Kyverno Cross-Namespace Privilege Escalation Vulnerability in ConfigMap Context Loader

Vulnerability

A vulnerability in Kyverno's ConfigMap context loader allows for cross-namespace privilege escalation by failing to validate the namespace field, enabling a namespace admin to read ConfigMaps from any namespace using Kyverno's privileged service account. This issue, present in versions through 1.17.0, bypasses role-based access control (RBAC) in multi-tenant Kubernetes clusters, where namespace isolation is crucial for security.

Impact

Exploitation of this vulnerability allows a namespace admin to access any ConfigMap from any namespace, potentially exfiltrating sensitive data such as database credentials, API keys, and other application secrets stored in ConfigMaps. This behavior violates the principle of least privilege and disrupts multi-tenancy guarantees in Kubernetes.

Reproduction

To reproduce this vulnerability, create a Kyverno Policy in a namespace whose 'configMap.namespace' field references a ConfigMap in a different namespace. Once the policy is applied, Kyverno reads that ConfigMap using its own service account, even though the policy author has no permission to read it, demonstrating the RBAC bypass.
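A defender-side audit for the pattern just described, added here as an example and not part of the original advisory: it scans the JSON that `kubectl get policy -A -o json` returns (a constructed sample is embedded) for namespaced Policy objects whose context entries point at a ConfigMap in another namespace. It assumes Kyverno's Policy schema, where context entries live at spec.rules[].context[].configMap; the namespace, policy and ConfigMap names in the sample are made up.

```python
import json

# Constructed sample of `kubectl get policy -A -o json` output (names,
# namespaces and ConfigMap names are made up; the field layout follows
# Kyverno's namespaced Policy schema: spec.rules[].context[].configMap).
SAMPLE_POLICY_LIST = json.dumps({"kind": "List", "items": [
    {"apiVersion": "kyverno.io/v1", "kind": "Policy",
     "metadata": {"name": "tenant-a-policy", "namespace": "tenant-a"},
     "spec": {"rules": [{
         "name": "load-config",
         "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
         "context": [
             # Same-namespace reference: what a namespace admin may read anyway.
             {"name": "ownCfg", "configMap": {"name": "settings", "namespace": "tenant-a"}},
             # Cross-namespace reference: the pattern this advisory describes.
             {"name": "foreignCfg", "configMap": {"name": "db-config", "namespace": "tenant-b"}},
         ]}]}},
    {"apiVersion": "kyverno.io/v1", "kind": "Policy",
     "metadata": {"name": "tenant-c-policy", "namespace": "tenant-c"},
     "spec": {"rules": [{"name": "default-ns",
                         "context": [{"name": "cfg", "configMap": {"name": "settings"}}]}]}},
]})


def find_cross_namespace_configmap_refs(policy_list_json: str) -> list:
    """One finding per context entry of a namespaced Policy whose
    configMap.namespace is set and differs from the Policy's own namespace.
    ClusterPolicy objects are skipped (cluster-scoped, so cross-namespace
    lookups are expected there). An unset namespace is not flagged; a
    templated value such as {{request.namespace}} is flagged for review."""
    findings = []
    for item in json.loads(policy_list_json).get("items", []):
        if item.get("kind") != "Policy":
            continue
        own_ns = item["metadata"]["namespace"]
        for rule in item.get("spec", {}).get("rules", []):
            for ctx in rule.get("context") or []:
                cm = ctx.get("configMap") or {}
                target_ns = cm.get("namespace")
                if target_ns and target_ns != own_ns:
                    findings.append({
                        "policy": f"{own_ns}/{item['metadata']['name']}",
                        "rule": rule.get("name", ""),
                        "context": ctx.get("name", ""),
                        "configmap": f"{target_ns}/{cm.get('name', '')}",
                    })
    return findings
```

Run it against live cluster output to list every namespaced Policy that still relies on the unvalidated cross-namespace lookup before and after upgrading.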

Remediation

Users can update to Kyverno version 1.17.2, where this vulnerability has been patched by adding the necessary namespace validation in the ConfigMap context loader.

Added: Apr 24, 2026, 4:27 AM
Updated: Apr 24, 2026, 4:27 AM

Vulnerability Rating

Custom Algorithm

  spread          2.6
  impact          0.2
  exploitability  5.3
  remediation     7.7
  relevance       6.6
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.