Kubernetes NodeRestriction Admission Controller Dynamic Resource Allocation Authorization Bypass Vulnerability

Vulnerability

A vulnerability in the NodeRestriction admission controller allows nodes to bypass authorization checks for dynamic resource allocation. This issue arises when the DynamicResourceAllocation feature gate is enabled. The controller correctly validates resource claim statuses during pod updates but neglects to do so during pod creation. As a result, a compromised node can create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation. Although the kubelet typically prevents these mirror pods from running, an attacker with control over a node could exploit this vulnerability to access sensitive resources.

Impact

Exploitation of this vulnerability could allow a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.

Remediation

To mitigate this vulnerability, turn off the DynamicResourceAllocation feature gate on the API server if the feature is not actively in use. Clusters that use this feature together with static pods may be vulnerable.
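Because the missing check is on pod creation rather than pod update, a defender can look for the specific shape of the problem in API server audit logs: a pod CREATE issued by a node identity (system:node:...) whose request body already references ResourceClaims. The following is an added detection example, not code from the Kubernetes project; it assumes audit events in the standard audit.k8s.io JSON form logged at RequestResponse level for pods, uses the real `kubernetes.io/config.mirror` annotation to recognise mirror pods, and runs over constructed sample events.

```python
import json

NODE_PREFIX = "system:node:"
MIRROR_ANNOTATION = "kubernetes.io/config.mirror"


def claim_refs(pod):
    """Names of ResourceClaims the pod references in spec and status."""
    spec = pod.get("spec", {}).get("resourceClaims") or []
    status = pod.get("status", {}).get("resourceClaimStatuses") or []
    names = [c.get("resourceClaimName") or c.get("resourceClaimTemplateName") for c in spec]
    names += [c.get("resourceClaimName") for c in status]
    return sorted({n for n in names if n})


def find_node_pod_creates_with_claims(audit_lines):
    """One record per pod CREATE by a node identity that references ResourceClaims.
    Pod UPDATEs are ignored: the controller already validates claim status there."""
    hits = []
    for line in audit_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        user = ev.get("user", {}).get("username", "")
        if ev.get("verb") != "create" or ref.get("resource") != "pods" or not user.startswith(NODE_PREFIX):
            continue
        pod = ev.get("requestObject")
        if not pod:  # request body is only present at audit level RequestResponse
            continue
        claims = claim_refs(pod)
        if claims:
            ann = pod.get("metadata", {}).get("annotations", {})
            hits.append({"node": user[len(NODE_PREFIX):],
                         "pod": f"{ref.get('namespace')}/{ref.get('name')}",
                         "mirror": MIRROR_ANNOTATION in ann, "claims": claims})
    return hits


# Constructed sample audit events (not captured from a real cluster).
SAMPLE_AUDIT = [
    json.dumps({"verb": "create", "user": {"username": "system:node:worker-1"},
                "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "static-a"},
                "requestObject": {"metadata": {"annotations": {MIRROR_ANNOTATION: "x"}}, "spec": {}}}),
    json.dumps({"verb": "create", "user": {"username": "system:node:worker-2"},
                "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "static-b"},
                "requestObject": {"metadata": {"annotations": {MIRROR_ANNOTATION: "y"}}, "spec": {},
                                  "status": {"resourceClaimStatuses": [{"name": "gpu", "resourceClaimName": "team-x-gpu"}]}}}),
    json.dumps({"verb": "create", "user": {"username": "alice"}, "objectRef": {"resource": "pods", "namespace": "team-x", "name": "job"},
                "requestObject": {"spec": {"resourceClaims": [{"name": "gpu", "resourceClaimName": "team-x-gpu"}]}}}),
]
```

Only the second event is reported: a node creating a mirror pod that already carries a resource claim status, which is the pattern the patched controller rejects.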

Added: Jun 23, 2025, 4:19 PM
Updated: Jun 23, 2025, 4:19 PM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 5.0
exploitability: 4.4
remediation: 7.9
relevance: 0.2
threat: 0.0
urgency: 5.7
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.