catalog logoThe IAM Privilege Catalog

services / Google Cloud / Frontend config custom resource definition for Google Kubernetes Engine

FrontendConfig objects configure two ingress features on Kubernetes Engine: 1) SSL proxy 2) HTTPS-to-HTTP redirect

FrontendConfig is a piece of reusable configuration for an Ingress object. A FrontendConfig does not take effect unless it is associated with an Ingress object via annotations.

container.​frontendConfigs.​create

An attacker may manipulate Ingress settings if they are also allowed to associate BackendConfig objects with Ingress objects using container.ingresses.update or container.ingresses.create permissions.

Risks

  1. Network destruction (HIGH)

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https:​/​/​cloud.​google.​com/​kubernetes-​engine/​docs/​how-​to/​ingress-​configuration#​configuring_​ingress_​features_​through_​frontendconfig_​parameters
  • https:​/​/​cloud.​google.​com/​kubernetes-​engine/​docs/​how-​to/​ingress-​configuration#​associating_​frontendconfig_​with_​your_​ingress

    • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog