A breaking vulnerability, identified as CVE-2023-5408, has been discovered in the node restriction admission plugin of the Kubernetes API server for OpenShift. This flaw can be exploited by a remote attacker to escalate privileges and gain broader cluster access by modifying the node role label and steering workloads from control plane and etcd nodes onto different worker nodes.

Understanding the Vulnerability

The role of the node restriction admission plugin in the Kubernetes API server is to limit the manipulation of Kubernetes objects by a node to ensure only the kubelet on that node can read or modify them. However, the vulnerability involves a flaw in this plugin that enables a remote attacker to modify node role labels to trigger workload migration to different worker nodes in an OpenShift cluster. Such manipulation results in the attacker gaining access to valuable resources and sensitive information within the cluster.

Exploiting the Vulnerability

To exploit the vulnerability, an attacker impersonates the kubelet by gathering the kubelet's credentials and gaining access to the cluster. Then, they can change the node role label, which leads to unintended migration of workloads from one node to another. The process for exploiting the vulnerability can be done through the following steps:

Code snippet

# Connecting to the Kubernetes API server
KUBECONFIG=/path/to/kubeconfig kubectl cluster-info

# Getting kubelet credentials
KUBECONFIG=/path/to/kubeconfig kubectl get secret <kubelet-secret> -o jsonpath='{.data.token}' | base64 --decode

# Modifying the node role label
KUBECONFIG=/path/to/kubeconfig kubectl label nodes <node-name> kubernetes.io/role=<new-role>

Note: This code snippet is for demonstration purposes only and should not be used maliciously.

Original References

To understand the exploit and take relevant preventive measures, refer to these original sources for more information:

- Kubernetes Official Documentation: Node Restriction
- OpenShift API Server: GitHub Repository
- Detailed Vulnerability Explanation: CVE-2023-5408 detailed description

Ensure you have the latest OpenShift version installed that contains the security patch.

2. Update the --max-mutating-requests-inflight and --max-requests-inflight flags in the Kubernetes API server configuration.
3. Restrict access to the Kubernetes API server, specifically kubelet credentials, to prevent unauthorized access.


Prevention is better than cure – make sure you apply the CVE-2023-5408 patch to your OpenShift installation as soon as possible to avoid falling prey to privilege escalation attacks. Keep a close watch on the official Kubernetes and OpenShift channels for timely updates on security issues. Stay safe out there!


Published on: 11/02/2023 03:15:10 UTC
Last modified on: 01/21/2024 01:48:09 UTC