Argo Workflows WorkflowTemplate Security Bypass Vulnerability via podSpecPatch

A vulnerability exists in Argo Workflows versions 2.9.0 prior to 4.0.2 and 3.7.11, allowing users to bypass security settings in WorkflowTemplates. By including a podSpecPatch field in Workflow submissions, users can override security configurations, even when the controller is set to templateReferencing: Strict. This mode is intended to limit users to admin-approved templates. The vulnerability arises because the podSpecPatch field takes precedence during specification merging and is applied to the pod specification at creation without any security validation. Exploitation could lead to unauthorized access to Kubernetes node resources, including full root access, by manipulating container security settings and accessing the host filesystem.

Impact

Exploitation of this vulnerability allows users to gain full root access to the underlying Kubernetes node, disregarding any security measures implemented in the WorkflowTemplate. This access is achieved by exploiting the podSpecPatch field to override security settings, such as running containers as root, enabling privileged mode, mounting the host filesystem, sharing host namespaces, and adding all Linux capabilities.

Reproduction

To reproduce this vulnerability, first create a Kubernetes cluster and install Argo Workflows. Once Argo Workflows is installed, enable 'templateReferencing: Strict' mode in the workflow controller's configmap. After verifying that Strict mode is active, create a WorkflowTemplate with restrictive security settings. Submit a Workflow that references this template without modification to establish a baseline. Finally, submit a Workflow that includes a podSpecPatch overriding the security settings, and observe the exploitation by checking the Workflow logs for evidence of bypassed security measures.

Remediation

Users can update to Argo Workflows versions 4.0.2 or 3.7.11, where this vulnerability is patched. Alternatively, when using 'templateReferencing: Strict' or 'Secure', the Argo Workflows controller should reject Workflows that include a podSpecPatch field. Without the code fix, deploy an admission controller with policies that block dangerous pod settings on Argo Workflows-created pods.