Severity: Critical (active)

Rancher Fleet Multi-Tenant Namespace Isolation Bypass via Unvalidated valuesFrom References

Fleet's Helm Deployer fails to validate cross-namespace secret references in `valuesFrom` configurations, allowing authenticated tenants to read arbitrary secrets and deploy unauthorized cluster-wide resources across tenant boundaries in multi-tenant environments.

Sebastion

CVE References

Affected

Rancher/Fleet

Vulnerability Description

The vulnerability stems from insufficient input validation in Fleet's Helm Deployer when it processes valuesFrom entries declared in fleet.yaml, GitRepo, HelmOp, and Bundle resources. The root cause is the absence of a namespace-scoped authorization check when a secretKeyRef or configMapKeyRef is resolved: the deployer honours the namespace named in the reference without checking that it belongs to the tenant that owns the manifest. An attacker with tenant-level access can therefore craft a manifest whose valuesFrom entries point at secrets in other namespaces, bypassing the intended multi-tenant isolation model. The same missing check affects authorization of cluster-wide resource deployment, so a tenant can create resources outside the restrictions that its own service account would normally impose.

Proof-of-Concept Significance

The PoC demonstrates that validation occurs only at the reference-name level, not at the namespace boundary. An attacker needs to know the target secret's name, namespace, and key; this is a realistic requirement in shared clusters, where namespace and secret naming conventions are often predictable (e.g., kube-system, monitoring, secrets). Once the preconditions are met (a multi-tenant deployment with shared downstream clusters and GitOps-based Fleet configuration), the attack is reliable and repeatable.

Detection Guidance

Monitor for: (1) GitRepo, HelmOp, or Bundle resources containing valuesFrom references whose namespace field differs from the namespace of the resource that declares them; (2) failed or successful Helm deployments targeting cross-namespace secrets in audit logs; (3) service account tokens or credentials appearing in unexpected namespaces; (4) anomalous GET calls for secrets or configmaps made by Fleet agent service accounts outside their assigned namespaces; (5) cluster role bindings or service accounts with cluster-wide scope created by tenants. In Kubernetes audit logs, query the secretKeyRef and configMapKeyRef entries under valuesFrom for a namespace outside the requesting tenant's scope. Note that the object body (requestObject/responseObject) is only recorded when the audit policy logs fleet.cattle.io resources at the RequestResponse level; the default Metadata level records the verb and resource name but not the reference.

Mitigation Steps

Immediate: upgrade Fleet to a patched version that implements the new Policy resource for namespace-scoped validation. Short-term: audit existing GitRepo, HelmOp, and Bundle manifests for cross-namespace valuesFrom references; rotate any service account tokens and secrets that such references could have exposed; apply restrictive RBAC policies that limit Fleet agent service accounts to their assigned namespaces only. Configuration: enforce Pod Security Admission (Pod Security Policies were removed in Kubernetes 1.25) and NetworkPolicies to restrict agent communication; enable audit logging for all secret and configmap access; use a validating admission webhook to reject Bundle and HelmOp objects whose valuesFrom references name a namespace other than the object's own.
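The following is an added example, not code from Fleet or from this advisory's author. It implements the detection query from the Detection Guidance section and the admission-webhook rejection from the Mitigation Steps section with one shared check: walk a Bundle or HelmOp object and flag every secretKeyRef or configMapKeyRef under valuesFrom whose namespace is not the object's own. The field paths (spec.helm.valuesFrom and spec.targets[i].helm.valuesFrom, each entry holding secretKeyRef/configMapKeyRef with name, namespace and key) are assumed from the Fleet v1alpha1 API; the audit events and AdmissionReview body are constructed sample data, and the user and object names in them are invented.

```python
import json

# Fleet kinds whose spec can carry helm.valuesFrom (assumed from the Fleet v1alpha1 API).
WATCHED_KINDS = {"Bundle", "HelmOp"}


def values_from_blocks(spec):
    """Yield (json_path, valuesFrom list) for spec.helm and for each spec.targets[i].helm override."""
    helm = spec.get("helm") or {}
    if helm.get("valuesFrom"):
        yield "spec.helm.valuesFrom", helm["valuesFrom"]
    for i, target in enumerate(spec.get("targets") or []):
        target_helm = target.get("helm") or {}
        if target_helm.get("valuesFrom"):
            yield f"spec.targets[{i}].helm.valuesFrom", target_helm["valuesFrom"]


def cross_namespace_refs(obj):
    """One finding per reference that points outside obj's own namespace.

    A ref without a namespace field resolves in the object's namespace and is not flagged.
    """
    own_ns = obj.get("metadata", {}).get("namespace")
    findings = []
    for path, entries in values_from_blocks(obj.get("spec") or {}):
        for i, entry in enumerate(entries):
            for field, kind in (("secretKeyRef", "Secret"), ("configMapKeyRef", "ConfigMap")):
                ref = entry.get(field)
                if not ref:
                    continue
                ref_ns = ref.get("namespace") or own_ns
                if ref_ns != own_ns:
                    findings.append({"path": f"{path}[{i}].{field}", "kind": kind,
                                     "namespace": ref_ns, "name": ref.get("name")})
    return findings


def scan_audit_log(lines):
    """Detection: scan audit events (one JSON object per line) for cross-namespace valuesFrom.

    Requires audit level RequestResponse so the object body is logged. responseObject is
    preferred because for a 'patch' the requestObject holds only the patch, not the object.
    """
    alerts = []
    for line in lines:
        event = json.loads(line)
        if event.get("verb") not in ("create", "update", "patch"):
            continue
        obj = event.get("responseObject") or event.get("requestObject") or {}
        if obj.get("kind") not in WATCHED_KINDS:
            continue
        for finding in cross_namespace_refs(obj):
            alerts.append({"user": event.get("user", {}).get("username"),
                           "object": f"{obj['kind']}/{obj['metadata']['namespace']}/{obj['metadata']['name']}",
                           **finding})
    return alerts


def admission_response(review):
    """Prevention: the body a ValidatingAdmissionWebhook returns; denies on any cross-namespace ref."""
    request = review["request"]
    obj = request.get("object") or {}
    findings = cross_namespace_refs(obj) if obj.get("kind") in WATCHED_KINDS else []
    response = {"uid": request["uid"], "allowed": not findings}
    if findings:
        response["status"] = {"code": 403, "message": "; ".join(
            f"{f['path']} references {f['kind']} {f['namespace']}/{f['name']}" for f in findings)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def _bundle(namespace, name, values_from):
    """Minimal Bundle object; constructed sample data, not a cluster export."""
    return {"apiVersion": "fleet.cattle.io/v1alpha1", "kind": "Bundle",
            "metadata": {"namespace": namespace, "name": name},
            "spec": {"helm": {"chart": "app", "valuesFrom": values_from}}}


# Constructed samples: tenant-a reaching into 'monitoring', beside a benign in-namespace ref.
EVIL_BUNDLE = _bundle("tenant-a", "app-evil", [
    {"secretKeyRef": {"name": "grafana-admin", "namespace": "monitoring", "key": "values.yaml"}}])
OK_BUNDLE = _bundle("tenant-a", "app-ok", [
    {"configMapKeyRef": {"name": "app-values", "key": "values.yaml"}}])
SAMPLE_AUDIT_LINES = [
    json.dumps({"verb": "create", "user": {"username": "tenant-a-deployer"}, "responseObject": EVIL_BUNDLE}),
    json.dumps({"verb": "create", "user": {"username": "tenant-a-deployer"}, "responseObject": OK_BUNDLE}),
]
SAMPLE_REVIEW = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
                 "request": {"uid": "0000-1111", "object": EVIL_BUNDLE}}

if __name__ == "__main__":
    for alert in scan_audit_log(SAMPLE_AUDIT_LINES):
        print("ALERT", alert)
    print(json.dumps(admission_response(SAMPLE_REVIEW)["response"], indent=2))
```

The check treats a missing namespace field as "same namespace as the object", which matches the safe default and avoids false positives on ordinary manifests; a reference that names the object's own namespace explicitly is also accepted. The same function drives both paths so that the detection rule and the admission rule cannot drift apart. Note that Bundles derived from fleet.yaml are created by the Fleet controller rather than by the tenant directly, so the audit scan keys on the object's namespace, not on the requesting user, to attribute the finding to a tenant.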

Risk Assessment

Likelihood of exploitation is high in multi-tenant environments, particularly those using GitOps workflows with shared downstream clusters (common in managed Kubernetes and SaaS platforms). Threat actor interest is strong: the flaw enables lateral movement, credential theft, and privilege escalation within shared infrastructure. The attack requires only tenant-level access, with no zero-day or complex exploitation technique involved. Organizations running Fleet should assume compromise scenarios and prioritize patching. Insider threats and compromised CI/CD pipelines, both of which already hold tenant-level access, make this vector particularly dangerous in regulated environments.