What you expected to happen?
The weave app should add access restrictions when a user accesses the weave app dashboard UI.
What happened?
Weave app is a dashboard UI that helps to manage the Kubernetes cluster; however, there are no access restrictions when accessing the weave app dashboard by default. Thus, without a proper weave-scope network policy, a malicious container can access the weave app dashboard inside a Kubernetes cluster and delete any workloads in the whole cluster.
How to reproduce it?
Install the weave app following the official guide:
kubectl apply -f https://github.com/weaveworks/scope/releases/download/v1.13.2/k8s-scope.yaml
Install any web browser inside a malicious pod, and access the weave app dashboard.
A malicious pod can access the weave app dashboard UI by default, and it can leverage the dashboard UI to delete any workloads inside the whole cluster.
Anything else we need to know?
Kubernetes v1.24.2, installed by kubeadm. A three-node cluster, each node with Ubuntu 20.04 LTS.
Versions:
$ scope version
$ docker version
$ uname -a
$ kubectl version
Logs:
or, if using Kubernetes:
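The mitigation the report alludes to ("a proper weave-scope network policy") can be expressed as a Kubernetes NetworkPolicy that denies ingress to the Scope app pod from everything except the Scope agents. The manifest below is an added example written for this page; it is not part of the report and not shipped by the Scope project. It assumes the labels and namespace used by the upstream k8s-scope.yaml manifest (namespace weave, app pod labelled weave-scope-component=app, agent pods labelled weave-scope-component=agent, app listening on TCP 4040) and an assumed node subnet of 10.0.0.0/24; check all of these against your cluster before applying.

```yaml
# Added example (not from the issue or the Scope project): restrict who can
# reach the Weave Scope app pod.
# Assumptions, to verify with `kubectl get pods -n weave --show-labels`:
#   - namespace:  weave
#   - app pod:    weave-scope-component=app, listening on TCP 4040
#   - agent pods: weave-scope-component=agent
#   - node subnet (assumed): 10.0.0.0/24
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: weave-scope-app-restrict-ingress
  namespace: weave
spec:
  # Selecting the app pod with an Ingress policy type makes every ingress
  # not listed below denied, including any pod in any other namespace.
  podSelector:
    matchLabels:
      weave-scope-component: app
  policyTypes:
    - Ingress
  ingress:
    # The Scope agents (probes) must still report to the app.
    - from:
        # Matches agents if the CNI treats them as ordinary pods.
        - podSelector:
            matchLabels:
              weave-scope-component: agent
        # The upstream agent DaemonSet runs with hostNetwork, so on most
        # CNIs its traffic appears to come from the node IP rather than a
        # pod IP and only an ipBlock rule matches it. Replace the CIDR
        # with your real node subnet (assumed value here).
        - ipBlock:
            cidr: 10.0.0.0/24
      ports:
        - protocol: TCP
          port: 4040
```

Two caveats before relying on this. First, a NetworkPolicy is only enforced when the cluster's CNI implements it (Weave Net, Calico and Cilium do; a kubeadm cluster with a CNI that does not will accept the object and silently enforce nothing), so confirm it with a test: from a pod in another namespace, `curl -m 5 http://weave-scope-app.weave.svc/` should now time out, while `kubectl port-forward -n weave deploy/weave-scope-app 4040` still works for operators because that traffic is injected by the kubelet on the node rather than by a pod. Second, the policy is a network control only: the app pod keeps whatever RBAC its service account was granted, so anyone who can still reach the UI retains the cluster-wide delete capability the report describes.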