Kubernetes security vulnerabilities


Montassar Dridi

Mar 15, 2018, 6:25:39 PM
to Kubernetes developer/contributor discussion
I got an email from Google saying that the Kubernetes project recently disclosed new security vulnerabilities.
I was advised to upgrade the nodes as soon as the patch becomes available, which is with the new version releases by March 16.
How soon should I do it, or how long can I wait? I need at least a week to plan the upgrade!

Jessie Frazelle

Mar 15, 2018, 6:35:44 PM
to Montassar Dridi, Kubernetes developer/contributor discussion
This depends on each cluster's use case, and you really need to assess
how you are using the features which had bugs, but I can try to be of
help.

Repeating the issues below:

One allows containers using subpath volume mounts with any volume type
(including non-privileged pods, subject to file permissions) to access
files/directories outside of the volume, including the host’s
filesystem. See Kubernetes issue #60813 for details.

The other allows containers using a secret, configMap, projected or
downwardAPI volume to trigger deletion of arbitrary files/directories
from the nodes where they are running. See Kubernetes issue #60814 for
details.

If you are exposing the k8s API and such to individuals who are deemed
malicious, yes, they might use this maliciously. If you are trusting
YAML for k8s configs from some untrusted source, they may also use this
maliciously.

You need to assess what you are doing and how much you need to be
inclined to upgrade as soon as possible. It really depends.

--
Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu
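A quick way to act on this advice, as an added example that is not part of the thread and not Kubernetes project code: the script below takes the PodList JSON that `kubectl get pods -A -o json` prints and reports every container that mounts a volume with `subPath` (the feature in issue #60813) and every secret, configMap, projected or downwardAPI volume (the types in issue #60814). The PodList embedded in it is constructed for illustration; the namespace, pod, volume and secret names in it are assumptions, not taken from any real cluster.

```python
"""Audit pod specs for the features named in the two March 2018 advisories.

Added example (not from the mailing-list thread, not Kubernetes project code).
Input is the PodList that `kubectl get pods -A -o json` emits; output is one
finding per affected container mount or volume, so an operator can see which
workloads actually use the buggy features before deciding how urgently to
upgrade.  It checks pod specs only; it does not check kubelet versions.
"""
import json
import sys

# Volume types named in issue #60814 (deletion of files on the node).
DELETION_VOLUME_TYPES = ("secret", "configMap", "projected", "downwardAPI")

# Constructed sample input: names are illustrative assumptions.
SAMPLE_PODLIST = {
    "kind": "PodList",
    "items": [
        {"metadata": {"namespace": "web", "name": "wordpress-0"},
         "spec": {
             "volumes": [
                 {"name": "data", "persistentVolumeClaim": {"claimName": "wp"}},
                 {"name": "db-creds", "secret": {"secretName": "db-credentials"}}],
             "containers": [{"name": "wordpress", "volumeMounts": [
                 {"name": "data", "mountPath": "/var/www/html", "subPath": "html"},
                 {"name": "db-creds", "mountPath": "/secrets/db", "readOnly": True}]}]}},
        {"metadata": {"namespace": "web", "name": "nginx-0"},
         "spec": {
             "volumes": [{"name": "cfg", "configMap": {"name": "nginx-conf"}}],
             "containers": [{"name": "nginx", "volumeMounts": [
                 {"name": "cfg", "mountPath": "/etc/nginx/conf.d"}]}]}},
        {"metadata": {"namespace": "infra", "name": "logger-0"},
         "spec": {
             "volumes": [{"name": "logs", "emptyDir": {}}],
             "containers": [{"name": "logger", "volumeMounts": [
                 {"name": "logs", "mountPath": "/logs"}]}]}},
    ],
}


def audit_pod(pod):
    """Return (pod, category, detail) findings for one Pod object."""
    meta = pod.get("metadata", {})
    spec = pod.get("spec", {})
    name = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
    findings = []

    # Issue #60813: a subPath mount on ANY volume type is in scope, so look at
    # every mount of every container, init containers included.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for vm in c.get("volumeMounts", []):
            if vm.get("subPath"):
                findings.append((name, "subpath",
                                 f'{c.get("name", "?")} mounts volume {vm.get("name")} '
                                 f'with subPath={vm["subPath"]!r}'))

    # Issue #60814: only these four volume types can trigger the deletion bug.
    for vol in spec.get("volumes", []):
        for vtype in DELETION_VOLUME_TYPES:
            if vtype in vol:
                findings.append((name, vtype,
                                 f'volume {vol.get("name")} is a {vtype} volume'))
    return findings


def audit_podlist(podlist):
    """Audit a PodList (or a single Pod) and return all findings."""
    items = podlist["items"] if podlist.get("kind") == "PodList" else [podlist]
    findings = []
    for pod in items:
        findings.extend(audit_pod(pod))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'subpath': 1, 'secret': 1}."""
    counts = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json | python audit_volumes.py -
    # With no argument the constructed sample above is audited instead.
    data = json.load(sys.stdin) if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_PODLIST
    results = audit_podlist(data)
    for pod, category, detail in results:
        print(f"{pod}\t{category}\t{detail}")
    print("summary:", summarize(results))
```

A pod that appears in neither category (like the emptyDir-only logger in the sample) does not use the affected features; a pod that appears in both is the one to prioritise, since an attacker who can run code in it has both bugs available.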

Montassar Dridi

Mar 15, 2018, 7:53:05 PM
to Kubernetes developer/contributor discussion
Thanks for your response.
Just for clarification:
would the vulnerability CVE-2017-1002102 affect a deployment using this example?
https://github.com/GoogleCloudPlatform/kubernetes-engine-samples/blob/master/cloudsql/mysql_wordpress_deployment.yaml

Jessie Frazelle

Mar 15, 2018, 8:11:23 PM
to Montassar Dridi, Kubernetes developer/contributor discussion
Does that deployment use features that were affected by CVE-2017-1002102?

Yes it does.

If you are asking me if your cluster is going to be hacked if you use
that deployment, I cannot answer that because I just took a fast look
at it for two seconds, I did not write the deployment, I did not write
the secrets, etc. I did not write the container image. So I cannot
answer that.

Joel Smith

Mar 15, 2018, 9:27:25 PM
to Kubernetes developer/contributor discussion
Resending to kubernetes-dev (originally sent only to Montassar Dridi)
If you allow an untrusted third party to create and run that application on your cluster, then it could affect you because the third party could connect to the container and exploit the vulnerability. If you run the cluster and you deploy the application yourself, then you're probably pretty safe from the vulnerability, at least until an attacker can find a way to exploit the running application. In such a scenario, the attacker would first have to compromise the application running in the container, then use that as a launching point for an attack that uses the CVE-2017-1002102 bug to delete files from the node.


Montassar Dridi

Mar 15, 2018, 9:32:15 PM
to Kubernetes developer/contributor discussion
Thanks a lot for the information; that was really helpful.
