Back to bug 2211348
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Avinash Hanwate | 2023-05-31 07:55:20 UTC | CC | security-response-team | |
| Avinash Hanwate | 2023-05-31 09:24:19 UTC | Group | team ocp_embargoes | |
| Avinash Hanwate | 2023-06-15 05:36:42 UTC | Group | security, qe_staff, team ocp_embargoes | |
| | | Summary | EMBARGOED CVE-2023-2728 kube-apiserver: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin | CVE-2023-2728 kube-apiserver: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin |
| | | Deadline | 2023-06-15 | |
| | | CC | dfreiber, jburrell, rogbas, vkumar | |
| | | Fixed In Version | kube-apiserver 1.27.3, kube-apiserver 1.26.6, kube-apiserver 1.25.11, kube-apiserver 1.24.15 | |
| Avinash Hanwate | 2023-06-15 05:43:47 UTC | Depends On | 2215203, 2215201 | |
| Avinash Hanwate | 2023-06-15 07:42:06 UTC | Doc Text | A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers. | |
| RaTasha Tillery-Smith | 2023-06-15 12:43:40 UTC | Doc Text | A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers. | A flaw was found in Kubernetes, where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures that pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers. |
| Red Hat Bugzilla | 2023-07-07 08:33:41 UTC | Assignee | security-response-team | nobody |
| | | CC | security-response-team | |
| Doug Hellmann | 2023-07-25 20:11:29 UTC | CC | dhellmann | |