Recent cybersecurity research has revealed several significant vulnerabilities affecting Kubernetes services across multiple platforms:
- Microsoft Azure Kubernetes Services (AKS): A flaw was found that could allow attackers with command execution in a pod to access sensitive cluster credentials. By exploiting Azure CNI and Azure Network Policy configurations, attackers could perform a TLS bootstrap attack to access all secrets in the cluster. Microsoft has addressed this issue.
- Ingress-nginx Controller: A high-severity vulnerability (CVE-2024-7646) affects the ingress-nginx controller, allowing attackers to bypass validation checks on annotations, potentially leading to command injection and unauthorized access to cluster secrets.
- Kubernetes git-sync Project: A design flaw allows for command injection and data exfiltration across major Kubernetes services (EKS, AKS, GKE, Linode). This vulnerability stems from inadequate input sanitization, making it crucial for organizations to audit git-sync pods and monitor unusual behaviors.
Overall, these vulnerabilities underscore the importance of robust security practices and regular audits to protect against potential attacks.
