
Bug: Multiple vulnerabilities detected on devtroncd & argo namespace

Open · wali97 opened this issue 2 years ago · 1 comment

📜 Description

I've deployed devtron v0.6.8 on a private GKE cluster and enabled the GKE security posture feature in GCP. After scanning, it showed more than 1k+ vulnerabilities in the devtroncd namespace alone, of which 600 are medium, 150 high and 15 critical. This poses a major threat to the overall cluster, and because of this it wouldn't be a good option to deploy devtron in a prod environment.

👟 Reproduction steps

Configure a GKE cluster, deploy devtron on it and turn the security posture feature on.

👍 Expected behavior

No or very few vulnerabilities should occur.

👎 Actual Behavior

Attached is an overview of the vulnerabilities found.

☸ Kubernetes version

GKE v1.23

Cloud provider

GCP

🌍 Browser

Chrome

🧱 Your Environment

No response

✅ Proposed Solution

To fix this, update the library packages used in devtron and disable running pod containers as root in the argo workflow-controller pod.

👀 Have you spent some time to check if this issue has been raised before?

  • [X] I checked and didn't find any similar issue

🏢 Have you read the Code of Conduct?

wali97 avatar Dec 07 '22 08:12 wali97

Hi @wali97 Thanks for reporting the issue. We have a responsible disclosure policy at https://github.com/devtron-labs/devtron#bug-vulnerability-reporting.

Also, it runs in privileged mode because it uses DIND, which requires privileged access. It is the same one used by the Jenkins agent and provided by other providers. There is also a great blog by the Applatix team (original creators of Argo Workflows) on DIND at https://applatix.com/case-docker-docker-kubernetes-part-2/

Though they are considered not root-safe, they are considered valuable in a trusted workload environment. You can read more about it at https://brauner.io/2019/02/12/privileged-containers.html

A Devtron installation is not multi-tenant; it is installed within your infrastructure, running workloads approved by your team, so it is running trusted workloads. Additionally, these are temporary isolated nodes and can therefore be further hardened.

Additionally, we are also exploring a few mechanisms to do it without DIND so that we don't need privileged access, e.g. migrating to emissary. Can you please open an issue for migration to emissary?

Please send us the details of the vulnerabilities at [email protected].

pghildiyal avatar Dec 08 '22 14:12 pghildiyal
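The reply above accepts that the DIND-based workflow runner is privileged and relies on the rest of the namespace being a trusted, single-tenant environment. Before deciding whether that trade-off is acceptable in a given cluster, a practitioner will want an inventory of exactly which containers in `devtroncd` (or the Argo namespace) are privileged, run as uid 0, or leave the user unspecified. The script below is an added example, not Devtron's or Argo's code: it audits the JSON that `kubectl get pods -n <namespace> -o json` emits, applying Kubernetes' precedence rule that a container-level `securityContext` overrides the pod-level one. The embedded pod list is constructed for illustration; its pod and container names are assumptions and do not describe what Devtron actually deploys.

```python
"""Audit a pod list for privileged containers and root users.

Added example, not part of the Devtron or Argo projects. Reads the shape that
`kubectl get pods -n <ns> -o json` produces, either from stdin or from the
constructed sample below.
"""
import json
import sys

# Constructed sample in the shape of `kubectl get pods -o json`. Pod names,
# container names and settings are illustrative assumptions, not a capture
# from a real devtroncd namespace.
SAMPLE_POD_LIST = json.dumps({
    "kind": "PodList",
    "items": [
        {
            "metadata": {"name": "workflow-runner-abc", "namespace": "devtron-ci"},
            "spec": {
                "securityContext": {},
                "containers": [
                    {"name": "main", "securityContext": {"runAsUser": 0}},
                    {"name": "dind", "securityContext": {"privileged": True}},
                ],
            },
        },
        {
            "metadata": {"name": "hardened-app", "namespace": "devtroncd"},
            "spec": {
                "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
                "containers": [
                    {"name": "app",
                     "securityContext": {"allowPrivilegeEscalation": False}},
                ],
            },
        },
        {
            "metadata": {"name": "unspecified-app", "namespace": "devtroncd"},
            "spec": {"containers": [{"name": "app"}]},
        },
    ],
})


def container_findings(pod_sc, container):
    """Return findings for one container, given the pod-level securityContext."""
    csc = container.get("securityContext") or {}
    findings = []
    if csc.get("privileged"):
        findings.append("privileged")
    # Container-level fields win; fall back to the pod-level securityContext.
    run_as_user = csc.get("runAsUser", pod_sc.get("runAsUser"))
    run_as_non_root = csc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    if run_as_user == 0:
        findings.append("runs as uid 0")
    elif run_as_user is None and not run_as_non_root:
        # Neither a UID nor runAsNonRoot is set: the image's USER decides,
        # which is root for most base images. Report it as unspecified.
        findings.append("user unspecified (image default, often root)")
    # allowPrivilegeEscalation defaults to true; it is always true when
    # privileged, so only report it separately for non-privileged containers.
    if "privileged" not in findings and csc.get("allowPrivilegeEscalation", True):
        findings.append("allowPrivilegeEscalation not disabled")
    return findings


def audit_pod_list(pod_list_json):
    """Return {pod_name: {container_name: [findings]}} for flagged containers only."""
    pod_list = json.loads(pod_list_json)
    report = {}
    for pod in pod_list.get("items", []):
        name = pod["metadata"]["name"]
        spec = pod["spec"]
        pod_sc = spec.get("securityContext") or {}
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            findings = container_findings(pod_sc, c)
            if findings:
                report.setdefault(name, {})[c["name"]] = findings
    return report


if __name__ == "__main__":
    # Usage: kubectl get pods -n devtroncd -o json | python audit_pods.py
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    for pod, containers in audit_pod_list(data or SAMPLE_POD_LIST).items():
        for container, findings in containers.items():
            print(f"{pod}/{container}: {', '.join(findings)}")
```

On the constructed sample, the fully hardened pod produces no output while the runner pod is reported twice (a uid 0 main container and a privileged DIND sidecar). Run against a live namespace, the output is the list that the reply's "can be further hardened" remark has to be weighed against: anything flagged `privileged` is effectively host-level access on the node it lands on, so those pods should be pinned to the temporary, isolated nodes the reply mentions rather than sharing nodes with the rest of the control plane.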

Resolved by #4839

prakarsh-dt avatar Aug 05 '24 08:08 prakarsh-dt