Introduction

Recently, Akamai’s Tomer Peled announced a security threat to Kubernetes clusters, CVE-2023-5528. A user who can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. With a CVSS score of 7.2, this vulnerability presents a critical risk of full cluster compromise on default Kubernetes clusters before version 1.28.4. 

Assessing Vulnerability Exposure

Organizations employing Kubernetes versions before 1.28.4, particularly those incorporating Windows nodes, are advised to prioritize updates to mitigate this vulnerability. A simple verification method using kubectl can swiftly reveal the presence of susceptible Windows nodes within the cluster, highlighting immediate risk factors.

kubectl get nodes -o wide --show-labels | grep "os=windows"

Mitigation Strategies

While patching to version 1.28.4 or later remains the primary mitigation approach, immediate application is only sometimes feasible. In light of this, implementing a Kyverno rule is a vital interim defense mechanism, albeit not a substitute for eventual system updates.

The Role of Kyverno in Vulnerability Mitigation

Kyverno, a Kubernetes-native policy engine, offers a streamlined and effective solution to preempt potential exploits of CVE-2023-5528. By validating, mutating, and generating configurations based on predefined conditions, Kyverno’s admission control webhook can enforce policies to block the execution of Persistent Volumes containing malicious paths.

Implementing Kyverno Policies

Deploying Kyverno within the cluster is the initial step toward securing your Kubernetes environment against CVE-2023-5528. Following deployment, applying a Kyverno policy effectively prevents using “&” in Persistent Volumes local paths, thereby thwarting potential attacks.

Sample Kyverno Policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-persistentvolume
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: check-persistentvolume
      match:
        any:
        - resources:
            kinds:
              - PersistentVolume
      preconditions:
        all:
        - key: "{{ request.object.spec.local.path || '' | length(@) }}"
          operator: GreaterThan
          value: 0            
      validate:
        cel:
          expressions:
            - expression: "!object.spec.local.path.contains('&')"
              message: "PV's cannot use local path which contains &"

This policy serves not only as a direct countermeasure to CVE-2023-5528 but also exemplifies the broader capabilities of Kyverno in enhancing Kubernetes cluster security through policy enforcement.