
Privilege escalation through Kubernetes dashboard - knoxa2511
https://sysdig.com/blog/privilege-escalation-kubernetes-dashboard/
======
pm90
It's been known for quite some time not to expose the dashboard. GKE explicitly
disables it by default. Tesla's in-house cluster was pwned because their
dashboard was publicly accessible, etc.

~~~
andrewstuart2
Either don't expose the dashboard, or explicitly give it a service account
with zero access. I think it should be well-known by now that anything you run
in-cluster gets a built-in service account token, defaulting to the default
service account for that namespace.
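
The mitigation this comment describes, written out as an added example (not from the thread or the linked Sysdig post): the weak default, where a Deployment omits `serviceAccountName` and so runs as the namespace's `default` ServiceAccount with its token automounted, beside a hardened version that uses a dedicated ServiceAccount with no Role/ClusterRoleBindings and mounts no token at all. The names `dashboard-noaccess`, the namespace `kube-dashboard` and the image are assumed placeholders.

```yaml
# Weak: no serviceAccountName, so the pod runs as the namespace's "default"
# ServiceAccount and its token is automounted at
# /var/run/secrets/kubernetes.io/serviceaccount/token. Whatever RBAC that
# account has is what the dashboard acts with when a user skips login.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dashboard
  namespace: kube-dashboard            # assumed namespace
spec:
  selector:
    matchLabels: {app: dashboard}
  template:
    metadata:
      labels: {app: dashboard}
    spec:
      containers:
        - name: dashboard
          image: example.invalid/dashboard:latest   # placeholder image
---
# Hardened: a dedicated ServiceAccount with no Role/ClusterRoleBindings
# (zero access) and no token mounted into the pod. Users must then bring
# their own credentials (bearer token or kubeconfig) to the dashboard.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-noaccess
  namespace: kube-dashboard
automountServiceAccountToken: false
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dashboard
  namespace: kube-dashboard
spec:
  selector:
    matchLabels: {app: dashboard}
  template:
    metadata:
      labels: {app: dashboard}
    spec:
      serviceAccountName: dashboard-noaccess
      automountServiceAccountToken: false   # pod-level setting wins over the SA's
      containers:
        - name: dashboard
          image: example.invalid/dashboard:latest   # placeholder image
```

Verify the account really has nothing beyond what every authenticated identity gets with `kubectl auth can-i --list --as=system:serviceaccount:kube-dashboard:dashboard-noaccess`. If the dashboard needs to read its own settings, bind a Role scoped to its own namespace rather than any ClusterRole.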

~~~
sieabahlpark
You'd be surprised; a lot of things are overlooked with the premise of shipping
faster.

Don't worry about security, we need to ship.

------
zaroth
Hard to call this “privilege escalation” if I’m reading this correctly?

It’s like a firewall default policy of ALLOW and complaining that packets are
getting through.

There was a literal “Skip” button on the login page and the default account
was granted permission to read certificate private keys. Did I get that right?

------
omeid2
I am not surprised, in the general sense that someone has found a security bug
in a large and complex piece of software. This is basically another good
example of why your control plane should be only accessible through a
VPN/bastion.