Comments (10)
@JorTurFer I don't think this is a problem; other scalers also have permissions to access various types of metrics.
I get the namespace boundary restriction, though I don't think it is applicable in this specific use case, IMHO.
from keda.
Interesting, mind sharing what scenario you have this for with system components? How are they impacted when scaling is not happening?
from keda.
We have a real scenario that requires this 'cross-namespace search' feature.
As a platform service provider, we put managed components in one namespace and customer (cx) workloads in another.
Some features require extra backend services, like our metrics collector.
- When there are pods that emit metrics, we need a pod to collect and emit metrics.
- When no user pod enables the metrics flag, we don't need that pod.
Currently the watched resource, the ScaledObject and the target deployment must all stay in the same namespace.
from keda.
@SpiritZhou for the proposed options, I prefer option 2.
And should the 'workload' include more resources, not only pods? Like Deployments, and even CRDs.
from keda.
We discussed whether or not to limit the scope to the namespace, and just to share the reasons behind the limitation: we basically saw a potential attack vector for getting sensitive information about workloads running in other namespaces that you could not access with your own RBAC.
My concern is that extending the resources you can query, or the namespaces, has to be authorized by cluster admins somehow, or a malicious attacker can use KEDA to get information about resources which wouldn't be accessible to them.
I see the advantages of supporting this, but we should be aware of how to secure it too.
from keda.
@JorTurFer Could you provide more details or a specific scenario regarding the security concern? One of the scenarios is that a ScaledObject in namespace A could use a label selector to retrieve the number of resources in namespace B through KEDA. We can explore potential solutions to address this issue.
from keda.
I can start a DDoS attack, adding an attacker pod per victim pod. I can do brute-force attacks to obtain information about the pods in the cluster; for example, I can find out whether the cluster uses a specific service I know is vulnerable by querying its common labels, and then start an attack based on that specific vulnerability.
An example of this: let's say that cert-manager has a known vulnerability in version 1.12.0. I can use the fact that the cert-manager chart sets some specific labels to detect which version is deployed in the cluster, just by adding a selector like:
app.kubernetes.io/instance=cert-manager,helm.sh/chart=cert-manager-v1.12.0
This is a potential risk IMHO.
from keda.
> I can start a DDoS attack, adding an attacker pod per victim pod. I can do brute-force attacks to obtain information about the pods in the cluster; for example, I can find out whether the cluster uses a specific service I know is vulnerable by querying its common labels, and then start an attack based on that specific vulnerability.
> An example of this: let's say that cert-manager has a known vulnerability in version 1.12.0. I can use the fact that the cert-manager chart sets some specific labels to detect which version is deployed in the cluster, just by adding a selector like:
> app.kubernetes.io/instance=cert-manager,helm.sh/chart=cert-manager-v1.12.0
> This is a potential risk IMHO.
Would disabling the selector function when enabling access to other namespaces avoid this security issue?
from keda.
> Would disabling the selector function when enabling access to other namespaces avoid this security issue?

I don't get the point, sorry; do you mean just returning the number of pods running in a given namespace? I think that it can be exploitable too: I can deploy a DDoS attacker inside the cluster, scaling based on the application instances. IMHO we shouldn't break the namespace boundary, but I won't block this if other folks agree with it.
I may be overthinking the issue tbh; maybe a flag (disabled by default) that cluster admins can enable is enough, as they would be aware of the risk 🤷
@tomkerkhove @zroubalik ?
from keda.
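The two points argued above, the label-selector probe that leaks a chart version from another namespace and the admin-gated flag proposed as the mitigation, modelled as a small Go program. This is an added example, not KEDA's code: `Pod`, `Policy`, `CountMatchingPods` and the namespace allowlist are assumptions made for illustration, and the cluster contents are a constructed fixture. It parses the equality-based selector from the thread, counts matching pods the way a kubernetes-workload style scaler would, and refuses cross-namespace queries unless the policy switch is on.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Pod is a minimal stand-in for a Kubernetes Pod: only the fields a
// label-selector based scaler needs (assumed shape, not a client-go type).
type Pod struct {
	Namespace string
	Name      string
	Labels    map[string]string
}

// Policy models the cluster-admin switch proposed in the thread. Cross-namespace
// queries are refused unless AllowCrossNamespace is set; AllowedNamespaces is an
// assumed refinement that narrows the switch to admin-listed namespaces.
type Policy struct {
	AllowCrossNamespace bool
	AllowedNamespaces   map[string]bool // consulted only when AllowCrossNamespace is true
}

// ErrNamespaceBoundary is returned when a query would cross the namespace boundary
// without authorization.
var ErrNamespaceBoundary = errors.New("namespace boundary")

// ParseEqualitySelector parses the equality-based subset of Kubernetes label
// selectors ("k1=v1,k2=v2" or "k1==v1"). Set-based and "!=" forms are rejected.
func ParseEqualitySelector(sel string) (map[string]string, error) {
	out := map[string]string{}
	for _, part := range strings.Split(sel, ",") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 || kv[0] == "" || strings.ContainsAny(kv[0], "! ()") {
			return nil, fmt.Errorf("unsupported selector term %q", part)
		}
		out[kv[0]] = strings.TrimPrefix(kv[1], "=") // accept "k==v" as "k=v"
	}
	return out, nil
}

func matches(p Pod, sel map[string]string) bool {
	for k, v := range sel {
		if p.Labels[k] != v {
			return false
		}
	}
	return true
}

// CountMatchingPods is what a ScaledObject living in scaledObjectNS gets back when
// it asks for the pods matching selector in targetNS under the given policy.
func CountMatchingPods(pods []Pod, scaledObjectNS, targetNS, selector string, pol Policy) (int, error) {
	if targetNS != scaledObjectNS {
		if !pol.AllowCrossNamespace {
			return 0, fmt.Errorf("%w: ScaledObject in %q may not query %q", ErrNamespaceBoundary, scaledObjectNS, targetNS)
		}
		if len(pol.AllowedNamespaces) > 0 && !pol.AllowedNamespaces[targetNS] {
			return 0, fmt.Errorf("%w: %q is not in the admin allowlist", ErrNamespaceBoundary, targetNS)
		}
	}
	sel, err := ParseEqualitySelector(selector)
	if err != nil {
		return 0, err
	}
	n := 0
	for _, p := range pods {
		if p.Namespace == targetNS && matches(p, sel) {
			n++
		}
	}
	return n, nil
}

// ClusterFixture is a constructed sample cluster (not real data): a cert-manager
// install carrying its Helm chart labels, plus two tenant namespaces.
func ClusterFixture() []Pod {
	chart := map[string]string{"app.kubernetes.io/instance": "cert-manager", "helm.sh/chart": "cert-manager-v1.12.0"}
	web := map[string]string{"app": "web"}
	return []Pod{
		{Namespace: "cert-manager", Name: "cert-manager-0", Labels: chart},
		{Namespace: "tenant-a", Name: "web-0", Labels: web},
		{Namespace: "tenant-a", Name: "web-1", Labels: web},
		{Namespace: "tenant-b", Name: "web-0", Labels: web},
	}
}

func main() {
	pods := ClusterFixture()
	probe := "app.kubernetes.io/instance=cert-manager,helm.sh/chart=cert-manager-v1.12.0"
	// Default policy: the probe from tenant-a is refused, so nothing is learned.
	_, err := CountMatchingPods(pods, "tenant-a", "cert-manager", probe, Policy{})
	fmt.Println("default policy:", err)
	// Admin-enabled without an allowlist: the match count reveals the chart version.
	n, _ := CountMatchingPods(pods, "tenant-a", "cert-manager", probe, Policy{AllowCrossNamespace: true})
	fmt.Println("cross-namespace enabled, matching pods:", n)
}
```

The probe only needs the count to be non-zero to confirm the version, which is why the selector (not just the namespace) is the sensitive part; the allowlist keeps the flag from becoming cluster-wide read access on labels.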
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.
from keda.