PT-2021-4880 · Unknown (+1) · Flux Kustomization (+4)

Credit: Adam Korcz (+1)
Published: 2021-11-11 · Updated: 2024-08-21
CVE-2021-41254
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: kustomize-controller versions prior to 0.15.0

Description: The issue is related to the kustomize-controller, a Kubernetes operator for running continuous delivery pipelines. It allows users who can create Kubernetes Secrets, Service Accounts, and Flux Kustomization objects to execute commands inside the kustomize-controller container by embedding a shell script in a Kubernetes Secret. This can be used to run kubectl commands under the Service Account of kustomize-controller, thus allowing an authenticated Kubernetes user to gain cluster admin privileges. The vulnerability affects multitenant environments where non-admin users have permissions to create Flux Kustomization objects.

Recommendations: To resolve the issue, update to kustomize-controller version 0.15.0 or later, which no longer executes shell commands on the container OS and has the kubectl binary removed from the container image. As a temporary workaround, consider using a Kubernetes validation webhook, such as Gatekeeper OPA or Kyverno, to prevent the creation of Kubernetes Service Accounts with secrets in namespaces owned by tenants.
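One way to implement the temporary webhook workaround above with Kyverno, as an added example that is not part of the advisory or of the Flux project: a ClusterPolicy that rejects ServiceAccount objects referencing Secrets in tenant namespaces. The "tenant-*" namespace prefix and the policy name are assumptions.

```yaml
# Added example (not from the advisory): Kyverno ClusterPolicy that denies
# creation or update of a ServiceAccount carrying a `secrets` list in tenant
# namespaces, so a tenant cannot attach a Secret to a ServiceAccount that
# kustomize-controller would act on. The "tenant-*" namespace prefix is an
# assumption; replace it with the namespaces your tenants actually own.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deny-serviceaccount-secrets-in-tenant-namespaces
spec:
  # Enforce rejects the admission request; roll out with Audit first to see
  # which existing workloads would be blocked before switching to Enforce.
  validationFailureAction: Enforce
  # Also scan existing ServiceAccounts and report violations.
  background: true
  rules:
    - name: serviceaccount-must-not-reference-secrets
      match:
        any:
          - resources:
              kinds:
                - ServiceAccount
              namespaces:
                - "tenant-*"
      validate:
        message: >-
          ServiceAccounts in tenant namespaces must not reference Secrets
          (workaround for CVE-2021-41254; upgrade kustomize-controller to
          0.15.0 or later for the real fix).
        pattern:
          # Negation anchor: the request is denied if a `secrets` field is present.
          X(secrets): "null"
```

The policy only covers the ServiceAccount side of the workaround; the upgrade to 0.15.0 remains the fix, since it removes both the shell execution path and the kubectl binary from the image.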

Weakness Enumeration: OS Command Injection

Related Identifiers

BDU:2021-05613
BIT-KUSTOMIZE-2021-41254
CVE-2021-41254
GHSA-35RF-V2JV-GFG7
GO-2022-0260

Affected Products

Flux Kustomization
Gatekeeper Opa
Kubernetes
Kyverno
Kustomize-Controller