Search Icon
Register

Breaking the Bulkhead: Demystifying Cross-Namespace Reference Vulnerabilities in Kubernetes Operators

Andong Chen (Zhejiang University), Ziyi Guo (Northwestern University), Zhaoxuan Jin (Northwestern University), Zhenyuan Li (Zhejiang University), Yan Chen (Northwestern University)

Kubernetes Operators, automated tools designed to manage application lifecycles within Kubernetes clusters, extend the functionalities of Kubernetes, and reduce the operational burden on human engineers. While Operators significantly simplify DevOps workflows, they introduce new security risks. In particular, Kubernetes enforces namespace isolation to separate workloads and limit user access, ensuring that users can only interact with resources within their authorized namespaces. However, Kubernetes Operators often demand elevated privileges and may interact with resources across multiple namespaces. This introduces a new class of vulnerabilities, the Cross-Namespace Reference Vulnerability. The root cause lies in the mismatch between the declared scope of resources and the implemented scope of the Operator’s logic, resulting in Kubernetes being unable to properly isolate the namespace. Leveraging such vulnerability, an adversary with limited access to a single authorized namespace may exploit the Operator to perform operations affecting other unauthorized namespaces, causing Privilege Escalation and further impacts.

To the best of our knowledge, this paper is the first to systematically investigate Kubernetes Operator attacks. We present Cross-Namespace Reference Vulnerability with two strategies, demonstrating how an attacker can bypass namespace isolation. Through large-scale measurements, we found that over 14% of Operators in the wild are potentially vulnerable.
Our findings have been reported to the relevant developers, resulting in 8 confirmations and 7 CVEs by the time of submission, affecting vendors including the inventor of Kubernetes - Google and the inventor of Operator - Red Hat, highlighting the critical need for enhanced security practices in Kubernetes Operators. To mitigate it, we open-source the static analysis suite and propose concrete mitigation to benefit the ecosystem.

Paper

View More Papers

Towards Bridging the Telemetry Gap for Security Applications in...

Haohuang Wen (The Ohio State University and SE-RAN.ai), Vinod Yegneswaran (SRI and SE-RAN.ai), Phillip Porras (SRI and SE-RAN.ai), Ashish Gehani (SRI and SE-RAN.ai), Prakhar Sharma (SRI and SE-RAN.ai), Zhiqiang Lin (The Ohio State University and SE-RAN.ai)

Read More

Cross-Boundary Mobile Tracking: Exploring Java-to-JavaScript Information Diffusion in WebViews

Sohom Datta (North Carolina State University), Michalis Diamantaris (Technical University of Crete), Ahsan Zafar (North Carolina State University), Junhua Su (North Carolina State University), Anupam Das (North Carolina State University), Jason Polakis (University of Illinois Chicago), Alexandros Kapravelos (North Carolina State University)

Read More

Rounding-Guided Backdoor Injection in Deep Learning Model Quantization

Xiangxiang Chen (Zhejiang University), Peixin Zhang (Singapore Management University), Jun Sun (Singapore Management University), Wenhai Wang (Zhejiang University), Jingyi Wang (Zhejiang University)

Read More