Summary
Fission's Container Executor path lets a tenant supply Function.spec.podspec directly; the executor merges it into the executor-built podspec and creates a Deployment whose pods run the user's container image.
Details
Two flaws compounded:
- pkg/apis/core/v1/validation.go::FunctionSpec.Validate only checked that spec.PodSpec != nil when executorType: container; it did not inspect the content of spec.PodSpec.
- pkg/executor/util/merge.go::MergePodSpec unconditionally forwarded hostPID, hostNetwork, hostIPC, hostPath volumes, serviceAccountName, and container privileged into the Deployment spec via the container-executor sink (pkg/executor/executortype/container/deployment.go::getDeploymentSpec).
A tenant with only functions.fission.io/create could deploy a Function with a crafted podspec that mounted the host root filesystem and shared host namespaces. The executor — running under its high-privilege SA, which holds deployments/create on the function namespace — created that Deployment on the tenant's behalf, turning Function-create into effective deployments/create with arbitrary pod-security configuration.
This is the Function-CRD sibling of GHSA-gx55-f84r-v3r7 / GHSA-wmgg-3p4h-48x7, with a lower attack threshold: regular function developers typically hold functions/create but not environments/create.
Impact
A tenant with only functions.fission.io/create is escalated to node escape via a privileged, host-namespace pod scheduled by the executor.
Fix
Fixed in #3391 and released in v1.24.0.
- FunctionSpec.Validate now calls ValidatePodSpecSafety("Function.spec.podspec", spec.PodSpec) after the existing spec.PodSpec == nil check.
- The Function validating webhook is already registered on verbs=create;update, so it picks up the new validation with no marker change.
- The same merge-layer strip and per-container sanitize used for the Environment path applies here, since the container-executor sink calls util.MergePodSpec.
See GHSA-gx55-f84r-v3r7 for the detailed fix.
Behavioural change
Functions whose spec.podspec sets host namespaces, hostPath volumes, container privileged/allowPrivilegeEscalation, dangerous Linux capabilities, or a serviceAccountName override are now rejected at admission. Legitimate container-executor functions that set image, command, args, env, resources, nodeSelector, tolerations, affinity, non-hostPath volumes, or volumeMounts are unaffected.
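The admission-time check described above, written out as an added example (not Fission's own ValidatePodSpecSafety): a Go validator that walks a tenant-supplied podspec and returns one rejection reason per unsafe setting. The minimal PodSpec/Container/Volume stand-in types, the capability deny-list and the error wording are assumptions for this example, not the real k8s.io/api types or the project's messages.

```go
package main

import "strings"

// Minimal stand-ins for the corev1.PodSpec fields the check inspects; they are an
// assumption for this example, not the real k8s.io/api types.
type Capabilities struct{ Add []string }
type SecurityContext struct {
	Privileged, AllowPrivilegeEscalation *bool
	Capabilities                         *Capabilities
}
type Container struct{ Name string; SecurityContext *SecurityContext }
type Volume struct{ Name string; HostPath *string } // non-nil HostPath marks a hostPath volume
type PodSpec struct {
	HostPID, HostNetwork, HostIPC bool
	ServiceAccountName            string
	Volumes                       []Volume
	Containers                    []Container
}

// Capabilities treated as equivalent to host control; the exact deny-list is an assumption.
var dangerousCaps = map[string]bool{"ALL": true, "SYS_ADMIN": true, "SYS_PTRACE": true, "SYS_MODULE": true, "NET_ADMIN": true}
// ValidatePodSpecSafety returns one rejection reason per unsafe setting in a
// tenant-supplied podspec; an empty result means it is safe to merge.
func ValidatePodSpecSafety(field string, spec *PodSpec) []string {
	var errs []string
	if spec == nil { return errs }
	deny := func(msg string) { errs = append(errs, field+"."+msg) }
	// Host namespaces let the pod see or touch the node's processes, network stack and IPC.
	if spec.HostPID { deny("hostPID must not be set") }
	if spec.HostNetwork { deny("hostNetwork must not be set") }
	if spec.HostIPC { deny("hostIPC must not be set") }
	// The executor picks the service account; a tenant override would borrow its RBAC.
	if spec.ServiceAccountName != "" { deny("serviceAccountName override is not allowed") }
	for _, v := range spec.Volumes {
		if v.HostPath != nil { deny("volumes[" + v.Name + "]: hostPath volumes are not allowed") }
	}
	for _, c := range spec.Containers {
		sc := c.SecurityContext
		if sc == nil { continue }
		cf := "containers[" + c.Name + "].securityContext."
		if sc.Privileged != nil && *sc.Privileged { deny(cf + "privileged must be false") }
		if sc.AllowPrivilegeEscalation != nil && *sc.AllowPrivilegeEscalation { deny(cf + "allowPrivilegeEscalation must be false") }
		if sc.Capabilities == nil { continue }
		for _, capName := range sc.Capabilities.Add {
			if dangerousCaps[strings.TrimPrefix(strings.ToUpper(capName), "CAP_")] { deny(cf + "capabilities.add: " + capName + " is not allowed") }
		}
	}
	return errs
}
```

A webhook would join the returned reasons into the admission denial message; a spec that only sets image, command, env, resources or non-hostPath volumes produces no entries and passes.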
References