Skip to content

[Security Issue] metric-adapter ClusterRole grants full cluster-wide privilegesΒ #922

Open
Open
[Security Issue] metric-adapter ClusterRole grants full cluster-wide privileges#922
@im-soohyun

Description

@im-soohyun
im-soohyun
opened on May 14, 2025

πŸ” [Security Issue] metric-adapter ClusterRole grants full cluster-wide privileges

The current configuration of the metric-adapter component defines an overly permissive ClusterRole and applies it directly to a running pod through a ServiceAccount and ClusterRoleBinding. This creates a critical security risk where compromising a single pod could lead to complete cluster takeover.

πŸ” Misconfigured RBAC Flow with Source Links

1️⃣ Overprivileged ClusterRole definition

πŸ“„ rbac.yaml lines 1–8

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metric-adapter  # <-- (A) overly permissive role
rules:
  - apiGroups: [ "*" ]
    resources: [ "*" ]
    verbs: [ "*" ]

This ClusterRole grants full access to all API groups, resources, and actions, including reading secrets, modifying configurations, deleting deployments, and more.

2️⃣ Binding the ClusterRole to a ServiceAccount

πŸ“„ rbac.yaml lines 100–111

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metric-adapter
roleRef:
  kind: ClusterRole
  name: metric-adapter  # <-- (A) reference to the powerful role
subjects:
  - kind: ServiceAccount
    name: metric-adapter  # <-- (B) service account that receives the permissions
    namespace: crane-system

This binding gives full cluster access to the metric-adapter ServiceAccount.

3️⃣ ServiceAccount Definition

πŸ“„ deployment.yaml lines 1–5

apiVersion: v1
kind: ServiceAccount
metadata:
  name: metric-adapter  # <-- (B) defined ServiceAccount
  namespace: crane-system

The above ServiceAccount is the subject of the previous ClusterRoleBinding.

4️⃣ ServiceAccount Used in Deployment

πŸ“„ deployment.yaml line 27

spec:
  template:
    spec:
      serviceAccountName: metric-adapter  # <-- (B) the privileged ServiceAccount in use
      containers:
        - name: metric-adapter
          image: docker.io/gocrane/metric-adapter:v0.10.0

The metric-adapter pod is now running with cluster-admin equivalent privileges.

⚠️ Realistic Threat Scenarios

Scenario Description
Pod Compromise β†’ Cluster Takeover If the metric-adapter pod is compromised via a vulnerability, the attacker gains full control of the cluster.
Secrets Exfiltration Attacker can access all secrets in all namespaces, including kube-system.
RBAC Abuse The attacker can grant themselves or other pods more privileges, create backdoors, or modify policies.
Workload Tampering Delete or modify other workloads, inject malicious deployments, or affect critical services.
Lateral Movement Pivot into internal services such as Prometheus, databases, or private applications.

βœ… Recommendations

  1. Replace the wildcard-based ClusterRole with a least privilege policy:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metric-adapter
rules:
  - apiGroups: ["custom.metrics.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]

  1. If possible, switch from a ClusterRole to a namespace-scoped Role and use RoleBinding instead.

  2. Audit and remove duplicate or unnecessary RBAC definitions. Add CI security checks (e.g., using Polaris, OPA Gatekeeper, or kubeaudit).

🚨 Suggested Action

This is a critical security vulnerability where a single container exploit could lead to full cluster compromise.
It is strongly recommended that the team opens a pull request (PR) immediately to address this misconfiguration.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions