Can one namespace with compromised log4j versions deployed "infect" an entire Kubernetes cluster?
I am dealing with a fairly simple question.

Assume we have a Kubernetes cluster and several namespaces (say, default, monitoring, A, B, C). These namespaces are logically separated from one another via NetworkPolicies. That means A cannot see what is going on in default, monitoring, B, C. Analogous things can be said about B and C.

However, monitoring and default can see what is going on in all namespaces.

Now someone deploys some "rogue resources" in one of the namespaces A, B, and C, say, A. Here I mean a deployment with a compromised version of log4j. Of course, that is bad for everything in namespace A.

My question is now: does that also negatively affect resources in default, monitoring, B, C, or are they completely unharmed?
Namespaces are a way to organize clusters into virtual sub-clusters — they can be helpful when different teams or projects share a Kubernetes cluster. Any number of namespaces are supported within a cluster, each logically separated from the others but with the ability to communicate with each other.

So if any of the namespaces is compromised or has an infected component which is exploited to allow, say, an RCE or a reverse shell, the compromised namespace is now acting like a gateway for the remote attacker and can easily be used as a launch pad against other resources, not only in the same namespace but in other namespaces as well. So yes, it negatively impacts and increases the RISK for other namespaces.
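The answer above treats namespaces as mutually reachable by default, which is how Kubernetes behaves when no NetworkPolicy selects the pods; the question states that NetworkPolicies already separate A, B and C, and whether that actually limits a compromised pod in A depends on what those policies say and on the cluster's CNI enforcing them. The following is an added example, not part of the original question or answer, of the policy set that makes the question's isolation concrete for namespace A: a default deny for both ingress and egress, plus the two narrow allowances a workload usually still needs. The namespace name `a` (Kubernetes requires lowercase names), the `kubernetes.io/metadata.name` namespace label (set automatically on namespaces in current Kubernetes versions), the `k8s-app: kube-dns` label on the cluster DNS pods and the metrics port 9090 are assumptions for illustration.

```yaml
# Added example, not code from the original post.
# Default-deny for namespace "a", then explicit allowances.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: a            # assumed namespace name
spec:
  podSelector: {}         # empty selector: every pod in the namespace
  policyTypes:
  - Ingress
  - Egress
  # No ingress/egress rules are listed, so nothing is permitted in either
  # direction unless another policy in this namespace adds it. An attacker
  # with a shell in namespace "a" therefore cannot open connections to pods
  # in default, monitoring, B or C, and cannot reach outside the cluster.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: a
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    # namespaceSelector and podSelector inside ONE "to" element are ANDed:
    # only the DNS pods in kube-system, not every pod in kube-system.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns   # assumed label of the cluster DNS pods
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-monitoring
  namespace: a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: monitoring   # the question's "monitoring" namespace
    ports:
    - protocol: TCP
      port: 9090            # assumed metrics port; restrict to what monitoring needs
```

Apply with `kubectl apply -f` and verify enforcement from a throwaway pod in `a` (for example by attempting a connection to a service in another namespace, which should time out); a cluster whose network plugin does not implement NetworkPolicy accepts these objects silently and enforces nothing. Two caveats on the question as asked: the egress deny is what blocks a compromised pod from opening outbound connections, whether to sibling namespaces or to an attacker-controlled host, so it matters as much as the ingress side; and NetworkPolicy only covers the network layer, so the permissions of the pod's service account against the API server (RBAC) need to be restricted separately.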
Notice: the technical posts on this site are published under the CC BY-SA 4.0 license; if you repost them, please cite this site's URL or the original URL. For any questions, contact yoyou2525@163.com.