gcloud-gke-sandbox-disabled: GKE Cluster Not Using Sandbox with gVisor

日期: 2025-08-01 | 影响软件: gcloud-gke | POC: 已公开

漏洞描述

Ensure that your Google Kubernetes Engine (GKE) clusters are configured to use GKE Sandbox with gVisor to provide an additional layer of security isolation for containers. GKE Sandbox uses gVisor, a container runtime sandbox, to help isolate containers and protect the underlying host kernel.

PoC代码[已公开]

id: gcloud-gke-sandbox-disabled

info:
  name: GKE Cluster Not Using Sandbox with gVisor
  author: princechaddha
  severity: medium
  description: |
    Ensure that your Google Kubernetes Engine (GKE) clusters are configured to use GKE Sandbox with gVisor to provide an additional layer of security isolation for containers. GKE Sandbox uses gVisor, a container runtime sandbox, to help isolate containers and protect the underlying host kernel.
  impact: |
    Without GKE Sandbox enabled, containers may have direct access to host kernel system calls, potentially increasing security risks and vulnerability to container escape attacks.
  remediation: |
    Enable GKE Sandbox for your clusters using the 'gcloud container clusters create' command with --sandbox=type=gvisor flag or modify existing node pools to use gVisor sandbox.
  reference:
    - https://cloud.google.com/kubernetes-engine/docs/how-to/sandbox-pods
    - https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/GKE/enable-gke-sandbox-with-gvisor.html
  tags: cloud,devops,gcp,gcloud,gke,kubernetes,security,sandbox,gvisor,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let cluster of iterate(template.clusters)){
      cluster = JSON.parse(cluster)
      set("clusterName", cluster.name)
      set("location", cluster.location)
      code(3)
    }
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  - engine:
      - sh
      - bash
    source: |
      gcloud container clusters list --project $projectId --format="json(name,location)"

    extractors:
      - type: json
        name: clusters
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      gcloud container clusters describe $clusterName --location $location --project $projectId --format="json(nodePools[].config.sandboxConfig.type)"

    matchers:
      - type: word
        words:
          - "null"

    extractors:
      - type: dsl
        dsl:
          - '"GKE cluster " + clusterName + " in " + location + " of project " + projectId + " does not have Sandbox with gVisor enabled"'
# digest: 4a0a0047304502203b8ac0ab6fd9ee42b6a61e47efc33d2b6e5631da71b2d2f8f7d9b8fe2011449d022100b0a23f1e7015bcc891d4717b1cdbf0e053307914a7fabab9b0c16edf485ebae6:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./cloud/gcp/gke/gcloud-gke-sandbox-disabled.yaml

相关漏洞推荐