Security Advisory for CVE 2018-11235: git

[Tim Allclair]

If you are not using PodSecurityPolicy or a similar mechanism to restrict pod options, then you can disregard this message.

A recent vulnerability in git, CVE 2018-11235, is exposed in Kubernetes through the GitRepo volume source. If you are running a multitenant environment in which users can create pods but shouldn't be able to gain root privileges on the node, then you need to take remedial action.

Option 1 (preferred): forbid use of the GitRepo volume type (e.g. via PodSecurityPolicy). This is not the first vulnerability that has been exposed through the GitRepo volume, and this volume type will eventually be deprecated. The same behavior can be achieved through EmptyDir volumes & InitContainers (example).

Option 2: ensure the version of git deployed to your nodes is up to date. Refer to the CVE for vulnerable versions.