Updated on 2023-11-10 GMT+08:00

Notice on the Kubernetes kubelet Resource Management Vulnerability (CVE-2020-8557)

Description

The kubelet eviction manager does not account for the temporary (ephemeral) storage consumed by the /etc/hosts file it mounts into pods. A pod that can write to its mounted /etc/hosts file can therefore fill the node's storage with it, causing a denial of service on the node.

Table 1 Vulnerability information

  Type                      CVE-ID         Severity   Discovered
  Resource management flaw  CVE-2020-8557  Medium     2020-07-15

Impact

The kubelet eviction manager does not account for the temporary (ephemeral) storage consumed by the /etc/hosts file it mounts into pods. A pod that can write to its mounted /etc/hosts file can therefore fill the node's storage with it, causing a denial of service on the node. This vulnerability received a CVSS rating of 5.5 (Medium).

Clusters running pods that have sufficient privileges to write to their own /etc/hosts files are affected. This includes:

  • Containers running with CAP_DAC_OVERRIDE (which is granted by default)
  • Containers running as the root user (UID 0), or containers whose security context sets allowPrivilegeEscalation to true (the default behavior when Privileged Container is enabled or the pod has the CAP_SYS_ADMIN capability)
The following kubelet versions are affected by this vulnerability:
  • kubelet v1.18.0 to v1.18.5
  • kubelet v1.17.0 to v1.17.8
  • kubelet < v1.16.13

Solution

You are advised to take the following security measures:

  • Use the cluster pod security policy or an admission mechanism to force pods to drop the CAP_DAC_OVERRIDE capability:
    securityContext:
      capabilities:
        drop: ["DAC_OVERRIDE"]
  • Use the cluster pod security policy or another admission mechanism to prevent containers from running as root, or set allowPrivilegeEscalation to false:
    securityContext:
      allowPrivilegeEscalation: false
  • Run the following command to monitor the /etc/hosts files mounted into containers. If a file is abnormally large, have the system raise an alarm or isolate the affected container:
    find /var/lib/kubelet/pods/*/etc-hosts -size +1M
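The monitoring step above can be turned into a reusable node check that reports which pod owns each oversized file. The script below is an added example, not part of this notice or of CCE; it assumes the standard kubelet layout /var/lib/kubelet/pods/<pod UID>/etc-hosts (the same path the find command searches), and the 1 MiB default threshold is an assumed value matching "-size +1M".

```shell
#!/bin/sh
# Added example (not from the CCE notice): list pod-mounted /etc/hosts files
# that exceed a size threshold so an alarm can be raised before the node's
# storage fills up. Assumes the kubelet directory layout
#   <root>/pods/<pod-uid>/etc-hosts
# where <pod-uid> equals the pod's .metadata.uid. Root and threshold are
# assumed defaults and can be overridden on the command line.

# Usage: check_etc_hosts_size [kubelet-root] [limit-bytes]
# Prints "<pod-uid> <size-bytes>" for every etc-hosts file larger than
# limit-bytes. Always returns 0; empty output means nothing exceeded the limit.
check_etc_hosts_size() {
    root="${1:-/var/lib/kubelet}"
    limit="${2:-1048576}"   # 1 MiB, equivalent to 'find -size +1M'
    for hosts in "$root"/pods/*/etc-hosts; do
        [ -f "$hosts" ] || continue            # glob matched nothing
        # wc -c is portable; tr strips the padding BSD wc adds
        size=$(wc -c < "$hosts" | tr -d ' ')
        if [ "$size" -gt "$limit" ]; then
            uid=$(basename "$(dirname "$hosts")")
            echo "$uid $size"
        fi
    done
    return 0
}

# Run directly (e.g. from cron or a node-agent): any output is an alarm
# condition; the pod UID can be matched to a pod with
#   kubectl get pods -A -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,UID:.metadata.uid
if [ "$#" -gt 0 ]; then
    check_etc_hosts_size "$@"
fi
```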