2302857 – CVE - [odf-console] Pod Service Account Token Automatically Mounted

Bug 2302857 - CVE - [odf-console] Pod Service Account Token Automatically Mounted

Summary: CVE - [odf-console] Pod Service Account Token Automatically Mounted

Keywords:
Status:	VERIFIED
Alias:	None
Product:	Red Hat OpenShift Data Foundation
Classification:	Red Hat Storage
Component:	odf-operator
Sub Component:
Version:	4.17
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	medium
Target Milestone:	---
Target Release:	ODF 4.17.0
Assignee:	Bipul Adhikari
QA Contact:	Parag Kamble
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2281703
TreeView+	depends on / blocked

Reported:	2024-08-05 11:45 UTC by Sanjal Katiyar
Modified:	2024-10-28 09:17 UTC (History)
CC List:	6 users (show)
Fixed In Version:	4.17.0-105
Doc Type:	Bug Fix
Doc Text:	.Automatic mounting of service account tokens disabled to increase security By default, OpenShift automatically mounts a service account token into every pod, regardless of whether the pod needs to interact with the OpenShift API. This behavior can expose the pod’s service account token to unintended use. If a pod is compromised, the attacker could gain access to this token, leading to possible privilege escalation within the cluster. If the default service account token is unnecessarily mounted, and the pod becomes compromised, the attacker can use the service account credentials to interact with the OpenShift API. This access could lead to serious security breaches, such as unauthorized actions within the cluster, exposure of sensitive information, or privilege escalation across the cluster. To mitigate this vulnerability, the automatic mounting of service account tokens is disabled unless explicitly needed by the application running in the pod. In the case of ODF console pod the fix involved disabling the automatic mounting of the default service account token by setting the `automountServiceAccountToken: false` in the pod or service account definition. With this fix, pods no longer automatically mount the service account token unless explicitly needed. This reduces the risk of privilege escalation or misuse of the service account in case of a compromised pod.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	red-hat-storage odf-operator pull 475	0	None	open	Bug 2302857:[release-4.17] bundle: Stop service account token from being automatically mounted in odf-console	2024-09-13 06:45:29 UTC
Red Hat Issue Tracker	OCSBZM-8896	0	None	None	None	2024-08-30 06:35:52 UTC

Description Sanjal Katiyar 2024-08-05 11:45:09 UTC

Description of problem (please be detailed as possible and provide log
snippests):

Protect pod default service account tokens from compromise by minimizing the mounting of the default service account token to only those pods whose application requires interaction with the Kubernetes API.

By default, Kubernetes automatically provisions a service account for each pod and mounts the secret at runtime. This service account is not typically used. If this pod is compromised and the compromised user has access to the service account, the service account could be used to escalate privileges within the cluster. To reduce the likelihood of privilege escalation this service account should not be mounted by default unless the pod requires direct access to the Kubernetes API as part of the pods functionality.

Version of all relevant components (if applicable):

Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?

Is there any workaround available to the best of your knowledge?

Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?

Can this issue reproducible?

Can this issue reproduce from the UI?

If this is a regression, please provide more details to justify this:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Add `automountServiceAccountToken: false` or a value distinct from 'default' for the `serviceAccountName` key to the deployment's Pod configuration.

Comment 8 Sunil Kumar Acharya 2024-09-18 12:06:54 UTC

Please update the RDT flag/text appropriately.

Note You need to log in before you can comment on or make changes to this bug.