 and here is the official proposal: https://github.com/kubeflow/manifests/pull/2527
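A defender-side check for the gap this comment describes, as an added example that is not code from the issue or from the Kubeflow project: it assumes JSON in the shape `kubectl get ns -o json` and `kubectl get pod -o json` emit (constructed samples are embedded), lists the namespaces that do not enforce the Pod Security Standards `restricted` profile, and flags the pod settings that profile rejects.

```python
"""Audit helper (added example, not code from the issue or from Kubeflow):
list namespaces that do not enforce the Pod Security Standards 'restricted'
profile, and flag pod specs that the profile would reject. Input dicts mirror
the JSON from `kubectl get ns -o json` and `kubectl get pod <name> -o json`."""
ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"
HOST_NAMESPACE_KEYS = ("hostPID", "hostIPC", "hostNetwork")

def namespaces_without_restricted(ns_list: dict) -> list:
    """Names of namespaces whose enforce label is missing or not 'restricted'."""
    missing = []
    for ns in ns_list.get("items", []):
        labels = ns.get("metadata", {}).get("labels") or {}
        if labels.get(ENFORCE_LABEL) != "restricted":
            missing.append(ns["metadata"]["name"])
    return sorted(missing)

def restricted_violations(pod: dict) -> list:
    """Subset of the 'restricted' profile checks that matter for node escape:
    host namespaces, hostPath volumes, privileged containers, runAsNonRoot."""
    spec = pod.get("spec", {})
    found = [k for k in HOST_NAMESPACE_KEYS if spec.get(k)]
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            found.append("hostPath:" + str(vol["hostPath"].get("path")))
    pod_sc = spec.get("securityContext") or {}
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            found.append("privileged:" + c["name"])
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            found.append("runAsNonRoot-unset:" + c["name"])
    return found

# Constructed sample input: only one of two namespaces is labelled restricted.
SAMPLE_NAMESPACES = {"items": [
    {"metadata": {"name": "kubeflow-user-example-com", "labels": {}}},
    {"metadata": {"name": "team-a", "labels": {ENFORCE_LABEL: "restricted"}}},
]}
# Constructed sample input: a pod spec the restricted profile would reject.
SAMPLE_POD = {"spec": {
    "hostPID": True,
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    "containers": [{"name": "nb", "image": "example/notebook",
                    "securityContext": {"privileged": True}}],
}}

if __name__ == "__main__":
    print("namespaces not enforcing restricted:", namespaces_without_restricted(SAMPLE_NAMESPACES))
    print("pod violations:", restricted_violations(SAMPLE_POD))
```

Run it against real cluster output by loading the two `kubectl ... -o json` documents with `json.load` and passing them to the two functions.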
Bug Description
While using the Canonical Kubeflow distribution we discovered a major security incident.
It is possible to escape to the worker node with just one command. With this command, root privileges on the worker node are gained and may be used to hook into other users' pods or access data of other users.
To Reproduce
root on node is granted.
Environment
Should not matter, but as follows:
Relevant Log Output
Additional Context
No response