Add a warning about the possibility of executing remote code using kubectl config

[savitharaghunathan]

This is a Feature Request

Add a warning about the possibility of remote code execution to kubectl config concepts and/or tasks page

If possible, please add more documentation to https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#config

Background reading: https://banzaicloud.com/blog/kubeconfig-security/

Thanks, @tabbysable for bringing this issue to attention.

What would you like to be added
Warning or more documentation around possible kubectl config options

Why is this needed
This would help cluster admins to be aware of the possibility of a certain attack vector (remote code exec) using kubectl config

/assign @gracenng

[savitharaghunathan]

/sig security
/triage accepted

[gracenng]

Hello, I have a couple clarifying questions from my end:

• I’m lost in the weeds looking for the kubectl config Github location, I figured it’d be around here , where do I go to edit the kubectl config reference ?
• Is there an example of warnings in the reference site that I could follow in terms of formatting ?
• The Banzai article mentions adding warnings in Go SDK as well. I’m not too familiar with Go and this might be out of our scope, but where would I make the PR to Go SDK?
• Silly goose question but remote code injection is the same as shell injection right?

This will be my first PR in the project, all inputs are much appreciated ❤️️

[tabbysable]

For the last question... getting to really specific definitions of terms like those gets super complicated. :-)

In this case I wouldn't call it "injection" at all, because to me that implies a normal thing is happening and you are unexpectedly introducing your code where your code does not belong. SQL injection provides a great example of this usage: where you would put a datum such as your name, instead you put SQL code, and 🎉 your SQL code runs, and that's SQL injection.

I think I would just call it "code execution" or "command execution" or "shell command execution". They'll all mean the same thing in this context, and are all accurate, just depends on your writing style.

In general with exec credential provider, I wouldn't call it 'remote' because it's not always remote: the command execution happens wherever the kubeconfig is used. that could be local to your machine (e.g. somebody tricks you into running a kubeconfig that runs commands on your machine) or remote (e.g. you fool an automated system into running a kubeconfig that lets you run commands remotely) depending on the context. So you might say that Server Product Foo has a Remote Code Execution flaw due to handling untrusted kubeconfig files, but the feature itself is more general than that, it's just command or code execution.

please keep in touch and thanks for helping!

[gracenng]

Hello! I created a PR here for the "Cluster Access" pages in Task and Concept. Still havent able to find the Github page for the generated reference page

PTAL. Specifically:

• Should the warning come before or after the note?
• Would it be useful/ appropriate to inlcude the Bonzai Cloud article in the warning? A simple search of "kubeconfig code execution" does bring it up.

Thanks! ❤️

[savitharaghunathan]

Hello! I created a PR here for the "Cluster Access" pages in Task and Concept. Still havent able to find the Github page for the generated reference page

PTAL. Specifically:

* Should the `warning` come before or after the `note`?

@sftim @kbhawkey - is there any order of placement for adding notes and warnings?

* Would it be useful/ appropriate to inlcude the Bonzai Cloud article in the warning? A simple search of "kubeconfig code execution" does bring it up.

I am not sure about the right course of action here. If the link becomes unavailable then it will be a maintenance overhead. @tabbysable WDYT?

[kbhawkey]

👀

[kbhawkey]

Hi. @gracenng , the kubectl reference is auto-generated from the kubectl command descriptions/content.

[tabbysable]

* Should the `warning` come before or after the `note`?

I think it looks nice right now, with the warning after the note.

* Would it be useful/ appropriate to inlcude the Bonzai Cloud article in the warning? A simple search of "kubeconfig code execution" does bring it up.

I agree this is a complex question: it would be nice to offer further information, but linking to external resources we don't control gives the danger of the link going away in the future.
@kubernetes/sig-docs-en-reviews do you have any general guidance on external links in k8s documentation?