#kubernetes

### Impact In a Kubernetes environment, Ratify can be configured to authenticate to a private Azure Container Registry (ACR). The Azure workload identity and Azure managed identity authentication providers are configured in this setup. Users that configure a private ACR to be used with the Azure authentication providers may be impacted. Both Azure authentication providers attempt to exchange an Entra ID (EID) token for an ACR refresh token. However, Ratify’s Azure authentication providers did not verify that the target registry is an ACR. This could have led to the EID token being presented to a non-ACR registry during token exchange. EID tokens with ACR access can potentially be extracted and abused if a user workload contains an image reference to a malicious registry. ### Patches The Azure workload identity and Azure managed identity authentication providers are updated to add new validation prior to EID token exchange. Validation relies upon registry domain validation against a ...

We are thrilled to announce the general availability of Red Hat OpenShift Service Mesh 3.0. OpenShift Service Mesh is based on the Istio, Envoy and Kiali projects, and is included with the Red Hat OpenShift Container Platform and Red Hat OpenShift Platform Plus. This article provides an overview of Red Hat OpenShift Service Mesh 3.0, including information for existing OpenShift Service Mesh users on how to migrate.OpenShift Service Mesh 3.0 is based on Istio 1.24 and Kiali 2.4. This release is a major update, using a new operator based on the community sail-operator for managing Istio and depl

TopSec data leak: 7000+ documents expose potential Chinese government surveillance and censorship practices. Learn about the key findings…

A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.

The sheer amount of technologies today has created a massive boom in innovation, allowing organizations globally to create software in a variety of ways. While having numerous technologies to create software is advantageous, it also presents a challenge—managing the complexity of using so many tools and technologies.Platform engineering is an emerging practice to help organizations streamline their tools and infrastructure into a single cohesive point, known as an internal developer portal(IDP). The goal is to consolidate technologies, knowledge and best practices to boost overall productivi

### Impact A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data. ### Patches A patch for this vulnerability is available in the following Argo CD versions: - v2.13.4 - v2.12.10 - v2.11.13 ### Workarounds There is no workaround other than upgrading. ### References Fixed with commit https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107 & https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca

### Impact By design, AdmissionPolicy and AdmissionPolicyGroup can evaluate only namespaced resources. The resources to be evaluated are determined by the rules provided by the user when defining the policy. There might be Kubernetes namespaced resources that should not be validated by AdmissionPolicy and by the AdmissionPolicyGroup policies because of their sensitive nature. For example, PolicyReport are namespaced resources that contain the list of non compliant objects found inside of a namespace. See [this section](https://docs.kubewarden.io/explanations/audit-scanner/policy-reports) of Kubewarden’s documentation for more details about PolicyReport resources. An attacker can use either an AdmissionPolicy or an AdmissionPolicyGroup to prevent the creation and update of PolicyReport objects to hide non-compliant resources. Moreover, the same attacker might use a mutating AdmissionPolicy to alter the contents of the PolicyReport created inside of the namespace. ### Patches Starting...

### Impact The [policy group feature](https://docs.kubewarden.io/explanations/policy-groups), added to by the 1.17.0 release, introduced two new types of CRD: ClusterAdmissionPolicyGroup and AdmissionPolicyGroup. The former is cluster wide, while the latter is namespaced. By being namespaced, the AdmissionPolicyGroup has a well constrained impact on cluster resources. Hence, it’s considered safe to allow non-admin users to create and manage these resources in the namespaces they own. Kubewarden policies can be allowed to query the Kubernetes API at evaluation time; these types of policies are called “[context aware](https://docs.kubewarden.io/reference/spec/context-aware-policies)“. Context aware policies can perform list and get operations against a Kubernetes cluster. The queries are done using the ServiceAccount of the Policy Server instance that hosts the policy. That means that access to the cluster is determined by the RBAC rules that apply to that ServiceAccount. The Admission...

### Impact A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data. ### Patches A patch for this vulnerability is available in the following Argo CD versions: - v2.13.4 - v2.12.10 - v2.11.13 ### Workarounds There is no workaround other than upgrading. ### References Fixed with commit https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107 & https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca

### Impact If the "full-elastic-stack" example vector configuration was used for a real cluster, the previous values of kubernetes secrets would have been disclosed in the audit messages. ### Patches The example has been updated to fix this in commit db1aa5b867256b0a7bf206544c6981ab068b73dc ### Workarounds Replace ```yaml if .request.requestKind.kind == "Secret" { del(.request.object.data) .request.object.data.redacted = "REDACTED" del(.request.oldObject.data) .request.oldObject.data.redacted = "REDACTED" } ``` In the vector "audit-files-json-parser-and-redaction" step with ```yaml if .request.requestKind.kind == "Secret" { # Redact the secret data del(.request.object.data) .request.object.data.redacted = "REDACTED" del(.request.oldObject.data) .request.oldObject.data.redacted = "REDACTED" # Remove the previously set secret data - N...