Description
Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered with the `karmadactl register` command have excessive privileges to access control plane resources. By abusing these permissions, an attacker able to authenticate as the karmada-agent to a karmada cluster would be able to obtain administrative privileges over the entire federation system including all registered member clusters. Since Karmada v1.12.0, command `karmadactl register` restricts the access permissions of pull mode member clusters to control plane resources. This way, an attacker able to authenticate as the karmada-agent cannot control other member clusters in Karmada. As a workaround, one may restrict the access permissions of pull mode member clusters to control plane resources according to Karmada Component Permissions Docs.
Problem types
CWE-266: Incorrect Privilege Assignment
Product status
References
github.com/...armada/security/advisories/GHSA-mg7w-c9x2-xh7r
github.com/karmada-io/karmada/pull/5793
github.com/...ommit/2c82055c4c7f469411b1ba48c4dba4841df04831
karmada.io/docs/administrator/security/component-permission