Kubewarden Admission Policies Vulnerability Allows Manipulation of PolicyReport Resources
Vulnerability
A vulnerability exists in the Kubewarden controller for Kubernetes, affecting versions from 1.7.0 up to but not including 1.21.0. The controller allowed the namespaced policy kinds AdmissionPolicy and AdmissionPolicyGroup to declare rules covering any namespaced resource, including sensitive ones such as PolicyReport, the resource that records non-compliant objects within a namespace. Because these policy kinds are namespaced, a user who is allowed to create them in a namespace (a far weaker privilege than creating a cluster-wide ClusterAdmissionPolicy) could deploy a policy that rejects the creation or update of PolicyReport objects in that namespace, so non-compliant items are never recorded. A mutating AdmissionPolicy could likewise rewrite the contents of PolicyReports as they are created or updated. The root cause is that the controller's validation of a policy's rules did not exclude sensitive resources from the reach of namespaced policies.
Impact
A user who can create AdmissionPolicy or AdmissionPolicyGroup objects in a namespace can suppress or alter the PolicyReport resources for that namespace, hiding non-compliant objects from anyone who relies on those reports for compliance visibility.
Reproduction
To reproduce this vulnerability on an affected controller, create an AdmissionPolicy or AdmissionPolicyGroup in a namespace whose rules cover the 'wgpolicyk8s.io' API group and the 'policyreports' resource for the CREATE and UPDATE operations; a rule that uses the wildcard '*' for the API group or the resource covers PolicyReport as well, without naming it. With a rejecting (non-mutating) policy in place, every attempt to create or update a PolicyReport in that namespace is denied, so non-compliant resources are never reported. With a mutating policy in place, the contents of each PolicyReport can be rewritten on its way into the API server.
Remediation
Upgrade to Kubewarden controller version 1.21.0 or later, where the controller rejects namespaced policies that target PolicyReport resources. For clusters that cannot yet upgrade, a ClusterAdmissionPolicy can be deployed that intercepts the creation and update of AdmissionPolicy and AdmissionPolicyGroup objects and rejects any whose rules cover the 'wgpolicyk8s.io' API group and the 'policyreports' resource. That policy must also reject rules that use the wildcard '*' in apiGroups or resources, since a wildcard rule matches PolicyReport without mentioning it. After applying either fix, confirm it by attempting to create an AdmissionPolicy that targets policyreports in a test namespace and checking that the request is denied.
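The following is an added example, not Kubewarden's own code or the upstream fix. It models both passages above: the Reproduction section's namespaced policy shape (constructed manifests for an AdmissionPolicy naming PolicyReport outright and an AdmissionPolicyGroup reaching it through wildcards) and the Remediation section's check that a guarding ClusterAdmissionPolicy would perform. A real Kubewarden policy is a WebAssembly module; this Python mirrors only the decision logic so it can be run offline. The policy module URLs under example.invalid are hypothetical placeholders, and the manifests are constructed for illustration.

```python
# Added example (not Kubewarden's code): models the namespaced policy shape from the
# Reproduction section and the remediation check from the Remediation section.
# A real Kubewarden policy is a WebAssembly module; this Python mirrors only the
# decision logic so it can be exercised offline.

from typing import Any, Dict, List, Tuple

SENSITIVE_API_GROUP = "wgpolicyk8s.io"   # API group of PolicyReport
SENSITIVE_RESOURCE = "policyreports"     # plural resource name of PolicyReport
NAMESPACED_POLICY_KINDS = {"AdmissionPolicy", "AdmissionPolicyGroup"}

# Constructed manifest: a namespaced AdmissionPolicy that would intercept every
# CREATE/UPDATE of PolicyReport in its namespace. The module URL is hypothetical.
HIDE_REPORTS: Dict[str, Any] = {
    "apiVersion": "policies.kubewarden.io/v1",
    "kind": "AdmissionPolicy",
    "metadata": {"name": "hide-policyreports", "namespace": "team-a"},
    "spec": {
        "module": "registry://example.invalid/always-reject:v0.0.1",  # hypothetical
        "mutating": False,
        "rules": [{
            "apiGroups": [SENSITIVE_API_GROUP],
            "apiVersions": ["*"],
            "resources": [SENSITIVE_RESOURCE],
            "operations": ["CREATE", "UPDATE"],
        }],
    },
}

# Constructed manifest: an AdmissionPolicyGroup whose wildcard rules also cover
# PolicyReport without naming it. Groups keep their rules under spec.rules too.
WILDCARD_GROUP: Dict[str, Any] = {
    "apiVersion": "policies.kubewarden.io/v1",
    "kind": "AdmissionPolicyGroup",
    "metadata": {"name": "catch-all", "namespace": "team-a"},
    "spec": {
        "rules": [{"apiGroups": ["*"], "apiVersions": ["*"],
                   "resources": ["*"], "operations": ["*"]}],
        "policies": {"p": {"module": "registry://example.invalid/always-reject:v0.0.1"}},  # hypothetical
        "expression": "p()",
        "message": "rejected",
    },
}

# Constructed manifest: a benign namespaced policy scoped to Pods in the core group.
PODS_ONLY: Dict[str, Any] = {
    "apiVersion": "policies.kubewarden.io/v1",
    "kind": "AdmissionPolicy",
    "metadata": {"name": "no-privileged-pods", "namespace": "team-a"},
    "spec": {
        "module": "registry://example.invalid/pod-privileged:v0.0.1",  # hypothetical
        "mutating": False,
        "rules": [{"apiGroups": [""], "apiVersions": ["v1"],
                   "resources": ["pods"], "operations": ["CREATE", "UPDATE"]}],
    },
}


def _group_matches(api_groups: List[str]) -> bool:
    # "*" matches every API group, including wgpolicyk8s.io
    return any(g in ("*", SENSITIVE_API_GROUP) for g in api_groups)


def _resource_matches(resources: List[str]) -> bool:
    for r in resources:
        name = r.split("/", 1)[0]  # strip a subresource such as "/status"
        if name in ("*", SENSITIVE_RESOURCE):
            return True
    return False


def rule_targets_policyreports(rule: Dict[str, Any]) -> bool:
    """True if one RuleWithOperations entry lets the policy see PolicyReports.
    Wildcards count: "*" in apiGroups or resources matches PolicyReport as well."""
    return _group_matches(rule.get("apiGroups", [])) and _resource_matches(rule.get("resources", []))


def validate_namespaced_policy(obj: Dict[str, Any]) -> Tuple[bool, str]:
    """Decision a guarding ClusterAdmissionPolicy would return for an incoming
    AdmissionPolicy/AdmissionPolicyGroup object: (accept, message)."""
    kind = obj.get("kind")
    if kind not in NAMESPACED_POLICY_KINDS:
        return True, f"{kind} is not a namespaced Kubewarden policy; not checked"
    rules = obj.get("spec", {}).get("rules", [])
    for idx, rule in enumerate(rules):
        if rule_targets_policyreports(rule):
            name = obj.get("metadata", {}).get("name", "<unnamed>")
            return False, (f"{kind} {name}: spec.rules[{idx}] covers "
                           f"{SENSITIVE_API_GROUP}/{SENSITIVE_RESOURCE} "
                           f"(apiGroups={rule.get('apiGroups')}, resources={rule.get('resources')})")
    return True, "no rule targets PolicyReport"


if __name__ == "__main__":
    for manifest in (HIDE_REPORTS, WILDCARD_GROUP, PODS_ONLY):
        accept, msg = validate_namespaced_policy(manifest)
        print("ACCEPT" if accept else "REJECT", msg)
```

To turn this into the actual mitigation, the guarding ClusterAdmissionPolicy would declare rules for the policies.kubewarden.io API group and the admissionpolicies and admissionpolicygroups resources on CREATE and UPDATE, and its module would apply the same test to the incoming object. The check deliberately treats a wildcard API group or resource as a hit rather than a convenience, which is the caveat the Remediation section calls out; subresource names such as policyreports/status are also caught.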
