Kyverno Authorization Bypass Vulnerability in Policy apiCall Context

Vulnerability

A critical authorization boundary bypass vulnerability has been identified in Kyverno, a policy engine for cloud-native platforms. The issue affects versions up to and including 1.16.2 and 1.15.2. It allows an authenticated user who is permitted to create namespaced Policies to cause Kubernetes API requests to be issued with the identity of Kyverno's admission controller ServiceAccount. Because those requests are authorized by the ServiceAccount's RBAC rather than the user's, any API path that RBAC permits can be reached, which breaks namespace isolation. The root cause is the variable substitution feature in the urlPath of the apiCall context, which lets the path be built dynamically and is not restricted to the Policy's own namespace. Possible outcomes include unauthorized access to resources such as ConfigMaps and Secrets and the creation of ClusterPolicies.

Impact

Exploitation of this vulnerability allows for cross-namespace data access and manipulation, bypassing standard Kubernetes RBAC controls. It could lead to unauthorized reading of sensitive information from other namespaces or the cluster level, and unauthorized modifications or creations of resources, such as ClusterPolicies, which can have wide-ranging effects across the cluster.

Reproduction

To reproduce this vulnerability, create a namespaced Policy that includes an apiCall context entry. Because the urlPath is not validated against the Policy's namespace, it can be crafted to point at resources in a different namespace or at cluster-scoped resources. Once the Policy is applied, the Kyverno admission controller executes the API call with its own ServiceAccount, so the targeted resources are read or modified with that ServiceAccount's permissions.

Remediation

Users should update to Kyverno version 1.16.3 or 1.15.3, which include patches for this vulnerability. After updating, review existing Policies for apiCall context entries whose urlPath leaves the Policy's namespace, and adjust any that relied on the previous behaviour so that they comply with the new namespace restrictions.
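The review step above can be partly automated. The following is an added example (not Kyverno's code and not part of this advisory) that audits a namespaced Policy object, represented as a Python dict in Kubernetes JSON form, and flags apiCall urlPath values that are cluster-scoped, name a different namespace, or contain variable substitution and so cannot be checked statically. The path layout it assumes is the standard Kubernetes REST layout; the sample Policy is constructed for the example.

```python
import re

# Namespace segment of a core or group API path:
#   /api/v1/namespaces/<ns>/...   or   /apis/<group>/<version>/namespaces/<ns>/...
_NS_PATH = re.compile(r"^/(?:api|apis/[^/]+)/[^/]+/namespaces/([^/]+)(?:/|$)")
# Kyverno-style variable substitution, e.g. {{request.object.metadata.name}}
_SUBST = re.compile(r"\{\{.*?\}\}")


def classify_url_path(url_path: str, policy_namespace: str) -> str:
    """Return 'ok', 'variable', 'cross-namespace' or 'cluster-scoped'."""
    if _SUBST.search(url_path):
        # The final path is only known at admission time; flag for review.
        return "variable"
    match = _NS_PATH.match(url_path)
    if match is None:
        return "cluster-scoped"
    if match.group(1) != policy_namespace:
        return "cross-namespace"
    return "ok"


def audit_policy(policy: dict) -> list:
    """Return (rule, context, urlPath, finding) tuples for a namespaced Policy.

    ClusterPolicies are cluster-wide by design and are skipped here.
    """
    if policy.get("kind") != "Policy":
        return []
    ns = policy["metadata"]["namespace"]
    findings = []
    for rule in policy.get("spec", {}).get("rules", []):
        for ctx in rule.get("context", []):
            url_path = ctx.get("apiCall", {}).get("urlPath")
            if url_path is None:
                continue  # not an apiCall context entry
            verdict = classify_url_path(url_path, ns)
            if verdict != "ok":
                findings.append((rule["name"], ctx["name"], url_path, verdict))
    return findings


# Constructed sample Policy (not from any real cluster): one entry stays inside
# the Policy's namespace, the other three should be flagged.
SAMPLE_POLICY = {
    "apiVersion": "kyverno.io/v1", "kind": "Policy",
    "metadata": {"name": "example", "namespace": "team-a"},
    "spec": {"rules": [{"name": "check", "context": [
        {"name": "own-cm", "apiCall": {"urlPath": "/api/v1/namespaces/team-a/configmaps"}},
        {"name": "other-ns", "apiCall": {"urlPath": "/api/v1/namespaces/other-team/configmaps"}},
        {"name": "dynamic", "apiCall": {"urlPath": "/api/v1/namespaces/{{request.namespace}}/secrets"}},
        {"name": "cluster", "apiCall": {"urlPath": "/apis/kyverno.io/v1/clusterpolicies"}},
    ]}]},
}
```

Running `audit_policy` over every Policy returned by the API server (for example from `kubectl get policies -A -o json`) gives a list of entries to examine before and after the upgrade.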

Added: Jan 27, 2026, 5:42 PM
Updated: Jan 27, 2026, 5:42 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 1.7
exploitability: 5.8
remediation: 7.7
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.