Happy new year!
A security issue was discovered in Kubernetes Dashboard versions
v1.10.0 or older. The issue is rated High if you are using custom
certificates for the dashboard. Upgrading to v1.10.1 of the dashboard
is encouraged to fix this issue.
**Am I vulnerable?**
If you are running a version of the Kubernetes Dashboard that has login
functionality (v1.7.0 - v1.10.0) and you use custom certificates you
**How can I mitigate the issue?**
Delete the dashboard:

```
kubectl --namespace kube-system delete deployment kubernetes-dashboard
```

**How do I upgrade?**
Follow the installation instructions at
The TLS secrets for a Kubernetes Dashboard can be obtained by visiting
This occurs even if you have authentication via token enabled on the
If you were using custom certificates for the dashboard, those will
need to be revoked because they may have been compromised. If you are
not using custom certificates you are safe, since the default behavior
is to generate certs and store them in memory.
This is being updated in the Kubernetes addons here:
and will be
cherry-picked to the next patch version of 1.13.
Thank you to Tomek Rabczak for the find and Sebastian Florek for the
coordination in making this release.
Jess on behalf of the Kubernetes Product Security Team
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
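
As an added example (not part of the original announcement or the Kubernetes project's code), this script classifies a dashboard image tag against the v1.7.0 - v1.10.0 range given under "Am I vulnerable?". The function names, the sample image references and the assumption that the dashboard is the deployment's first container are illustrative; whether custom certificates are in use still has to be checked separately.

```shell
#!/bin/sh
# Added example: compare a dashboard image tag with the range v1.7.0 - v1.10.0.

# Print the tag of an image reference, or nothing if untagged or digest-pinned.
image_tag() {
    name=${1##*/}                 # drop registry/repo path (may hold host:port)
    case "$name" in
        *@*) echo "" ;;           # pinned by digest, no tag to compare
        *:*) echo "${name#*:}" ;;
        *)   echo "" ;;
    esac
}

# Return 0 when version $1 <= $2; both must be "X.Y.Z" with digits only.
ver_le() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2                  # split into $1..$3 and $4..$6
    IFS=$old_ifs
    if [ "$1" -ne "$4" ]; then [ "$1" -lt "$4" ]; return; fi
    if [ "$2" -ne "$5" ]; then [ "$2" -lt "$5" ]; return; fi
    [ "$3" -le "$6" ]
}

# Print older (< v1.7.0), in-range (v1.7.0 - v1.10.0), fixed (>= v1.10.1)
# or unknown (no plain vX.Y.Z tag, so the version must be checked by hand).
dashboard_status() {
    tag=$(image_tag "$1")
    ver=${tag#v}
    case "$ver" in
        ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*) echo unknown; return 0 ;;
        *.*.*) ;;
        *) echo unknown; return 0 ;;
    esac
    if ! ver_le 1.7.0 "$ver"; then echo older
    elif ver_le "$ver" 1.10.0; then echo in-range
    else echo fixed
    fi
}

# Live check; needs kubectl and cluster access. Assumption: the dashboard is
# the first container of the deployment named in the advisory.
check_cluster() {
    img=$(kubectl --namespace kube-system get deployment kubernetes-dashboard \
        -o jsonpath='{.spec.template.spec.containers[0].image}') || return 1
    echo "$img: $(dashboard_status "$img")"
}

# Constructed sample image references (registry.example is a placeholder).
for img in registry.example:5000/kubernetes-dashboard-amd64:v1.8.3 \
           registry.example:5000/kubernetes-dashboard-amd64:v1.10.1; do
    echo "$img: $(dashboard_status "$img")"
done
```

Call `check_cluster` on a machine with cluster access to classify the running deployment instead of the samples.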