This issue was reported in the Kubernetes Security Audit Report
Description
Kubernetes supports multiple backends for authentication and authorization, one of which is the Attribute-Based Access Control (ABAC) backend. This backend uses a format consisting of a single-line JSON object on each line.
```go
for scanner.Scan() {
    i++
    p := &abac.Policy{}
    b := scanner.Bytes()
    // skip comment lines and blank lines
    trimmed := strings.TrimSpace(string(b))
    if len(trimmed) == 0 || strings.HasPrefix(trimmed, "#") {
        continue
    }
    decodedObj, _, err := decoder.Decode(b, nil, nil)
    ...
```
Figure 31.1: A portion of NewFromFile - kubernetes-1.13.4/pkg/auth/authorizer/abac/abac.go
This line-delimited format leads to two main issues:

- The format is prone to human error. Forcing JSON objects into a single line increases the difficulty of audits and the need for specialized tooling.
- JSON objects are arbitrarily restricted to the size of Scanner tokens, or about 65k characters as of this report.
From a more systemic perspective, the use of various formats across the system (JSON, YAML, line-delimited, etc) leads to increased surface area for parsing vulnerabilities.
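The token-size limit in the second point is easy to reproduce. The following is an added example, not code from the Kubernetes repository or the audit report: it re-implements the quoted loop over a constructed stand-in `policy` type (not `abac.Policy`) and shows that a policy line over bufio's default 64 KiB cap stops the scan early, which only a `scanner.Err()` check after the loop exposes.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)
// policy is a constructed stand-in for abac.Policy, not the Kubernetes type.
type policy struct {
	Kind string `json:"kind"`
	Spec struct {
		User string `json:"user"`
	} `json:"spec"`
}

// loadPolicies mirrors the NewFromFile loop quoted above: one JSON object per
// line, blank and "#" lines skipped. maxLine caps the scanner token; 0 keeps
// bufio's default, bufio.MaxScanTokenSize (64 KiB).
func loadPolicies(r io.Reader, maxLine int) ([]policy, error) {
	scanner := bufio.NewScanner(r)
	if maxLine > 0 {
		scanner.Buffer(make([]byte, 0, 4096), maxLine)
	}
	var out []policy
	for i := 1; scanner.Scan(); i++ {
		trimmed := strings.TrimSpace(scanner.Text())
		if len(trimmed) == 0 || strings.HasPrefix(trimmed, "#") {
			continue
		}
		var p policy
		if err := json.Unmarshal([]byte(trimmed), &p); err != nil {
			return nil, fmt.Errorf("line %d: %w", i, err)
		}
		out = append(out, p)
	}
	// A line over the cap makes Scan() return false early; only this check surfaces
	// it (bufio.ErrTooLong). Skip it and that policy and all later ones are dropped.
	if err := scanner.Err(); err != nil {
		return nil, err
	}
	return out, nil
}
func main() {
	big := `{"kind":"Policy","spec":{"user":"` + strings.Repeat("u", 70000) + `"}}` + "\n"
	_, err := loadPolicies(strings.NewReader(big), 0)
	ps, _ := loadPolicies(strings.NewReader(big), 1<<20)
	fmt.Println("64 KiB cap:", err, "| 1 MiB cap: loaded", len(ps))
}
```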
Recommendation
Short term, improve the semantics of ABAC configuration file parsing.
Long term, consider consolidating the use of multiple configuration file formats, and preventing arbitrary formats from being introduced into the system.
Anything else we need to know?:
See #81146 for current status of all issues created from these findings.
The vendor gave this issue an ID of TOB-K8S-017 and it was finding 32 of the report.
The vendor considers this issue Informational Severity.
To view the original finding, begin on page 78 of the Kubernetes Security Review Report
Environment:
- Kubernetes version: 1.13.4