Dito wanted to write a quick post (posted on 12/4/18 at 11:27 am PST) to help bring awareness to a recently discovered Kubernetes flaw that is making its way through the container community.
TLDR – A privilege escalation flaw was found that affects all master versions of the Kubernetes API server. Google Cloud customer clusters were already patched by Google, so no action is required. To our knowledge at the time of publishing, AWS and Azure have not released automated patches for customers yet.
The privilege escalation flaw (CVE-2018-1002105) makes it possible for any actor to gain full administrator privileges on any compute node being run in a Kubernetes cluster. Not only can this actor steal sensitive data or inject malicious code, but they can also bring down whole production applications and services from within an organization's firewall.
Affected Versions:
- Kubernetes v1.0.x-1.9.x
- Kubernetes v1.10.0-1.10.10 (fixed in v1.10.11)
- Kubernetes v1.11.0-1.11.4 (fixed in v1.11.5)
- Kubernetes v1.12.0-1.12.2 (fixed in v1.12.3)
Kubernetes v1.10.11, v1.11.5, and v1.12.3 have all been released to address CVE-2018-1002105.
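To check a fleet against the list above, here is an added example (not part of the original post) that classifies the API server `gitVersion` reported by `kubectl version -o json`. The cluster names, the `-vendor.2` build and the status labels are constructed for illustration; minor lines the list does not mention are reported as `not-listed` rather than guessed.

```python
import json
import re

FIXED_PATCH = {10: 11, 11: 5, 12: 3}  # minor -> fixing patch, from the list above
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+](.+))?$")
_PRERELEASE_RE = re.compile(r"^(alpha|beta|rc)\b")


def classify(git_version):
    """Classify an API server gitVersion against the affected ranges above."""
    m = _VERSION_RE.match(git_version.strip())
    if not m:
        return "unknown"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    suffix = m.group(4) or ""
    prerelease = bool(_PRERELEASE_RE.match(suffix))
    if major != 1 or minor > 12:
        return "not-listed"  # the list above gives no data for these lines
    if minor >= 10:
        fixed = FIXED_PATCH[minor]
        # A pre-release of the fixed patch (e.g. -rc.1) sorts before it.
        if patch > fixed or (patch == fixed and not prerelease):
            return "fixed"
    # Provider builds (suffix such as "-gke.N") may carry a backported fix
    # that the upstream number cannot show: defer to the provider bulletin.
    if suffix and not prerelease:
        return "check-vendor"
    return "affected"


def audit(inventory):
    """inventory maps cluster name -> `kubectl version -o json` output."""
    report = {}
    for name, raw in inventory.items():
        server = json.loads(raw).get("serverVersion") or {}
        report[name] = classify(server.get("gitVersion", ""))
    return report


# Constructed sample inventory; cluster names and builds are made up.
SAMPLE = {
    "prod-eu": '{"serverVersion": {"gitVersion": "v1.11.4"}}',
    "prod-us": '{"serverVersion": {"gitVersion": "v1.12.3"}}',
    "legacy": '{"serverVersion": {"gitVersion": "v1.9.7"}}',
    "managed": '{"serverVersion": {"gitVersion": "v1.10.9-vendor.2"}}',
    "unreachable": '{"clientVersion": {"gitVersion": "v1.12.3"}}',
}

print(audit(SAMPLE))
```

Only the server version matters here: the `unreachable` entry has a patched client but no `serverVersion`, so it is reported as `unknown` instead of being counted as fixed.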
As for Google Cloud Platform clusters: all Google Kubernetes Engine (GKE) masters were affected by this vulnerability, and GCP has already upgraded all customer clusters to the latest patch versions. No action is required.
For deployments on cloud providers that have not updated existing clusters with the patched version, those clusters currently remain exposed unless they have been upgraded manually.
- AWS Security Bulletin – Kubernetes Security Issue (CVE-2018-1002105) posted 2018/12/04 1:00 PM PST
- Microsoft Azure Security Bulletin – AKS clusters patched for Kubernetes vulnerability – “If you want to upgrade to a Kubernetes release that contains the underlying fix, we have now made version 1.11.5 available.”
Upgrading clusters manually can be tricky. Organizations doing so will also need to upgrade additional components of the cluster such as the Kubernetes load balancer and Flannel if they're using it as a service mesh. There's a lot more involved; that's really just a taste. This can also be a good opportunity for lifting and shifting K8s clusters to Google Cloud.
While open-sourced and maintained by the Cloud Native Computing Foundation, Kubernetes originated at Google and the GKE team knows the framework better and maintains it faster than anybody else.
If you need assistance in addressing this time-sensitive situation, please reach out and schedule a consultation with our cloud engineering team.
___
Updated to reflect the fact that Amazon and Microsoft have posted announcements regarding the vulnerability and their respective plans to update.