Hello Kubernetes Community,
A security issue was discovered in Kubernetes that could allow Windows workloads to run as
ContainerAdministrator even when those workloads set the
runAsNonRoot option to
This issue has been rated low and assigned CVE-2021-25749
Am I vulnerable?
All Kubernetes clusters with following versions, running Windows workloads with
runAsNonRoot are impacted.
- kubelet v1.20 - v1.21
- kubelet v1.22.0 - v1.22.13
- kubelet v1.23.0 - v1.23.10
- kubelet v1.24.0 - v1.24.4
How do I mitigate this vulnerability?
There are no known mitigations to this vulnerability.
- kubelet v1.22.14
- kubelet v1.23.11
- kubelet v1.23.5
- kubelet v1.25.0
To upgrade, refer to this documentation. For core Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster
Kubernetes Audit logs may indicate if the user name was misspelled to bypass the restriction placed on which user is a pod allowed to run as.
If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io
See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/112192
This vulnerability was reported and fixed by Mark Rosetti (@marosset)
Pushkar Joglekar on behalf of the Kubernetes Security Response Committee