Newly added Networkpolicy is wrong #509

Description

@xhejtman

Hello,

I noticed that you added a default network policy for admin access in the latest version 1.5.0. This policy is basically useless:

ingress:
  - ports:
      - port: 6379
        protocol: TCP
  - from:
      - namespaceSelector: {}
        podSelector:
          matchLabels:
            control-plane: controller-manager
      - podSelector:
          matchLabels:
            app: app-dragonfly
            app.kubernetes.io/name: dragonfly
            app.kubernetes.io/part-of: dragonfly
    ports:
      - port: 9999
        protocol: TCP

All the attacker needs to do is add the control-plane: controller-manager label to his pod, which then grants access to the admin port. The namespaceSelector should be configured (or at least be configurable) to restrict access to the operator’s namespace only.
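The following is an added example, not code from the dragonfly-operator project or from the issue author. It models the subset of NetworkPolicy ingress semantics needed to evaluate the admin-port rule quoted above against a few constructed source pods, and puts a namespace-pinned variant of the same rule next to it. The namespace names (`dragonfly`, `dragonfly-operator-system`, `tenant-a`) and the pod names are constructed; `OPERATOR_NS` is a hypothetical value standing in for wherever the operator actually runs. Only `matchLabels` selectors are implemented.

```python
"""NetworkPolicy peer evaluation: shipped admin-port rule vs. namespace-pinned rule.

Added example; not code from the dragonfly-operator project. Only matchLabels
is implemented; matchExpressions and ipBlock are omitted. Namespace names and
pod names are constructed, and OPERATOR_NS is a hypothetical value.
"""
from dataclasses import dataclass, field

POLICY_NS = "dragonfly"                    # namespace the NetworkPolicy lives in (constructed)
OPERATOR_NS = "dragonfly-operator-system"  # hypothetical operator namespace


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)


# Namespace -> labels. Since Kubernetes 1.21 every namespace carries the
# immutable label kubernetes.io/metadata.name=<its name>, which is what lets a
# namespaceSelector pin a single namespace without any custom labelling.
NAMESPACES = {
    POLICY_NS: {"kubernetes.io/metadata.name": POLICY_NS},
    OPERATOR_NS: {"kubernetes.io/metadata.name": OPERATOR_NS},
    "tenant-a": {"kubernetes.io/metadata.name": "tenant-a"},
}


def selector_matches(selector, labels):
    """matchLabels: every listed key must be present with the given value.
    An empty selector ({}) therefore matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_admits(peer, pod, policy_ns):
    """Evaluate one NetworkPolicyPeer against a source pod.

    - podSelector only:       pods in the policy's own namespace matching the selector
    - namespaceSelector only: every pod in namespaces matching the selector
    - both:                   pods matching podSelector inside matching namespaces
    """
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        raise ValueError("peer needs podSelector, namespaceSelector or ipBlock")
    if ns_sel is None:
        return pod.namespace == policy_ns and selector_matches(pod_sel, pod.labels)
    if not selector_matches(ns_sel, NAMESPACES.get(pod.namespace, {})):
        return False
    return pod_sel is None or selector_matches(pod_sel, pod.labels)


def rule_admits(rule, pod, policy_ns=POLICY_NS):
    """An ingress rule without `from` admits every source; otherwise any peer may match."""
    peers = rule.get("from")
    if not peers:
        return True
    return any(peer_admits(p, pod, policy_ns) for p in peers)


CONTROLLER_LABEL = {"control-plane": "controller-manager"}
DRAGONFLY_LABELS = {
    "app": "app-dragonfly",
    "app.kubernetes.io/name": "dragonfly",
    "app.kubernetes.io/part-of": "dragonfly",
}

# Admin-port rule as quoted in the issue: namespaceSelector {} matches all namespaces.
SHIPPED_RULE = {
    "from": [
        {"namespaceSelector": {}, "podSelector": {"matchLabels": CONTROLLER_LABEL}},
        {"podSelector": {"matchLabels": DRAGONFLY_LABELS}},
    ],
    "ports": [{"port": 9999, "protocol": "TCP"}],
}

# Pinned variant: same peers, but the first one only matches the operator namespace.
HARDENED_RULE = {
    "from": [
        {
            "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": OPERATOR_NS}},
            "podSelector": {"matchLabels": CONTROLLER_LABEL},
        },
        {"podSelector": {"matchLabels": DRAGONFLY_LABELS}},
    ],
    "ports": [{"port": 9999, "protocol": "TCP"}],
}

# Constructed source pods. The tenant pod simply copied the controller label.
OPERATOR_POD = Pod("controller-manager-0", OPERATOR_NS, dict(CONTROLLER_LABEL))
ATTACKER_POD = Pod("relabelled-tenant-pod", "tenant-a", dict(CONTROLLER_LABEL))
SIBLING_POD = Pod("dragonfly-1", POLICY_NS, dict(DRAGONFLY_LABELS))


def admitted_sources(rule):
    """Names of the constructed pods the rule admits on the admin port."""
    return [p.name for p in (OPERATOR_POD, ATTACKER_POD, SIBLING_POD) if rule_admits(rule, p)]


if __name__ == "__main__":
    print("shipped :", admitted_sources(SHIPPED_RULE))
    print("pinned  :", admitted_sources(HARDENED_RULE))
```

Running it shows the shipped rule admitting the relabelled tenant pod alongside the real controller-manager, while the pinned rule admits only the operator pod and the Dragonfly sibling. In YAML the pinned peer is the quoted one with `namespaceSelector: {}` replaced by `namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: <operator namespace>}}`, which is why making that namespace configurable is the natural fix. Note also that `rule_admits` models the first ingress entry in the quoted policy (port 6379, no `from` clause) as admitting every source, since a rule without `from` does not restrict sources under NetworkPolicy semantics.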
