Summary
Fission's Environment CRD exposes spec.runtime.podSpec and spec.builder.podSpec, which are merged into the Kubernetes pod specs of the runtime and builder pods. The merge logic propagated hostNetwork, hostPID, hostIPC, container privileged and serviceAccountName from the user-supplied podSpec without any filtering, and Environment.Validate performed no security-relevant checks on these fields.
Details
A namespace user with create/update on environments.fission.io could produce privileged, host-network, hostPID pods in the Fission function or builder namespace. Because the Helm chart created the fission-function and fission-builder namespaces without pod-security.kubernetes.io/enforce labels, Kubernetes Pod Security Admission did not catch the escape either; that layer only helps where operators have labelled those namespaces themselves.
From a privileged pod with hostPID and hostNetwork, the attacker could nsenter into the host's namespaces, read cloud instance-metadata credentials, access the container-runtime socket, pivot to workloads in other namespaces, and fully compromise the node.
Impact
create/update RBAC on environments.fission.io escalates to node compromise: host filesystem and network access on the node that schedules the pod, and from there potential cluster-wide takeover.
Fix
Fixed in #3391 and released in v1.24.0. The fix is a denylist at admission (the primary defence) plus belt-and-braces sanitization at the merge layer.
Admission denylist (pkg/apis/core/v1/podspec_safety.go::ValidatePodSpecSafety), called from Environment.Validate for both Runtime.PodSpec and Builder.PodSpec:
- pod-level: HostNetwork, HostPID, HostIPC, ServiceAccountName / DeprecatedServiceAccount override, hostPath volumes;
- per-container: SecurityContext.Privileged=true, SecurityContext.AllowPrivilegeEscalation=true, dangerous capabilities (SYS_ADMIN, NET_ADMIN, SYS_PTRACE, SYS_MODULE, DAC_READ_SEARCH, DAC_OVERRIDE).
Update bypass closed: the Environment validating-webhook marker previously covered only verbs=create, so a denylisted field could still be introduced by updating an existing Environment; it is extended to verbs=create;update (chart and envtest manifests aligned).
Merge-layer belt-and-braces (pkg/executor/util/merge.go): even if admission is bypassed (for example a webhook registered with failurePolicy=Ignore, or Environment objects created before the webhook existed), the denylisted pod-level fields are stripped and the dangerous per-container settings are sanitized before the merge, with the SecurityContext deep-copied first so that objects in the shared informer cache are not mutated. Legitimate operator hardening set through the chart's pod-level securityContext (fsGroup, runAsNonRoot, runAsUser) still flows through.
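The two layers side by side, as an added example written for this advisory rather than Fission's own code: ValidatePodSpecSafety rejects and reports, SanitizePodSpec strips on a copy. The struct types are simplified stand-ins for corev1.PodSpec, Container and SecurityContext (field names mirror Kubernetes, but only the denylisted fields are modelled) so the file runs without k8s.io/api; the function names, the helpers and the attackerSpec sample with its "node-admin-sa" and "host-root" values are all assumptions, not identifiers from the Fission code base.

```go
package main

import (
	"fmt"
	"strings"
)

// Simplified stand-ins for corev1.PodSpec, Container and SecurityContext (assumption: only denylist-relevant fields).
type SecurityContext struct {
	Privileged, AllowPrivilegeEscalation *bool
	Capabilities                         []string // corev1 nests this as Capabilities.Add
}
type Container struct {
	Name            string
	SecurityContext *SecurityContext
}
type Volume struct{ Name, HostPath string } // HostPath != "" marks a hostPath volume
type PodSpec struct {
	HostNetwork, HostPID, HostIPC                bool
	ServiceAccountName, DeprecatedServiceAccount string
	Volumes                                      []Volume
	Containers                                   []Container
}

// Capability denylist from the advisory, compared case-insensitively and without any CAP_ prefix.
var dangerousCaps = map[string]bool{"SYS_ADMIN": true, "NET_ADMIN": true, "SYS_PTRACE": true,
	"SYS_MODULE": true, "DAC_READ_SEARCH": true, "DAC_OVERRIDE": true}
func isDangerousCap(c string) bool { return dangerousCaps[strings.TrimPrefix(strings.ToUpper(c), "CAP_")] }
func isTrue(p *bool) bool           { return p != nil && *p }
func boolPtr(b bool) *bool          { return &b }

// ValidatePodSpecSafety is the admission-side check: reject, never fix, and report every violation at once.
func ValidatePodSpecSafety(spec *PodSpec) []string {
	var errs []string
	deny := func(cond bool, msg string) { if cond { errs = append(errs, msg) } }
	deny(spec.HostNetwork, "hostNetwork is not allowed")
	deny(spec.HostPID, "hostPID is not allowed")
	deny(spec.HostIPC, "hostIPC is not allowed")
	deny(spec.ServiceAccountName != "" || spec.DeprecatedServiceAccount != "", "serviceAccountName override is not allowed")
	for _, v := range spec.Volumes {
		deny(v.HostPath != "", fmt.Sprintf("volume %q: hostPath is not allowed", v.Name))
	}
	for _, c := range spec.Containers {
		if sc := c.SecurityContext; sc != nil {
			deny(isTrue(sc.Privileged), fmt.Sprintf("container %q: privileged is not allowed", c.Name))
			deny(isTrue(sc.AllowPrivilegeEscalation), fmt.Sprintf("container %q: allowPrivilegeEscalation is not allowed", c.Name))
			for _, name := range sc.Capabilities {
				deny(isDangerousCap(name), fmt.Sprintf("container %q: capability %s is not allowed", c.Name, name))
			}
		}
	}
	return errs
}

// SanitizePodSpec is the merge-layer fallback: the same denylist applied by stripping, on a copy,
// so the (informer-cached) input is never mutated even when admission was bypassed.
func SanitizePodSpec(spec *PodSpec) *PodSpec {
	out := *spec // everything not denylisted (nodeSelector, tolerations, ...) keeps flowing through
	out.HostNetwork, out.HostPID, out.HostIPC = false, false, false
	out.ServiceAccountName, out.DeprecatedServiceAccount = "", ""
	out.Volumes = nil
	for _, v := range spec.Volumes {
		if v.HostPath == "" {
			out.Volumes = append(out.Volumes, v)
		}
	}
	out.Containers = make([]Container, len(spec.Containers))
	for i, c := range spec.Containers {
		out.Containers[i] = c
		if old := c.SecurityContext; old != nil {
			// Fresh object rather than an in-place edit of old; both flags pinned to false, never weaker than the input.
			sc := &SecurityContext{Privileged: boolPtr(false), AllowPrivilegeEscalation: boolPtr(false)}
			for _, name := range old.Capabilities {
				if !isDangerousCap(name) {
					sc.Capabilities = append(sc.Capabilities, name)
				}
			}
			out.Containers[i].SecurityContext = sc
		}
	}
	return &out
}

// attackerSpec is a constructed podSpec of the kind the advisory describes (hypothetical values).
func attackerSpec() *PodSpec {
	return &PodSpec{
		HostNetwork: true, HostPID: true, ServiceAccountName: "node-admin-sa",
		Volumes: []Volume{{Name: "host-root", HostPath: "/"}, {Name: "scratch"}},
		Containers: []Container{{Name: "runtime", SecurityContext: &SecurityContext{
			Privileged: boolPtr(true), AllowPrivilegeEscalation: boolPtr(true),
			Capabilities: []string{"SYS_ADMIN", "SYS_PTRACE", "NET_BIND_SERVICE"},
		}}},
	}
}

func main() {
	spec := attackerSpec()
	fmt.Println("admission:", strings.Join(ValidatePodSpecSafety(spec), "; "))
	fmt.Println("after sanitize:", ValidatePodSpecSafety(SanitizePodSpec(spec)), "input still privileged:", isTrue(spec.Containers[0].SecurityContext.Privileged))
}
```

Two design points worth carrying into real code: the validator reports every violation rather than stopping at the first, so an Environment author gets the full list in one round trip, and the sanitizer never writes to the object it was handed, which is what makes it safe to run on objects served from a shared informer cache. A production version must also walk initContainers and ephemeralContainers, which this example omits for brevity.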
Behavioural change
Environments that explicitly set any denylisted field are now rejected at admission. There is no legitimate Fission use case — these primitives exist for cluster operators, not Environment authors.
This is the same root cause and fix as GHSA-wmgg-3p4h-48x7.
References