Kubernetes ValidatingWebhookConfiguration
The original author of this page is Guillaume
Definition
ValidatingWebhookConfiguration is a Kubernetes resource that defines a validating webhook, which is a server-side component that validates incoming Kubernetes API requests against a set of predefined rules and constraints.
Purpose
The purpose of a ValidatingWebhookConfiguration is to define a validating webhook that will enforce a set of predefined rules and constraints on incoming Kubernetes API requests. The webhook will validate the requests against the rules and constraints defined in the configuration, and will return an error if the request does not conform to the rules.
Example
Here is an example of a ValidatingWebhookConfiguration:
The main difference between a ValidatingWebhookConfiguration and policies :
ValidatingWebhookConfiguration (VWC) : A Kubernetes resource that defines a validating webhook, which is a server-side component that validates incoming Kubernetes API requests against a set of predefined rules and constraints.
Kyverno ClusterPolicy: A policy definition that specifies a set of rules and constraints for validating and enforcing Kubernetes resources, such as pods, deployments, and services
Enumeration
Abusing Kyverno and Gatekeeper VWC
As we can see all operators installed have at least one ValidatingWebHookConfiguration(VWC).
Kyverno and Gatekeeper are both Kubernetes policy engines that provide a framework for defining and enforcing policies across a cluster.
Exceptions refer to specific rules or conditions that allow a policy to be bypassed or modified under certain circumstances but this is not the only way !
For kyverno, as you as there is a validating policy, the webhook kyverno-resource-validating-webhook-cfg
is populated.
For Gatekeeper, there is gatekeeper-validating-webhook-configuration
YAML file.
Both come from with default values but the Administrator teams might updated those 2 files.
Use Case
Now, identify the following output :
Here, kubernetes.io/metadata.name
label refers to the namespace name. Namespaces with names in the values
list will be excluded from the policy :
Check namespaces existence. Sometimes, due to automation or misconfiguration, some namespaces might have not been created. If you have permission to create namespace, you could create a namespace with a name in the values
list and policies won't apply your new namespace.
The goal of this attack is to exploit misconfiguration inside VWC in order to bypass operators restrictions and then elevate your privileges with other techniques
References
Last updated