weaveworks / scope

Monitoring, visualisation & management for Docker & Kubernetes
https://www.weave.works/oss/scope/
Apache License 2.0

There are no access restrictions when accessing weave-app by default #3913

Closed younaman closed 1 year ago

younaman commented 1 year ago

What you expected to happen?

The weave app should add access restrictions when a user accesses the weave app dashboard UI.

What happened?

Weave app is a dashboard UI that helps to manage the Kubernetes cluster, however, there are no access restrictions when accessing the weave app dashboard by default. Thus, without a proper weave-scope network policy, a malicious container can access the weave app dashboard inside a Kubernetes cluster, and delete any workloads in the whole cluster.

How to reproduce it?

  1. Install the weave app following the official guide:

     kubectl apply -f https://github.com/weaveworks/scope/releases/download/v1.13.2/k8s-scope.yaml

  2. Install any web browser inside a malicious pod, and access the weave app dashboard.
  3. A malicious pod can access the weave app dashboard UI by default, and it can leverage the dashboard UI to delete any workloads inside the whole cluster.

Anything else we need to know?

Kubernetes v1.24.2, installed by kubeadm. A three-node cluster, each node with Ubuntu 20.04 LTS.

Versions:

$ scope version
$ docker version
$ uname -a
$ kubectl version

Logs:

$ docker logs weavescope

or, if using Kubernetes:

$ kubectl logs <weave-scope-pod> -n <namespace>

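The report above points at the missing piece: the dashboard is unauthenticated, so the only thing standing between an arbitrary pod and the app's delete controls is network reachability. The following NetworkPolicy is an added example (not part of the issue, the project, or the linked manifest) of the network-level restriction the reporter asks for. It assumes the `weave` namespace and the `weave-scope-component: app` pod label from the v1.13.2 `k8s-scope.yaml`, that the agent DaemonSet in that manifest runs with `hostNetwork: true` (so probe traffic arrives from node IPs), and uses a placeholder node CIDR and an operator-chosen namespace label; verify the labels with `kubectl get pods -n weave --show-labels` before applying.

```yaml
# Added example (not from the issue or the Weave Scope project): restrict
# ingress to the Weave Scope app (dashboard) pods so that arbitrary workloads
# in the cluster can no longer reach the unauthenticated UI on port 4040.
# Namespace and labels are assumed from the v1.13.2 k8s-scope.yaml manifest;
# confirm them with:  kubectl get pods -n weave --show-labels
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: weave-scope-app-restrict-ingress
  namespace: weave
spec:
  # Apply only to the dashboard/app pods. Once any ingress rule exists for a
  # selected pod, every source not listed below is denied.
  podSelector:
    matchLabels:
      weave-scope-component: app
  policyTypes:
    - Ingress
  ingress:
    # 1. Probe reports and kubectl port-forward traffic both originate from
    #    node IPs: the agent DaemonSet runs with hostNetwork (assumed from the
    #    manifest) and port-forward is proxied by the kubelet. Without this
    #    rule the topology view goes blank. Replace the CIDR with the real
    #    node network of the cluster.
    - from:
        - ipBlock:
            cidr: 10.0.0.0/24   # PLACEHOLDER: your node CIDR
      ports:
        - protocol: TCP
          port: 4040
    # 2. In-cluster operator access only from namespaces that carry this
    #    operator-chosen label (assumption), e.g. a namespace hosting an
    #    authenticating reverse proxy in front of the UI. A "malicious pod"
    #    in any other namespace is denied.
    - from:
        - namespaceSelector:
            matchLabels:
              scope-ui-access: "true"
      ports:
        - protocol: TCP
          port: 4040
```

Apply it with `kubectl apply -f <file>` after installing Scope. Two caveats: NetworkPolicy is only enforced by a CNI that implements it (a cluster without such a CNI silently ignores the object, so check reachability from a test pod after applying), and this closes the network path without adding authentication to the dashboard itself, so operator access should still go through `kubectl port-forward` or an authenticating proxy rather than a cluster-wide Service exposure.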
younaman commented 1 year ago

Hello? Are there any updates or comments? Looking forward to your reply!