Kubernetes Vulnerability Found and Fixed
A critical vulnerability was discovered in the Kubernetes container orchestrator. The vulnerability (CVE-2018-1002105) allows non-privileged users to access Kubernetes clusters and associated data that they otherwise would not be able to access.
Bad actors can exploit the flaw in two ways -- the first involves abusing pod exec privileges granted to a normal user, and the second involves attacking the API extensions feature, which provides the service catalog and access to additional features in Kubernetes 1.6 and later.
The flaw is already fixed and major Kubernetes vendors have already released patches. For instance, Red Hat has announced that OpenShift Container Platform 3.x and later are affected, as well as Red Hat OpenShift Online and Red Hat OpenShift Dedicated. The company suggests that users must immediately apply patches to their OpenShift deployments.
Microsoft Azure has announcedthat they have also fixed the vulnerability. The company said, “Azure Kubernetes Service has patched all affected clusters by overriding the default Kubernetes configuration to remove unauthenticated access to the entrypoints that exposed the vulnerability,”
The entrypoints are everything under https://myapiserver/apis/. If you were relying on this unauthenticated access to these endpoints from outside the cluster, you will need to switch to an authenticated path.
This is the first major vulnerability discovered in Kubernetes.