Leverage the kruise-daemon pod to list all secrets in the entire cluster
Description
A privilege escalation in OpenKruise daemon (0.8.0–1.5.2) lets a node root attacker list all Kubernetes secrets and escalate privileges cluster-wide.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
CVE-2023-30617 is an excessive-privilege vulnerability in the kruise-daemon component of OpenKruise, an automated management system for large-scale applications on Kubernetes. Starting in version 0.8.0 and prior to the patched versions 1.3.1, 1.4.1 and 1.5.2, the kruise-daemon pod is granted cluster-level get and list permissions on Secrets through the RBAC role it is installed with (kruise-daemon-role) [1]. Read access to every Secret in the cluster is far broader than what the ImagePullJob feature, the daemon function that consumes image-pull Secrets, actually needs, and it creates a vector for lateral movement within the cluster.
Attack Vector
An attacker who has already gained root on a node where kruise-daemon is running can read the ServiceAccount token mounted into the daemon container (it is reachable from the node's filesystem or through the container runtime) and use it to list all Secrets across the entire cluster [3]. No credential beyond root on the node is needed, and the API server is not attacked directly: the requests are authenticated with the daemon's own legitimate ServiceAccount, so from the API server's point of view they look like ordinary kruise-daemon traffic.
Impact
Once Secrets are enumerated, the attacker can extract sensitive values, including the token of the kruise-manager ServiceAccount, which typically has elevated permissions (e.g. the ability to modify Pods) [1]. With that stolen credential the attacker can alter existing Pods, create new ones, or escalate further, effectively gaining cluster-wide control [2][3]. The blast radius is therefore not the single compromised node but every namespace whose Secrets are readable, plus whatever the kruise-manager token itself can reach.
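Detection logic for the access pattern described in the Attack Vector and Impact sections above, added here as an example and not part of the advisory or of OpenKruise: it scans Kubernetes API-server audit log lines (JSON, one event per line) for Secret reads by the kruise-daemon ServiceAccount that are either cluster-wide (no objectRef.namespace, which a single ImagePullJob never needs) or target the operator's own namespace, where the kruise-manager token would be kept. The namespace kruise-system, the ServiceAccount name kruise-daemon, the secret names and all sample events are assumptions constructed for the example.

```python
import json

# OpenKruise defaults assumed for this example: the operator namespace and
# the daemon's ServiceAccount name (override them if your install differs).
KRUISE_NS = "kruise-system"
DAEMON_SA = "system:serviceaccount:kruise-system:kruise-daemon"


def _event(verb, user, resource, namespace=None, name=None, ip="10.0.0.12", code=200):
    """Build one audit event in the shape the API server emits (constructed sample data)."""
    ref = {"resource": resource}
    if namespace:
        ref["namespace"] = namespace
    if name:
        ref["name"] = name
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1",
        "stage": "ResponseComplete", "verb": verb,
        "user": {"username": user},
        "objectRef": ref,
        "sourceIPs": [ip],
        "responseStatus": {"code": code},
    })


# Constructed audit log: one benign daemon request, three suspicious ones, one unrelated.
SAMPLE_AUDIT_LOG = "\n".join([
    # benign: the daemon fetching one image-pull Secret referenced by an ImagePullJob
    _event("get", DAEMON_SA, "secrets", namespace="team-a", name="regcred"),
    # suspicious: cluster-wide list of every Secret (no objectRef.namespace at all)
    _event("list", DAEMON_SA, "secrets"),
    # suspicious: the daemon reading a Secret in the operator namespace
    # (the kruise-manager token is the obvious target there)
    _event("get", DAEMON_SA, "secrets", namespace=KRUISE_NS, name="kruise-manager-token-abc12"),
    # noise: some other ServiceAccount listing pods cluster-wide
    _event("list", "system:serviceaccount:monitoring:prometheus", "pods"),
    # denied attempt after the role was narrowed: still worth a finding
    _event("list", DAEMON_SA, "secrets", code=403),
])


def find_secret_enumeration(log_text, daemon_sa=DAEMON_SA, kruise_ns=KRUISE_NS):
    """Return a finding per suspicious Secret access by the daemon SA, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines such as log-rotation banners
        if ev.get("stage") != "ResponseComplete":
            continue  # a request is logged at several stages; count it once
        if ev.get("user", {}).get("username") != daemon_sa:
            continue
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "secrets":
            continue
        ns = ref.get("namespace")
        verb = ev.get("verb")
        if verb in ("list", "watch") and ns is None:
            reason = "cluster-wide secret enumeration"
        elif ns == kruise_ns:
            reason = "secret access in operator namespace"
        else:
            continue  # a namespaced get/list is consistent with ImagePullJob use
        findings.append({
            "reason": reason,
            "verb": verb,
            "namespace": ns,
            "name": ref.get("name"),
            "source_ip": (ev.get("sourceIPs") or [None])[0],
            "status": (ev.get("responseStatus") or {}).get("code"),
        })
    return findings


if __name__ == "__main__":
    for f in find_secret_enumeration(SAMPLE_AUDIT_LOG):
        print(f)
```

This only works if the audit policy records Secret requests at least at Metadata level for the daemon's ServiceAccount; the upstream example policy does so, but a policy that drops Secret events (a common choice to avoid logging Secret contents at RequestResponse level) will hide the enumeration entirely. Denied (403) attempts are kept as findings on purpose: after the role is narrowed they are the signal that someone on a node is still trying.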
Mitigation
OpenKruise has released fixed versions: v1.3.1 (for the 1.3.x branch), v1.4.1 and v1.5.2 [1]. Users unable to upgrade immediately can apply the workaround: if the ImagePullJob feature is not in use, edit kruise-daemon-role to remove the cluster-level get and list permissions on Secrets [1][3]. Because the daemon's token is readable by anyone with root on a node, any cluster that ran a vulnerable version on an untrusted or compromised node should also treat Secrets that were listable at the time, the kruise-manager token included, as potentially exposed. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
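A way to audit and narrow the daemon's role as the workaround above describes, added here as an example and not OpenKruise's own code or manifest: it evaluates ClusterRole rules with Kubernetes RBAC matching semantics (apiGroups, resources and verbs are matched independently, with "*" as a wildcard), reports which Secret read verbs the role grants, and returns a copy with core-group secrets removed. The rule list below is a constructed stand-in for kruise-daemon-role, not the real manifest, and wildcard rules are flagged for manual rewriting rather than silently narrowed.

```python
import copy
import json

CORE_GROUP = ""                       # the core API group, where Secrets live
SECRET_READ_VERBS = {"get", "list", "watch"}

# Constructed stand-in for the pre-fix kruise-daemon-role; the rules are illustrative.
KRUISE_DAEMON_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "kruise-daemon-role"},
    "rules": [
        {"apiGroups": [""], "resources": ["nodes", "pods"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["pods/status"], "verbs": ["patch", "update"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": ["apps.kruise.io"], "resources": ["imagepulljobs"], "verbs": ["get", "list", "watch"]},
    ],
}


def _matches(values, want):
    """RBAC list matching: a literal entry or the "*" wildcard."""
    return "*" in values or want in values


def rule_allows(rule, group, resource, verb):
    """True if one PolicyRule grants `verb` on `resource` in `group`."""
    return (_matches(rule.get("apiGroups", []), group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def secret_read_verbs(role):
    """Which of get/list/watch on core-group Secrets the role grants (union over rules)."""
    return {v for rule in role["rules"] for v in SECRET_READ_VERBS
            if rule_allows(rule, CORE_GROUP, "secrets", v)}


def drop_secret_access(role):
    """Return (narrowed copy, rules needing manual review).

    'secrets' is removed from every core-group rule that names it; a rule left
    with no resources is dropped. Rules that reach Secrets via a resources
    wildcard are reported rather than rewritten, since the tool cannot know
    which other resources they were meant to cover.
    """
    narrowed = copy.deepcopy(role)
    kept, needs_manual = [], []
    for rule in narrowed["rules"]:
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        if _matches(groups, CORE_GROUP):
            if "secrets" in resources:
                resources = [r for r in resources if r != "secrets"]
                if not resources:
                    continue          # the rule granted nothing but Secrets
                rule = dict(rule, resources=resources)
            if "*" in resources:
                needs_manual.append(rule)
        kept.append(rule)
    narrowed["rules"] = kept
    return narrowed, needs_manual


def to_manifest_json(role):
    """Serialise a role for `kubectl apply -f -` (JSON is valid YAML)."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    print("before:", sorted(secret_read_verbs(KRUISE_DAEMON_ROLE)))
    fixed, review = drop_secret_access(KRUISE_DAEMON_ROLE)
    print("after:", sorted(secret_read_verbs(fixed)), "manual review:", review)
    print(to_manifest_json(fixed))
```

Feed the real role in with `kubectl get clusterrole kruise-daemon-role -o json`, and after applying the narrowed manifest confirm the effective permission rather than the static rules, since other bindings may also reach the daemon's ServiceAccount: `kubectl auth can-i list secrets -A --as=system:serviceaccount:kruise-system:kruise-daemon` should answer `no` (kruise-system is the assumed default namespace). Remember the workaround is only valid when ImagePullJob is not used; otherwise upgrade to a patched release.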
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/openkruise/kruise (Go) | >= 0.8.0, < 1.3.1 | 1.3.1 |
| github.com/openkruise/kruise (Go) | >= 1.4.0, < 1.4.1 | 1.4.1 |
| github.com/openkruise/kruise (Go) | >= 1.5.0, < 1.5.2 | 1.5.2 |
Affected products
- Range: >= 0.8.0, < 1.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-437m-7hj5-9mpw (GitHub Security Advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2023-30617 (NVD)
- [3] https://github.com/openkruise/kruise/security/advisories/GHSA-437m-7hj5-9mpw (vendor advisory)
News mentions
No linked articles in our index yet.