Escape from notebook to node&user=root possible #700
Comments
This is just a crazy misconfiguration. Is your cluster missing pod security standards restricted for all namespaces?
@iptizer as @juliusvonkohout mentioned, the above happens because right now there is no component (i.e. Kyverno, Pod Security Standards) for restricting privileges across all namespaces. We are actively looking at natively supporting this in Charmed Kubeflow and ensuring it works as expected with the rest of the Juju ecosystem.
@iptizer Here you can track the progress kubeflow/manifests#2528 and here is the official proposal kubeflow/manifests#2527
I'm seeing progress in related issues. Can this be closed or completed soon?
Thank you for reporting your feedback to us! The internal ticket has been created: https://warthogs.atlassian.net/browse/KF-6085.
In kubeflow/manifests/contrib/security/PSS you can see our WIP Pod Security Standards: https://github.com/kubeflow/manifests/blob/1c464be6f5e13fbd4ed51406f74919e61619a018/example/kustomization.yaml#L94
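As an added example (not from the issue thread or the Charmed Kubeflow project), the namespace labels that turn on the restricted Pod Security Standard through Kubernetes' built-in Pod Security Admission controller (GA since Kubernetes 1.25), beside a notebook-style pod spec that satisfies that profile; the namespace name and image are placeholders:

```yaml
# Added example, not from the issue or Charmed Kubeflow: enforce the
# "restricted" Pod Security Standard on a user namespace so the API server
# rejects pods that request privileged mode, host namespaces or hostPath.
apiVersion: v1
kind: Namespace
metadata:
  name: kubeflow-user-example   # hypothetical profile namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# A notebook-style pod that passes the restricted profile: runs as a non-root
# user, cannot escalate privileges, drops all capabilities and uses the
# runtime default seccomp profile. A spec adding `privileged: true`,
# `hostPID: true` or a `hostPath` volume is rejected at admission.
apiVersion: v1
kind: Pod
metadata:
  name: notebook-example
  namespace: kubeflow-user-example
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: notebook
      image: jupyter/base-notebook:latest   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: workspace
          mountPath: /home/jovyan
  volumes:
    - name: workspace
      emptyDir: {}
```

With the `warn` and `audit` labels set alongside `enforce`, existing non-compliant workloads surface in API warnings and audit logs, which is the usual first step before enforcing across every namespace.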
Bug Description
While using the Canonical Kubeflow distribution we discovered a major security incident.
It is possible to escape to the worker node with just one command. With this command root privileges on the worker node are gained and may be used to hook into other users' pods or access data of other users.
To Reproduce
root on node is granted.
Environment
Should not matter, but as follows:
Relevant Log Output
Additional Context
No response