Kubernetes Ingress Controller Vulnerabilities
In the developed project of the Kubernetes Ingress Controller Ingress-Nninx, three vulnerabilities have been discovered. These vulnerabilities allow attackers to gain access to the default configurations of the Ingress object settings, which store important data including accounting data for contacting Kubernetes servers. By exploiting these vulnerabilities, attackers can obtain privileged access to the cluster. However, it is important to note that these issues only affect the Ingress controller Ingress-ninx from the Kubernetes project and do not impact the controller kubernetes-ingress developed by the nginx developers.
The Ingress-controller acts as a gateway and is used in Kubernetes to organize access from the external network to the cluster services. The Ingress-Nginx controller, which is based on the Nginx server, is the most popular choice for organizing clusters due to its ability to route external requests and load balance. The Kubernetes project provides various controllers including AWS, GCE, GCE, and Nginx. It is important to note that the Nginx controller is not associated in any way with the kubernetes-ingress controller, which is supported by F5/Nginx.
The vulnerabilities CVE-2023-5043 and CVE-2023-5044 allow an attacker with the rights of the Ingress controller to manipulate the parameters “nginx.ingress.kubernetes.io/configuration-snippet” and “nginx.