mirror of https://github.com/istio/istio.io.git
ISTIO-SECURITY-2023-005 & CNI Docs Updates (#14302)
* Add security announce & docs content * Fix linter errors * Fix additional linting issues * More lint errors * Fix trailing spaces * Update content/en/docs/setup/additional-setup/cni/index.md Co-authored-by: Eric Van Norman <ericvn@us.ibm.com> * Update content/en/news/security/istio-security-2023-005/index.md Co-authored-by: Eric Van Norman <ericvn@us.ibm.com> * Update content/en/news/security/istio-security-2023-005/index.md Co-authored-by: Eric Van Norman <ericvn@us.ibm.com> * Update content/en/docs/setup/additional-setup/cni/index.md Co-authored-by: John Howard <howardjohn@google.com> * Added extra column, fixed British spellings * Update content/en/news/security/istio-security-2023-005/index.md Co-authored-by: Daniel Hawton <daniel@hawton.org> * Update content/en/docs/setup/additional-setup/cni/index.md Co-authored-by: Daniel Hawton <daniel@hawton.org> * Update content/en/news/security/istio-security-2023-005/index.md Co-authored-by: Daniel Hawton <daniel@hawton.org> --------- Co-authored-by: Eric Van Norman <ericvn@us.ibm.com> Co-authored-by: John Howard <howardjohn@google.com> Co-authored-by: Daniel Hawton <daniel@hawton.org>
This commit is contained in:
Paul Merrison
GitHub
parent
9b8038ff7f
commit
18a7d00b53
|
|
@ -210,9 +210,17 @@ The result is that the application pod comes up without Istio traffic redirectio
|
|||
To mitigate the race between an application pod and the Istio CNI DaemonSet,
|
||||
an `istio-validation` init container is added as part of the sidecar injection,
|
||||
which detects if traffic redirection is set up correctly, and blocks the pod starting up if not.
|
||||
The CNI DaemonSet will detect and evict any pod stuck in such state. When the new pod starts up, it should have traffic redirection set up properly.
|
||||
The CNI DaemonSet will detect and handle any pod stuck in such state; how the pod is handled is dependent on configuration described below.
|
||||
This mitigation is enabled by default and can be turned off by setting `values.cni.repair.enabled` to false.
|
||||
|
||||
This repair capability can be further configured with different RBAC permissions to help mitigate the theoretical attack vector detailed in [`ISTIO-SECURITY-2023-005`](/news/security/istio-security-2023-005/). By setting the below fields to true/false as required, you can select the Kubernetes RBAC permissions granted to the Istio CNI.
|
||||
|
||||
|Configuration | Roles | Behavior on Error | Notes
|
||||
|---------------------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------|-------
|
||||
|`values.cni.repair.deletePods` | DELETE pods | Pods are deleted, when rescheduled they will have the correct configuration. | Default in 1.20 and older
|
||||
|`values.cni.repair.labelPods` | UPDATE pods | Pods are only labeled. User will need to take manual action to resolve. |
|
||||
|`values.cni.repair.repairPods` | None | Pods are dynamically reconfigured to have appropriate configuration. When the container restarts, the pod will continue normal execution. | Default in 1.21 and newer
|
||||
|
||||
### Traffic redirection parameters
|
||||
|
||||
To redirect traffic in the application pod's network namespace to/from the Istio proxy sidecar,
|
||||
|
|
|
|||
|
|
@ -0,0 +1,28 @@
|
|||
---
|
||||
title: ISTIO-SECURITY-2023-005
|
||||
subtitle: Security Bulletin
|
||||
description: Changes to Istio CNI RBAC permissions.
|
||||
cves: []
|
||||
cvss: N/A
|
||||
vector: N/A
|
||||
releases: ["All releases prior to 1.18.0", "1.18.0 to 1.18.5", "1.19.0 to 1.19.4", "1.20.0"]
|
||||
publishdate: 2023-12-12
|
||||
keywords: [CVE]
|
||||
skip_seealso: true
|
||||
---
|
||||
|
||||
{{< security_bulletin >}}
|
||||
|
||||
The Istio Security Committee were recently made aware of a potential scenario where the Istio CNI could be used as an attack vector on an already compromised node due to its high level of permissions. The vector involves abusing the `istio-cni-repair-role` `ClusterRole` on a compromised node to expand the scope of the compromise from local to the node to a cluster-wide compromise.
|
||||
|
||||
The Istio maintainers are, therefore, gradually rolling out a change to the above `ClusterRole` that reduces the permissions to close this potential attack vector. In the patched versions, roles are limited to the bare minimum requirements based on the [repair mode selected](/docs/setup/additional-setup/cni/#race-condition--mitigation). Previously, regardless of the configuration all roles were granted, and the roles that were granted were excessive.
|
||||
|
||||
An additional option can further mitigate any potential attacks, by completely removing the need for Istio CNI to have custom RBAC permissions; due to the possible risks associated with this new method, it is only enabled by default on Istio 1.21+. See below for the configuration options available, and roles required:
|
||||
|
||||
|Configuration | Roles | Behavior on Error | Notes
|
||||
|---------------------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------|-------
|
||||
|`values.cni.repair.deletePods` | DELETE pods | Pods are deleted, when rescheduled they will have the correct configuration. | Default in 1.20 and older
|
||||
|`values.cni.repair.labelPods` | UPDATE pods | Pods are only labeled. User will need to take manual action to resolve. |
|
||||
|`values.cni.repair.repairPods` | None | Pods are dynamically reconfigured to have appropriate configuration. When the container restarts, the pod will continue normal execution. | Default in 1.21 and newer
|
||||
|
||||
The Istio Security Committee would like to thank `Yuval Avrahami` for disclosing this issue and working with us on the resolution.
|
||||
Loading…
Reference in New Issue