Security advisory

Edit online

  1. NodeCompromise-01: Compromised Node Propagation Risk In Red Hat OpenShift, a worker node is a highly privileged part of the cluster.
    If a worker node becomes compromised—whether through:
    • a privilege-escalation exploit in a container
    • a kernel or driver vulnerability,
    • a misconfigured privileged pod, or
    • direct SSH/root access misuse

    Then the attacker gains control over the node’s host operating system leading to manipulation of local device data, SpyreNodeState, metrics, and possibly operator-managed components — causing cluster-wide security impact.

    Mitigation
    • Harden nodes: OS patching, reduce attack surface, disable unnecessary host-level services
    • Use node-level attestation and protect the SpyreNodeState updates (signed payloads or verify the source)
    • Limit node-local credentials and avoid giving node agents broad cluster-wide write permissions
    • Monitor host integrity (file integrity monitoring, EDR) and isolate suspicious nodes automatically
    • Use network segmentation to limit node → control-plane attack surfaces
  2. Threat Workload-EoP-04 - Privilege Escalation or Host Compromise via Custom Workload Deployment
    OpenShift clusters allow teams to deploy custom workloads—including Pods, Deployments, Jobs, and CronJobs. If not properly regulated, users may deploy workloads that:
    • Run with elevated privileges (privileged: true, CAP_SYS_ADMIN)
    • Mount the host filesystem (hostPath: to /, /etc/kubernetes/, /var/lib/kubelet)
    • Access host namespaces (hostNetwork, hostPID, hostIPC)
    • Bypass filesystem protections (disable readOnlyRootFilesystem)
    • Access host devices (/dev/*, device plugins, VFIO)
    • Run untrusted or unsigned images

    Such configurations create a direct path to container escape, node compromise, and ultimately control-plane impact, especially when combined with kernel exploits or misconfigured security contexts.

    Mitigation
    • Limit RBAC permissions for developers; use dedicated namespaces with restricted roles
    • Deny workloads running as root or with unrestricted Linux capabilities
    • Apply SELinux/AppArmor profiles and seccomp restrictions