https://blog.zwindler.fr/en/tags/otel/Recent content in Otel on Zwindler's ReflectionHugo -- gohugo.ioenLicensed under CC BY-SA 4.0Tue, 19 May 2026 12:00:00 +0200https://blog.zwindler.fr/en/2026/05/19/nodes/proxy-get-one-kubernetes-permission-too-many/Tue, 19 May 2026 12:00:00 +0200https://blog.zwindler.fr/en/2026/05/19/nodes/proxy-get-one-kubernetes-permission-too-many/<img src="https://blog.zwindler.fr/2026/05/node_proxy_RCE.webp" alt="Featured image of post nodes/proxy GET: One Kubernetes permission too many" /><h2 id="tldr">TL;DR </h2><p>This is a bit old now, but I still wanted to share a quick write-up on the topic.</p> <p>Back in January, a cybersecurity researcher reported a Kubernetes flaw that generated quite a buzz. It had been a while since we had a Kube vulnerability that got people talking this much, at least from Denis&rsquo;s memory (yes, I talk about myself in the third person).</p> <p>Honestly, it&rsquo;s pretty wild: the <code>nodes/proxy GET</code> RBAC permission allows any <strong>ServiceAccount</strong> to execute code inside <strong>any Pod in the cluster</strong>, without leaving a single trace in the audit logs. That&rsquo;s unfortunate, especially when you have ServiceAccounts named <code>rook-ceph-system</code> that also happen to have read access to all Secrets in the cluster.</p> <p>This article details the issue, how to check if you are vulnerable, the fixes to apply, and the preventive measures you can put in place if you can&rsquo;t patch right away.</p> <h2 id="the-problem-websocket--kubelet--un-audited-exec">The problem: WebSocket + Kubelet = un-audited exec </h2><p>The vulnerability was documented by Graham Helton in <a class="link" href="https://grahamhelton.com/blog/nodes-proxy-rce" target="_blank" rel="noopener" >this article</a>. Here is how it works.</p> <p>The Kubernetes API exposes a <code>nodes/proxy</code> subresource that proxies HTTP requests to each node&rsquo;s Kubelet. The Kubelet itself exposes an API on port 10250, specifically the <code>/exec</code> endpoint which allows executing commands inside a container.</p> <p>The issue comes from how the Kubelet handles authorizations for WebSocket connections:</p> <ol> <li><code>kubectl exec</code> uses a WebSocket connection, whose handshake is an HTTP <code>GET</code></li> <li>The Kubelet maps this initial <code>GET</code> to the <code>get</code> RBAC verb</li> <li>It checks <code>nodes/proxy GET</code>, then authorizes the operation</li> <li><strong>No secondary check</strong> is performed for the <code>CREATE</code> verb normally required for <code>/exec</code></li> </ol> <p>Result: any ServiceAccount with <code>nodes/proxy GET</code> can execute commands in any Pod in the cluster, <strong>including system Pods</strong> (<code>etcd</code>, <code>kube-apiserver</code>, etc.).</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Exploitation via websocat</span> </span></span><span class="line"><span class="cl">websocat --insecure <span class="se">\ </span></span></span><span class="line"><span class="cl"> --header <span class="s2">&#34;Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> --protocol <span class="s2">&#34;v4.channel.k8s.io&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="s2">&#34;wss://</span><span class="nv">$NODE_IP</span><span class="s2">:10250/exec/default/nginx/nginx?output=1&amp;error=1&amp;command=id&#34;</span> </span></span></code></pre></div><p>And that&rsquo;s not all. <strong>Commands executed via this method do not generate any Kubernetes audit logs</strong> (well, assuming you even collect them 🙈). The access goes directly through the Kubelet, which does not report events back to the API server.</p> <p>The official Kubernetes status on this: <strong>Won&rsquo;t Fix</strong>. It is a &ldquo;design behavior&rdquo; (note the quotes), addressed via a feature gate (<a class="link" href="https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/2862-fine-grained-kubelet-authz/README.md" target="_blank" rel="noopener" >KEP-2862</a>, see below).</p> <p>Ouch.</p> <h2 id="the-audit-vulnerable-serviceaccounts-on-our-clusters">The Audit: Vulnerable ServiceAccounts on our clusters </h2><p>In January 2026, following the publication of Graham Helton&rsquo;s article, a lot of people had to urgently audit their clusters. You can either manually audit all your Roles / ClusterRoles, or use a <a class="link" href="https://gist.github.com/grahamhelton/f5c8ce265161990b0847ac05a74e466a" target="_blank" rel="noopener" >detection script</a> provided by the researcher.</p> <p>As an example, here are three relatively common components that make great candidates for a juicy privilege escalation:</p> <table> <thead> <tr> <th>Component</th> <th>ClusterRole</th> <th>ServiceAccounts</th> </tr> </thead> <tbody> <tr> <td><strong>OpenTelemetry Collector</strong></td> <td><code>otel-otelcol-k8sobjects</code></td> <td><code>opentelemetry-collector-daemonset-collector</code>, <code>opentelemetry-collector-deployment-collector</code></td> </tr> <tr> <td><strong>OpenTelemetry Operator</strong></td> <td><code>otel-operator-resources</code> / <code>opentelemetry-operator-manager</code></td> <td><code>opentelemetry-operator</code></td> </tr> <tr> <td><strong>Rook-Ceph</strong></td> <td><code>rook-ceph-global</code>, <code>rook-ceph-mgr-cluster</code></td> <td><code>rook-ceph-system</code>, <code>rook-ceph-mgr</code></td> </tr> </tbody> </table> <p>Note: there are many more. Graham Helton added an &ldquo;Appendix: Affected Helm Charts&rdquo; section at the end of his article, referencing AT LEAST 69 affected Helm charts according to him.</p> <h3 id="the-critical-case-rook-ceph-system">The critical case: rook-ceph-system </h3><p>In the official chart, the <code>rook-ceph-system</code> ServiceAccount combined two particularly dangerous permissions:</p> <ol> <li><strong><code>nodes/proxy GET</code></strong> - the RCE</li> <li><strong><code>secrets GET/LIST/WATCH</code></strong> across the <strong>entire cluster</strong></li> </ol> <p>Accessible secrets can include LUKS keys for volume encryption, Ceph admin keyrings, dashboard passwords&hellip; this kind of access makes it a prime target for an attacker.</p> <p>The attack scenario: a compromise of the <code>rook-ceph-operator</code> Pod (via CVE, supply chain, or a malicious image) would allow reading all Ceph secrets, and then executing code in any Pod (including <code>etcd</code>), leading to a full compromise of the cluster and encrypted data.</p> <p>To manually check if a ServiceAccount is vulnerable:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl auth can-i get nodes --subresource<span class="o">=</span>proxy <span class="se">\ </span></span></span><span class="line"><span class="cl"> --as<span class="o">=</span>system:serviceaccount:&lt;namespace&gt;:&lt;serviceaccount&gt; </span></span></code></pre></div><h2 id="examples-of-fixes-to-apply">Examples of fixes to apply </h2><h3 id="rook-ceph-upstream-fix">Rook-Ceph: Upstream fix </h3><p>For Rook-Ceph, the fix came from upstream: PR <a class="link" href="https://github.com/rook/rook/pull/16979" target="_blank" rel="noopener" >rook/rook#16979</a> removed <code>nodes/proxy</code> from ClusterRoles. This fix is included in Rook v1.19.1, so updating the affected clusters was enough.</p> <p>After updating, checking across all clusters:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl get clusterroles rook-ceph-global -o yaml <span class="p">|</span> grep -A3 nodes/proxy </span></span><span class="line"><span class="cl"><span class="c1"># -&gt; nothing</span> </span></span></code></pre></div><h3 id="otel--otel-operator">OTel / OTel operator </h3><p>For OpenTelemetry, the situation is potentially more complex. If you are using <code>otel-operator</code> and <strong>OtelCollector</strong> Custom Resources, you likely have to manage your own RBAC manifests <strong>yourself</strong>.</p> <p>Having had to do it myself, it&rsquo;s quite painful. Depending on your collector type and the receivers you enabled, you need to cross-reference multiple documents on the official OTel and otel-operator websites.</p> <p>Upstream merged a conditional approach in <a class="link" href="https://github.com/open-telemetry/opentelemetry-helm-charts/pull/2083" target="_blank" rel="noopener" >open-telemetry/opentelemetry-helm-charts#2083</a> based on the Kubernetes version:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Upstream approach (opentelemetry-helm-charts#2083)</span><span class="w"> </span></span></span><span class="line"><span class="cl">{{- <span class="l">if semverCompare &#34;&gt;=1.33-0&#34; .Capabilities.KubeVersion.Version }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes/pods</span><span class="w"> </span></span></span><span class="line"><span class="cl">{{- <span class="l">else }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes/proxy</span><span class="w"> </span></span></span><span class="line"><span class="cl">{{- <span class="l">end }}</span><span class="w"> </span></span></span></code></pre></div><p>Here again, if all your clusters are up to date, you can simply replace <code>nodes/proxy</code> with <code>nodes/pods</code> directly (without the condition).</p> <p><strong><code>otel-collector-crb.yaml</code></strong>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Before</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes/proxy </span><span class="w"> </span><span class="c"># &lt;- RCE risk</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes/spec</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes/stats</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">get</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># After</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># nodes/pods replaces nodes/proxy (RCE risk, see [https://grahamhelton.com/blog/nodes-proxy-rce](https://grahamhelton.com/blog/nodes-proxy-rce))</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Requires K8s &gt;= 1.33 (KEP-2862 fine-grained kubelet authz)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes/pods</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes/spec</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes/stats</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">get</span><span class="w"> </span></span></span></code></pre></div><p><strong><code>otel-operator-rbac.yaml</code></strong>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Before</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes/proxy </span><span class="w"> </span><span class="c"># &lt;- RCE risk</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">get</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># After</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># nodes/pods replaces nodes/proxy (RCE risk, see [https://grahamhelton.com/blog/nodes-proxy-rce](https://grahamhelton.com/blog/nodes-proxy-rce))</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Requires K8s &gt;= 1.33 (KEP-2862 fine-grained kubelet authz)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes/pods</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">get</span><span class="w"> </span></span></span></code></pre></div><h2 id="preventive-measures">Preventive Measures </h2><h3 id="kep-2862-fine-grained-kubelet-api-authorization">KEP-2862: Fine-Grained Kubelet API Authorization </h3><p>As teased earlier, the real long-term solution is <a class="link" href="https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/2862-fine-grained-kubelet-authz/README.md" target="_blank" rel="noopener" >KEP-2862</a> (Fine-Grained Kubelet API Authorization). It introduces granular subresources (<code>nodes/pods</code>, <code>nodes/metrics</code>, <code>nodes/stats</code>, <code>nodes/log</code>, etc.) allowing precise access without using <code>nodes/proxy</code>.</p> <table> <thead> <tr> <th>K8s Version</th> <th>KEP-2862 Status</th> </tr> </thead> <tbody> <tr> <td>1.32</td> <td>Alpha</td> </tr> <tr> <td>1.33</td> <td><strong>Beta, enabled by default</strong> - <code>nodes/proxy GET</code> no longer grants access to <code>/exec</code></td> </tr> <tr> <td>1.36</td> <td>GA (locked to enabled)</td> </tr> </tbody> </table> <p>But this requires going through EVERY chart in use and checking all deployed manifests now <strong>and in the future</strong>.</p> <h3 id="ciliumnetworkpolicy-blocking-the-kubelet-port">CiliumNetworkPolicy: Blocking the Kubelet port </h3><p>While waiting for the K8s upgrade, or as defense-in-depth, you can block access to port 10250 from the affected pods using NetworkPolicies (or CiliumNetworkPolicy if you use Cilium as your CNI plugin).</p> <p><strong>Warning</strong>: This only applies to components that do <em>not</em> need to access the Kubelet. The OTel collector potentially needs it to gather Kubelet metrics. In that case, you have no choice but to fix the RBAC.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">cilium.io/v2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">CiliumNetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-kubelet-api-access</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">&lt;namespace&gt;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">endpointSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">&lt;app-label&gt;</span><span class="p">:</span><span class="w"> </span><span class="l">&lt;value&gt;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">egressDeny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">toEntities</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">host</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">remote-node</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">toPorts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;10250&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">TCP</span><span class="w"> </span></span></span></code></pre></div><h3 id="kyverno-blocking-the-creation-of-new-roles-with-nodesproxy">Kyverno: Blocking the creation of new Roles with nodes/proxy </h3><p>To prevent any regression (remember, we need to protect ourselves <strong>in the future</strong>), we can add a Kyverno <code>ClusterPolicy</code> that rejects the creation or modification of a <code>ClusterRole</code> or <code>Role</code> containing <code>nodes/proxy</code>.</p> <p>Luckily, there are ready-to-use examples on the official Kyverno website:</p> <ul> <li><a class="link" href="https://kyverno.io/policies/other-vpol/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy/" target="_blank" rel="noopener" >validating variant</a></li> <li><a class="link" href="https://kyverno.io/policies/other-cel/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy/" target="_blank" rel="noopener" >CEL variant</a></li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-nodes-proxy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit </span><span class="w"> </span><span class="c"># switch to Enforce after validation</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-nodes-proxy-in-clusterroles</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">Role</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">names</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;system:kubelet-api-admin&#34;</span><span class="w"> </span><span class="c"># built-in K8s, unmodifiable</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> nodes/proxy grants RCE capability via Kubelet WebSocket exec. </span></span></span><span class="line"><span class="cl"><span class="sd"> Use nodes/pods (requires K8s &gt;= 1.33, KEP-2862) instead.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;nodes/proxy&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.rules[].resources[] }}&#34;</span><span class="w"> </span></span></span></code></pre></div><p>Deployment is done in two stages: first in <code>Audit</code> mode to ensure there are no remaining vulnerable manifests (which you should fix <strong>before</strong> blocking), then in <code>Enforce</code> mode to actually block them.</p> <h3 id="monitoring-the-audit-log">Monitoring the Audit Log </h3><p>Even if commands executed <em>via</em> the Kubelet leave no trace, we can monitor <strong>SubjectAccessReviews</strong> to detect attempts at enumerating <code>nodes/proxy</code> permissions.</p> <p>The configuration in the Kubernetes audit policy:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># audit-policy.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">Request</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;create&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">group</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;authorization.k8s.io&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;subjectaccessreviews&#34;</span><span class="p">]</span><span class="w"> </span></span></span></code></pre></div><p>Then a Prometheus/Alertmanager alert on SARs related to <code>nodes/proxy</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-promql" data-lang="promql"><span class="line"><span class="cl"><span class="c1"># Detect SARs targeting nodes/proxy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="kr">increase</span><span class="o">(</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">apiserver_audit_event_total</span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nl">verb</span><span class="o">=</span><span class="p">&#34;</span><span class="s">create</span><span class="p">&#34;,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nl">resource</span><span class="o">=</span><span class="p">&#34;</span><span class="s">subjectaccessreviews</span><span class="p">&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}[</span><span class="s">5m</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="o">)</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span></span></span></code></pre></div><h2 id="references">References </h2><ul> <li><a class="link" href="https://grahamhelton.com/blog/nodes-proxy-rce" target="_blank" rel="noopener" >Kubernetes RCE via nodes/proxy GET</a> - Graham Helton</li> <li><a class="link" href="https://gist.github.com/grahamhelton/f5c8ce265161990b0847ac05a74e466a" target="_blank" rel="noopener" >Detection Script</a></li> <li><a class="link" href="https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/2862-fine-grained-kubelet-authz/README.md" target="_blank" rel="noopener" >KEP-2862 Fine-Grained Kubelet API Authorization</a></li> <li><a class="link" href="https://kubernetes.io/docs/concepts/security/rbac-good-practices/#access-to-proxy-subresource-of-nodes" target="_blank" rel="noopener" >Kubernetes RBAC Good Practices - nodes/proxy</a></li> <li><a class="link" href="https://github.com/rook/rook/pull/16979" target="_blank" rel="noopener" >rook/rook#16979</a> - Fix upstream Rook-Ceph</li> <li><a class="link" href="https://github.com/open-telemetry/opentelemetry-helm-charts/pull/2083" target="_blank" rel="noopener" >open-telemetry/opentelemetry-helm-charts#2083</a> - Fix upstream OTel</li> </ul>