Vulnerability Information
Vulnerability Title
Karmada PULL Mode Cluster Privilege Escalation
Vulnerability Description
Karmada is a Kubernetes management system that lets users run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, PULL mode clusters registered with the `karmadactl register` command are granted excessive permissions on control plane resources. By abusing these permissions, an attacker who can authenticate to a Karmada control plane as the karmada-agent of one member cluster can obtain administrative privileges over the entire federation, including all registered member clusters. Since Karmada v1.12.0, `karmadactl register` restricts the permissions a pull mode member cluster receives on control plane resources, so an attacker authenticating as a karmada-agent can no longer control other member clusters. As a workaround on earlier versions, restrict the pull mode member cluster's access to control plane resources by hand, following the Karmada Component Permissions docs. Because the restriction is applied by `karmadactl register` at registration time, also review the bindings of clusters that were registered with earlier versions rather than relying on the control plane upgrade alone.
CVSS Information
N/A
Vulnerability Type
Incorrect Privilege Assignment
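The description above turns on one question: what can the identity a pull mode agent authenticates with do on the control plane? The following added example (not Karmada's own code or manifests) shows how to audit a ClusterRole for the kind of over-broad grant described, and how to check, request by request, that a role scoped to a single member cluster still allows the agent to manage its own Cluster object but not another cluster's. The two roles below are constructed for illustration; the `cluster.karmada.io`/`clusters` names mirror Karmada's Cluster API but the exact resource list an agent needs is an assumption here, and the authoritative list is the Karmada Component Permissions docs.

```python
"""Audit Kubernetes RBAC rules for grants broader than a per-cluster agent needs.

Added example, not Karmada's real RBAC. Works on the dict structure that
`kubectl get clusterrole <name> -o json` returns, so it runs offline on the
constructed roles below and on a real dump alike.
"""
from typing import Dict, Iterable, List, Optional

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

# Constructed: a wildcard grant of the kind the advisory calls "excessive".
# Anything bound to this role can act on every control plane resource,
# including other member clusters' objects and credential-bearing secrets.
BROAD_ROLE: Dict = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-agent-broad"},  # hypothetical name
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}


def scoped_role(cluster_name: str) -> Dict:
    """Constructed: the same agent limited to its own member cluster.

    Kubernetes RBAC cannot restrict list/watch by resourceNames, so the
    read-only rule stays unnamed; every write is pinned to this cluster's
    objects. The secret name is a hypothetical convention for this example.
    """
    return {
        "kind": "ClusterRole",
        "metadata": {"name": f"example-agent-{cluster_name}"},
        "rules": [
            {"apiGroups": ["cluster.karmada.io"], "resources": ["clusters"],
             "verbs": ["get", "list", "watch"]},
            {"apiGroups": ["cluster.karmada.io"],
             "resources": ["clusters", "clusters/status"],
             "resourceNames": [cluster_name],
             "verbs": ["get", "update", "patch"]},
            {"apiGroups": [""], "resources": ["secrets"],
             "resourceNames": [f"{cluster_name}-agent-credentials"],
             "verbs": ["get"]},
        ],
    }


def audit(role: Dict, named_only: Iterable[str] = ("clusters",)) -> List[str]:
    """Return findings for rules broader than a single-cluster agent should hold.

    named_only lists resources on which write verbs are acceptable only when
    pinned with resourceNames (by default the Cluster objects themselves).
    """
    findings: List[str] = []
    named_only = set(named_only)
    for i, rule in enumerate(role.get("rules", [])):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        for field, values in (("apiGroups", groups), ("resources", resources), ("verbs", verbs)):
            if "*" in values:
                findings.append(f"rule {i}: wildcard in {field}")
        if rule.get("resourceNames"):
            continue  # already pinned to specific objects
        if "secrets" in resources or "*" in resources:
            findings.append(f"rule {i}: unrestricted access to secrets")
        writes = bool(WRITE_VERBS & set(verbs)) or "*" in verbs
        targets = named_only & set(resources) or ("*" in resources and named_only)
        if writes and targets:
            findings.append(f"rule {i}: write access to {sorted(targets)} without resourceNames")
    return findings


def _match(values: List[str], wanted: str) -> bool:
    return "*" in values or wanted in values


def allows(role: Dict, group: str, resource: str, verb: str,
           name: Optional[str] = None) -> bool:
    """Evaluate one request against the role the way the RBAC authorizer does:
    a rule with resourceNames only matches a request that carries one of them."""
    for rule in role.get("rules", []):
        if not (_match(rule.get("apiGroups", []), group)
                and _match(rule.get("resources", []), resource)
                and _match(rule.get("verbs", []), verb)):
            continue
        names = rule.get("resourceNames")
        if names and name not in names:
            continue
        return True
    return False


if __name__ == "__main__":
    for role in (BROAD_ROLE, scoped_role("member1")):
        print(role["metadata"]["name"], audit(role) or ["no findings"])
    # The scoped agent can update its own status but not touch another cluster.
    print(allows(scoped_role("member1"), "cluster.karmada.io", "clusters/status", "update", "member1"))
    print(allows(scoped_role("member1"), "cluster.karmada.io", "clusters", "delete", "member2"))
```

Run `audit` over the ClusterRoles and Roles bound to each agent identity on the control plane; any finding on a rule reachable by a member cluster's credentials is the condition this advisory describes. `allows` is useful for a regression check after applying the workaround: assert that each agent's updates succeed only for its own cluster name.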
Vulnerability Title
Karmada Security Vulnerability
Vulnerability Description
Karmada is an open-source Kubernetes management system from the Karmada project that lets users run cloud-native applications across multiple Kubernetes clusters and clouds. Versions of Karmada prior to 1.12.0 contain a security vulnerability: PULL mode member clusters registered with `karmadactl register` are granted excessive permissions on control plane resources, which lets an attacker authenticating as a member cluster's karmada-agent take control of the whole federation.
CVSS Information
N/A
Vulnerability Type
N/A