to kubernetes-sec...@googlegroups.com, kubernete...@googlegroups.com
If you are not using PodSecurityPolicy or a similar mechanism to restrict pod options, then you can disregard this message.
A recent vulnerability in git, CVE-2018-11235, is exposed in Kubernetes through the GitRepo volume source. If you are running a multitenant environment in which users can create pods but shouldn't be able to gain root privileges on the node, then you need to take remedial action.
Option 1 (preferred): forbid use of the GitRepo volume type (e.g. via PodSecurityPolicy). This is not the first vulnerability that has been exposed through the GitRepo volume, and this volume type will eventually be deprecated. The same behavior can be achieved through EmptyDir volumes & InitContainers (example).
Option 2: ensure the version of git deployed to your nodes is up to date. Refer to the CVE for vulnerable versions.
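The following is an added illustration of Option 1, not part of the announcement above and not an official Kubernetes example. The first document is a PodSecurityPolicy whose `volumes` allow-list simply omits `gitRepo`, so admission rejects any pod that requests that volume type (the policy name and the other restrictions are assumptions chosen for a typical multitenant cluster; the manifest must be bound to the tenant service accounts via RBAC, which is not shown). The second document replaces a GitRepo volume with an EmptyDir plus an init container that performs the clone; the container image, the repository URL and the pod name are placeholders. The security-relevant difference is that the clone now runs inside a container under the pod's own security context (here forced non-root by the policy) instead of being executed by the kubelet on the host.

```yaml
# Added example: PodSecurityPolicy that forbids gitRepo volumes.
# Any volume type not listed under spec.volumes is rejected at admission.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-no-gitrepo        # assumed name
spec:
  privileged: false
  allowPrivilegeEscalation: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  volumes:                          # gitRepo is deliberately absent
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
---
# Added example: the same result as a gitRepo volume, using emptyDir + initContainer.
# The clone runs in a container with the pod's securityContext, not as root on the node.
apiVersion: v1
kind: Pod
metadata:
  name: git-clone-example             # assumed name
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000                   # assumed unprivileged UID
  initContainers:
    - name: clone
      image: alpine/git:latest        # assumed image that provides the git binary
      args:
        - clone
        - --depth=1
        - https://github.com/example/repo.git   # placeholder repository
        - /work/repo
      volumeMounts:
        - name: work
          mountPath: /work
  containers:
    - name: app
      image: busybox:latest           # assumed application image
      command: ["sh", "-c", "ls /work/repo && sleep 3600"]
      volumeMounts:
        - name: work
          mountPath: /work
          readOnly: true              # the app only needs to read the checkout
  volumes:
    - name: work
      emptyDir: {}
```

With the policy in place, `kubectl apply` of a pod that declares a `gitRepo` volume fails at admission, while the pod above is admitted because it uses only `emptyDir`. Note that the init container still runs git against an untrusted repository, so the version of git inside that image matters just as Option 2 says it does for the nodes; the gain is that a malicious repository now compromises an unprivileged container rather than the kubelet.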