Dito wanted to write a quick post (posted on 12/4/18 at 11:27 am PST) to help bring awareness to a recently discovered Kubernetes flaw that is making its way through the container community.

TLDR – A privilege escalation flaw was found that affects all master versions of the Kubernetes API server. Google Cloud customer clusters were already patched by Google, so no action is required. To our knowledge at the time of publishing, AWS and Azure have not released automated patches for customers yet. 

The privilege escalation flaw (CVE-2018-1002105) makes it possible for any actor to gain full administrator privileges on any compute node being run in a Kubernetes cluster. Not only can this actor steal sensitive data or inject malicious code, but they can also bring down whole production applications and services from within an organization’s firewall.

Affected Versions:

  • Kubernetes v1.0.x-1.9.x 
  • Kubernetes v1.10.0-1.10.10 (fixed in v1.10.11)
  • Kubernetes v1.11.0-1.11.4 (fixed in v1.11.5)
  • Kubernetes v1.12.0-1.12.2 (fixed in v1.12.3)

Kubernetes v1.10.11v1.11.5, and v1.12.3 have all been release to address CVE-2018-1002105. 

As far as Google Cloud Platform clusters – all Google Kubernetes Engine (GKE) masters were affected by these vulnerabilities, and GCP has already upgraded all customer clusters to the latest patch versions. No action is required.

For deployments on cloud providers that have not updated existing clusters with the patched version, those clusters currently remain exposed unless they have been upgraded manually.

  • AWS Security Bulletin – Kubernetes Security Issue (CVE-2018-1002105) posted 2018/12/04 1:00 PM PST
  • Microsoft Azure Security Bulletin – AKS clusters patched for Kubernetes vulnerability – “If you want to upgrade to a Kubernetes release that contains the underlying fix, we have now made version 1.11.5 available.”

Upgrading clusters manually can be tricky. Organizations doing so will also need to upgrade additional components of the cluster such as the Kubernetes load balancer and Flannel if they’re using it as a service mesh. There’s a lot more involved, that’s really just a taste. This can also be a good opportunity for lifting and shifting K8s clusters to Google Cloud.

While open-sourced and maintained by the Cloud Native Computing Foundation, Kubernetes originated at Google and the GKE team knows the framework better and maintains it faster than anybody else.

If you need assistance in addressing this time-sensitive situation, please reach out and schedule a consultation with our cloud engineering team.

 

___

Updated to reflect the fact that Amazon and Microsoft have posted announcements regarding the vulnerability and their respective plans to update.