[Bug]: A security issue regarding Nuclio #3178
Comments
Hi @sparkEchooo, you may use the latest helm chart with
Hi there, thanks for your reply! Is the issue with nuclio on the GCP marketplace due to an outdated version?
Is it a real issue in Nuclio?
I think it is. Perhaps it takes the default helm chart
Hi @liranbg, thank you for your reply! May I ask whether you plan to update nuclio on GCP Marketplace by submitting a new version? If so, can you give us a moderate CVE or public thanks for awarding our efforts?
Reporter List
Hi there,
Looks like @ganochenkodg maintains the Nuclio chart on GCP - https://github.com/GoogleCloudPlatform/click-to-deploy/tree/master/k8s/nuclio/chart/nuclio @ganochenkodg if possible, please update the chart to allow configuring role and rolebinding instead of clusterrole and clusterrolebinding, according to the
@armandomiani I'm summoning you! Are you still working on GCP marketplace?
Nuclio Version checks
I have checked that this issue has not already been reported.
I have confirmed this bug exists on the latest version of Nuclio.
Issue Description
Summary
The Nuclio in GKE gave excessive authority when defining the Service Account named "nuclio-nuclio-serviceaccountname-3bda". Besides, this Service Account is mounted in a deployment named "nuclio-dashboard", which makes it possible for attackers to raise rights to administrators.
Detailed Analysis
Attacking Strategy
If a malicious user controls a specific worker node that hosts the deployment mentioned above, or steals the Service Account token mentioned above, he/she can raise permissions to administrator level and control the whole cluster.
Mitigation Discussion
A few questions
If it's a real issue, does Nuclio plan to fix this issue?
Expected Behavior
Permission escalation
Deployment Method
Kubernetes
Nuclio Version
GKE marketplace
Additional Information
No response
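The issue describes a service account that is bound cluster-wide to admin-level permissions and mounted into the dashboard pod, and the comments propose scoping it down with a Role and RoleBinding instead of a ClusterRole and ClusterRoleBinding. The script below is an added example for this thread, not code from Nuclio or from the GCP click-to-deploy chart: it audits an RBAC listing of the shape `kubectl get ... -o json` produces and reports every ServiceAccount that a ClusterRoleBinding ties to an admin-equivalent ClusterRole. Every name in the embedded sample (`dashboard-sa-example`, `controller-readonly-example`, and so on) is a constructed placeholder, not a name from the real chart.

```python
"""Audit Kubernetes RBAC for service accounts that hold cluster-wide, admin-level power.

Added example for this thread (not Nuclio's code). The input mirrors a trimmed
`kubectl get ... -o json` listing; every name below is a constructed placeholder.
"""

# Verbs that let a subject grow its own permissions (real RBAC verbs).
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}

# Constructed sample RBAC state: one ServiceAccount bound cluster-wide to
# cluster-admin (the pattern described in the issue), one bound cluster-wide to a
# narrow read-only ClusterRole, and one bound only inside its namespace via a
# Role + RoleBinding (the fix proposed in the comments).
SAMPLE_RBAC = {
    "clusterRoles": [
        {"metadata": {"name": "cluster-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
                   {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
        {"metadata": {"name": "controller-readonly-example"},
         "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                    "verbs": ["get", "list", "watch"]}]},
    ],
    "clusterRoleBindings": [
        {"metadata": {"name": "dashboard-admin-binding-example"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "namespace": "nuclio",
                       "name": "dashboard-sa-example"},
                      {"kind": "User", "name": "ops@example.invalid"}]},
        {"metadata": {"name": "controller-binding-example"},
         "roleRef": {"kind": "ClusterRole", "name": "controller-readonly-example"},
         "subjects": [{"kind": "ServiceAccount", "namespace": "nuclio",
                       "name": "controller-sa-example"}]},
    ],
    "roleBindings": [
        {"metadata": {"name": "dashboard-scoped-binding-example", "namespace": "nuclio"},
         "roleRef": {"kind": "Role", "name": "dashboard-role-example"},
         "subjects": [{"kind": "ServiceAccount", "namespace": "nuclio",
                       "name": "dashboard-scoped-sa-example"}]},
    ],
}


def rule_grants_broad_access(rule):
    """True if one PolicyRule is admin-equivalent: wildcard verbs on wildcard
    resources, or any verb in ESCALATION_VERBS."""
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))
    if "*" in verbs and "*" in resources:
        return True
    return bool(verbs & ESCALATION_VERBS)


def audit_cluster_role_bindings(rbac):
    """One finding per ServiceAccount subject of every ClusterRoleBinding.

    A ClusterRoleBinding grants the referenced ClusterRole in every namespace, so
    each finding is cluster-wide regardless of which node runs the pod. RoleBindings
    are deliberately ignored: they are confined to one namespace, which is why the
    thread recommends Role + RoleBinding for the dashboard's service account.
    """
    cluster_roles = {cr["metadata"]["name"]: cr.get("rules", [])
                     for cr in rbac.get("clusterRoles", [])}
    findings = []
    for crb in rbac.get("clusterRoleBindings", []):
        role_name = crb["roleRef"]["name"]
        rules = cluster_roles.get(role_name, [])
        for subject in crb.get("subjects", []):
            if subject.get("kind") != "ServiceAccount":
                continue  # users and groups are reviewed separately
            findings.append({
                "serviceAccount": f"{subject['namespace']}/{subject['name']}",
                "binding": crb["metadata"]["name"],
                "clusterRole": role_name,
                "broad": any(rule_grants_broad_access(r) for r in rules),
            })
    return findings


def admin_equivalent_service_accounts(rbac):
    """Service accounts whose mounted token is worth cluster-admin if it leaks."""
    return sorted({f["serviceAccount"]
                   for f in audit_cluster_role_bindings(rbac) if f["broad"]})


if __name__ == "__main__":
    for finding in audit_cluster_role_bindings(SAMPLE_RBAC):
        print(finding)
    print("admin-equivalent:", admin_equivalent_service_accounts(SAMPLE_RBAC))
```

On the sample, only `nuclio/dashboard-sa-example` is reported as admin-equivalent; `controller-sa-example` is cluster-wide but read-only, and the namespace-scoped `dashboard-scoped-sa-example` never appears, which is the state the proposed chart change would leave the dashboard in.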