+ "details": "kyverno’s apiCall servicecall helper implicitly injects `Authorization: Bearer ...` using the kyverno controller serviceaccount token when a policy does not explicitly set an Authorization header. because `context.apiCall.service.url` is policy-controlled, this can send the kyverno serviceaccount token to an attacker-controlled endpoint (confused deputy).\n\nnamespaced policies are blocked from servicecall usage by the namespaced `urlPath` gate in `pkg/engine/apicall/apiCall.go`, so this report is scoped to ClusterPolicy and global context usage.\n\n## attacker model\n\nthe attacker can create or update a ClusterPolicy (or create a GlobalContextEntry) which uses `context.apiCall.service.url` and can choose the request URL and headers. a cross-boundary framing for real deployments is gitops: if the policy repo/controller is compromised, the ClusterPolicy/global context entry becomes untrusted input to kyverno.\n\n## relevant links\n\n- repository: https://github.com/kyverno/kyverno\n- commit: 17aeb52337fd66adb0c8126213ba076612a287a7\n- callsite (token injection): https://github.com/kyverno/kyverno/blob/17aeb52337fd66adb0c8126213ba076612a287a7/pkg/engine/apicall/executor.go#L150-L173\n- namespaced policy gate (servicecall blocked): https://github.com/kyverno/kyverno/blob/17aeb52337fd66adb0c8126213ba076612a287a7/pkg/engine/apicall/apiCall.go#L67-L83\n\n## root cause\n\nin `(*executor).addHTTPHeaders`, kyverno reads the serviceaccount token from `/var/run/secrets/kubernetes.io/serviceaccount/token` and injects it when the outgoing request has no Authorization header:\n\n```go\nif req.Header.Get(\"Authorization\") == \"\" {\n token := a.getToken()\n if token != \"\" {\n req.Header.Add(\"Authorization\", \"Bearer \"+token)\n }\n}\n```\n\n## proof of concept\n\nthe attached `poc.zip` is a reproducible cluster PoC. it uses an in-cluster HTTP receiver which logs the Authorization header it receives. the PoC does not print token bytes; it only checks that the received header is non-empty and not equal to the negative control.\n\nrun (one command):\n\n```bash\nunzip poc.zip -d poc\ncd poc\nmake test\n```\n\ncanonical (expected: implicit token injection):\n\n```bash\nunzip poc.zip -d poc\ncd poc\nmake canonical\n```\n\nexpected output includes:\n\n```\n[CALLSITE_HIT]: executor.addHTTPHeaders Authorization==\"\" -> read_serviceaccount_token=true\n[PROOF_MARKER]: authorization_header_injected=true token_nonempty=true\n```\n\ncontrol (expected: explicit Authorization header disables auto-injection):\n\n```bash\nunzip poc.zip -d poc\ncd poc\nmake control\n```\n\nexpected output includes:\n\n```\n[CALLSITE_HIT]: executor.addHTTPHeaders Authorization!=\"\" -> autoinject_skipped=true\n[NC_MARKER]: authorization_header_injected=false\n```\n\noptional: the canonical run may also print an `[RBAC]: ...` line using `kubectl auth can-i` with the exfiltrated token, to show concrete privileges without exposing the token.\n\n## impact\n\ntoken exfiltration: the kyverno controller serviceaccount token is sent to a policy-controlled endpoint. impact depends on the rbac bound to that serviceaccount in the target deployment.\n\n## recommended fix\n\ndo not auto-inject the kyverno serviceaccount token into policy-controlled servicecall requests. require explicit Authorization configuration, or enforce a strict allowlist of destinations where credentials may be attached and document the behavior.\n\n## workarounds\n\n- avoid using servicecall to arbitrary urls in policies.\n- set an explicit Authorization header in servicecall policies to prevent implicit token injection.\n\n\n[poc.zip](https://github.com/user-attachments/files/25352288/poc.zip)\n[PR_DESCRIPTION.md](https://github.com/user-attachments/files/25352289/PR_DESCRIPTION.md)\n\noleh",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments