The issue revolves around permissions, with GKE allowing users access to the system with any valid Google account. Orca Security said this creates a “significant security loophole when administrators decide to bind this group with overly permissive roles.”
Orca Security noted that Google considers this to be “intended behavior” because in the end, this is an assigned permission vulnerability that can be prevented by the user. Customers are responsible for the access controls they configure.
The researchers backed Google’s assessment that organizations should “take responsibility and not deploy their assets and permissions in a way that carries security risks and vulnerabilities.”