Summary
A low-privilege developer who could create a KubernetesWatchTrigger (KWT) in their own namespace was able to establish a persistent surveillance channel over any other namespace.
Details
Two independent flaws compounded:
pkg/kubewatcher/kubewatcher.go::createKubernetesWatch used w.Spec.Namespace (user-controlled) directly as the Watch target without checking it against w.Namespace (the KWT's own namespace). kubewatcher established the Watch
using its cluster-scoped service account and serialized every Pod/Service/Job change event as full JSON over HTTP POST to the attacker's function.
- The validating webhook (
pkg/webhook/kuberneteswatchtrigger.go) registered verbs=create only, so update/patch requests bypassed validation entirely.
A separate leak: an empty spec.namespace resolved to all namespaces via the controller's default, letting an attacker omit the field to surveil the entire cluster.
Impact
A tenant with kuberneteswatchtriggers.fission.io/create could continuously receive full event payloads for Pods, Services, and Jobs in any namespace — a persistent cross-tenant surveillance channel requiring no additional privileges.
Fix
Fixed in #3379 and released in v1.24.0.
- The validating webhook marker is extended to
verbs=create;update.
Validate rejects KubernetesWatchTrigger.spec.namespace != metadata.namespace.
- A controller guard in
createKubernetesWatch rejects cross-namespace targets that bypass admission and coerces an empty Spec.Namespace to the trigger's own namespace.
Behavioural change
KubernetesWatchTriggers with an unset spec.namespace now watch only their own namespace instead of all namespaces. Anyone relying on the previous all-namespaces behaviour must create a separate KWT per namespace.
References
Summary
A low-privilege developer who could create a
KubernetesWatchTrigger(KWT) in their own namespace was able to establish a persistent surveillance channel over any other namespace.Details
Two independent flaws compounded:
pkg/kubewatcher/kubewatcher.go::createKubernetesWatchusedw.Spec.Namespace(user-controlled) directly as the Watch target without checking it againstw.Namespace(the KWT's own namespace).kubewatcherestablished the Watchusing its cluster-scoped service account and serialized every Pod/Service/Job change event as full JSON over HTTP POST to the attacker's function.
pkg/webhook/kuberneteswatchtrigger.go) registeredverbs=createonly, soupdate/patchrequests bypassed validation entirely.A separate leak: an empty
spec.namespaceresolved to all namespaces via the controller's default, letting an attacker omit the field to surveil the entire cluster.Impact
A tenant with
kuberneteswatchtriggers.fission.io/createcould continuously receive full event payloads for Pods, Services, and Jobs in any namespace — a persistent cross-tenant surveillance channel requiring no additional privileges.Fix
Fixed in #3379 and released in v1.24.0.
verbs=create;update.ValidaterejectsKubernetesWatchTrigger.spec.namespace != metadata.namespace.createKubernetesWatchrejects cross-namespace targets that bypass admission and coerces an emptySpec.Namespaceto the trigger's own namespace.Behavioural change
KubernetesWatchTriggers with an unset
spec.namespacenow watch only their own namespace instead of all namespaces. Anyone relying on the previous all-namespaces behaviour must create a separate KWT per namespace.References