An issue was discovered in Rancher 2 through 2.1.5. Any project member with access to the default namespace can mount the netes-default…
mitre·CWE-668·Published 2019-04-10
An issue was discovered in Rancher 2 through 2.1.5. Any project member with access to the default namespace can mount the netes-default service account in a pod, and then use that pod to execute administrative privileged commands against the k8s cluster. This could be mitigated by isolating the default namespace in a separate project, where only cluster admins can be given permissions to access. As of 2018-12-20, this bug affected ALL clusters created or imported by Rancher.
Access Control Bypass in github.com/rancher/rancher
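A defender-side audit of the condition described above, as an added example that is not part of this record or of Rancher's own code: given the JSON returned by `kubectl get clusterrolebindings -o json` and `kubectl get pods -o json`, it lists the service accounts in a namespace that a ClusterRoleBinding ties to `cluster-admin` (assumed here to be the "administrative" role) and the pods in that namespace that mount their token. The binding and pod data below are constructed samples.

```python
"""Audit helper (added example): find service accounts in a namespace bound to a
cluster-wide admin role, and the pods that mount their token. Input items follow
the shape of `kubectl get clusterrolebindings -o json` / `kubectl get pods -o json`."""

ADMIN_ROLES = {"cluster-admin"}  # assumption: ClusterRoles treated as administrative


def admin_service_accounts(bindings, namespace):
    """Return the set of ServiceAccount names in `namespace` that are subjects of
    a ClusterRoleBinding whose roleRef is one of ADMIN_ROLES."""
    found = set()
    for binding in bindings:
        role = binding.get("roleRef", {})
        if role.get("kind") != "ClusterRole" or role.get("name") not in ADMIN_ROLES:
            continue
        for subject in binding.get("subjects") or []:
            if subject.get("kind") == "ServiceAccount" and subject.get("namespace") == namespace:
                found.add(subject["name"])
    return found


def pods_mounting(pods, namespace, sa_names):
    """Return [(pod_name, sa_name)] for pods in `namespace` that run as one of
    `sa_names` without disabling token automount (Kubernetes defaults it to on)."""
    hits = []
    for pod in pods:
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        if meta.get("namespace") != namespace:
            continue
        sa = spec.get("serviceAccountName", "default")
        if sa in sa_names and spec.get("automountServiceAccountToken", True):
            hits.append((meta["name"], sa))
    return hits


# Constructed sample data: one admin-bound SA (the name from the advisory), one read-only SA.
SAMPLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "netes-default", "namespace": "default"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "reader", "namespace": "default"}]},
]
SAMPLE_PODS = [
    {"metadata": {"name": "web-1", "namespace": "default"},
     "spec": {"serviceAccountName": "netes-default"}},
    {"metadata": {"name": "web-2", "namespace": "default"},
     "spec": {"serviceAccountName": "netes-default", "automountServiceAccountToken": False}},
    {"metadata": {"name": "job-1", "namespace": "default"},
     "spec": {"serviceAccountName": "reader"}},
]

if __name__ == "__main__":
    admin_sas = admin_service_accounts(SAMPLE_BINDINGS, "default")
    for pod_name, sa in pods_mounting(SAMPLE_PODS, "default", admin_sas):
        print(f"pod {pod_name} mounts admin-bound service account {sa}")
```

Any hit is a pod that can act with cluster-admin rights from inside the namespace; the record's mitigation (moving `default` into a project that only cluster admins can access) limits who may create such pods.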
| CVSS version | Type | Source | Base score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 9.0 | 8.0 | 10.0 | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| 3.0 | Primary | NVD | 8.8 | 2.8 | 5.9 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | GHSA | 4.2 | — | — | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |