I got an email from Google saying that the Kubernetes project recently disclosed new security vulnerabilities.
I was advised to upgrade the nodes as soon as the patch becomes available, which is with the new version releases by March 16.
How soon should I do it, or how long can I wait? I need at least a week to plan the upgrade!
CVE-2017-1002101 affects all volume types, so to prevent the vulnerability being exploited on your cluster you'd need to deny the use of all volume types using PodSecurityPolicy. Refer to the "Mitigations prior to upgrading" section of the GitHub issue here.
There isn't an amount of time you can wait; it's just more likely to be exploited the longer you wait before upgrading.
You should upgrade as soon as possible; the longer you wait, the more you will expose your cluster to vulnerabilities, as dippynark pointed out.
I added this comment to suggest that you double-check the release notes of the patch, since it could affect your workload:
March 13, 2018
Fixed
A patch for Kubernetes vulnerabilities CVE-2017-1002101 and CVE-2017-1002102 is now available according to this week's rollout schedule. We recommend that you manually upgrade your nodes as soon as the patch becomes available in your cluster's zone.
Issues
Breaking Change: Do not upgrade your cluster if your application requires mounting a secret, configMap, downwardAPI, or projected volume with write access:
To fix security vulnerability CVE-2017-1002102, Kubernetes 1.9.4-gke.1, Kubernetes 1.8.9-gke.1, and Kubernetes 1.7.14-gke.1 changed secret, configMap, downwardAPI, and projected volumes to mount read-only, instead of allowing applications to write data and then reverting it automatically. We recommend that you modify your application to accommodate these changes before you upgrade your cluster.
If your cluster uses IP Aliases and was created with the --enable-ip-alias flag, upgrading the master to Kubernetes 1.9.4-gke.1 will prevent it from starting properly. This issue will be addressed in an upcoming release.
Disclaimer: I work for Google Cloud Platform Support
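A pre-upgrade check for the breaking change quoted above, as an added example that is not part of the original answers or of the release notes: it lists every container that mounts a secret, configMap, downwardAPI, or projected volume without readOnly set, which are the mounts to review before upgrading. It assumes the pod list was saved from `kubectl get pods --all-namespaces -o json`; the function name and the sample pods are constructed for illustration.

```python
import json
import sys

# Volume types that the patched releases mount read-only (per the release note above).
AFFECTED = ("secret", "configMap", "downwardAPI", "projected")

def writable_mounts(pod_list):
    """Return (namespace, pod, container, volume, type) for every mount of an
    affected volume type that is not declared readOnly in the pod spec."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        # Map volume name -> affected type for the volumes this pod declares.
        kinds = {v["name"]: k for v in spec.get("volumes") or [] for k in AFFECTED if k in v}
        containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
        for c in containers:
            for m in c.get("volumeMounts") or []:
                if m["name"] in kinds and not m.get("readOnly", False):
                    findings.append((meta.get("namespace", "default"), meta.get("name"),
                                     c["name"], m["name"], kinds[m["name"]]))
    return findings

# Constructed sample in the shape of `kubectl get pods --all-namespaces -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "prod", "name": "web"},
   "spec": {
     "volumes": [{"name": "config", "configMap": {"name": "web-config"}},
                 {"name": "token", "secret": {"secretName": "web-token"}},
                 {"name": "scratch", "emptyDir": {}}],
     "containers": [{"name": "app", "volumeMounts": [
         {"name": "config", "mountPath": "/etc/web"},
         {"name": "token", "mountPath": "/var/run/token", "readOnly": true},
         {"name": "scratch", "mountPath": "/tmp/work"}]}]}},
  {"metadata": {"namespace": "batch", "name": "job"},
   "spec": {
     "volumes": [{"name": "creds", "projected": {"sources": []}}],
     "initContainers": [{"name": "init", "volumeMounts": [{"name": "creds", "mountPath": "/creds"}]}],
     "containers": [{"name": "main"}]}}
]}
""")

if __name__ == "__main__":
    # Pass a saved pod list as the first argument; without one, the sample is used.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for finding in writable_mounts(data):
        print("review: %s/%s container=%s volume=%s (%s)" % finding)
```

A mount reported here is only a candidate: the pod spec cannot show whether the application actually writes to the path, so each finding still needs a check against the application itself.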