Advisories for Golang/Github.com/Rancher/Local-Path-Provisioner package

A malicious user with permission to edit the local-path-config ConfigMap in the local-path-storage namespace can manipulate the helperPod.yaml template used by rancher/local-path-provisioner. The helperPod.yaml template is loaded by the provisioner and used to create HelperPods during PVC provisioning and cleanup operations. However, the template is not sufficiently validated before use. Security-sensitive fields such as securityContext.privileged, hostPath volumes, and Linux capabilities can be injected into the template. Example malicious HelperPod template: …

A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended directories. Example: apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: annotations: kubectl.kubernetes.io/last-applied-configuration: > {"apiVersion":"storage.k8s.io/v1","kind":"StorageClass","metadata":{"annotations":{},"name":"local-path"},"provisioner":"rancher.io/local-path","reclaimPolicy":"Delete","volumeBindingMode":"WaitForFirstConsumer"} storageclass.kubernetes.io/is-default-class: 'true' name: local-path provisioner: rancher.io/local-path reclaimPolicy: Delete parameters: pathPattern: "{{ .PVC.Namespace }}/{{ .PVC.Name }}/../../../../../etc/new-dir" volumeBindingMode: WaitForFirstConsumer Results in the PersistentVolume to target /etc/new-dir: This produces a PersistentVolume that points to /etc/new-dir, instead …