Notice of Kubernetes Security Vulnerability (CVE-2024-10220)

Vulnerability Details

Impact

The following cluster versions are affected:

• v1.27.0-r0 to v1.27.8-r0
• v1.28.0-r0 to v1.28.6-r0

Identification Method

Log in to the CCE console, click the name of the target cluster to access the cluster console, and check the cluster version on the Overview page.

Figure 1 Cluster Version

• If the cluster version is not one of the versions mentioned above, then the vulnerability does not affect the cluster.
• If the cluster version falls within the affected range, you can use the following command to check if the vulnerability has been exploited in the cluster:

  (This command will display a list of all gitRepo storage volumes that are mounted to pods. It will also clone the repository to the pod in the .git subdirectory.)

   kubectl get pods --all-namespaces -o yaml | grep gitRepo -A 2

  

  If the command output does not show any gitRepo configuration, it means that the cluster is not affected by the vulnerability.

Solution

• This vulnerability has been fixed for CCE Autopilot clusters. Upgrade the cluster to the version where the vulnerability has been fixed promptly. For clusters that have reached EOS, upgrade them to versions under maintenance.

  Fixed cluster versions: v1.27.9-r0, v1.28.7-r0, and later

• The gitRepo storage volumes are no longer supported. As a solution, the community recommends using the init containers to perform Git clone operations and then mount the directories to the pods. For details, see the example in GitHub.

Helpful Links

https://github.com/kubernetes/kubernetes/issues/128885