Notice of Kubernetes kubelet Resource Management Vulnerability (CVE-2020-8557)
Description
The kubelet eviction manager does not count the /etc/hosts file that kubelet creates for each pod (under its pods directory on the node) and mounts into the pod's containers toward the pod's ephemeral-storage usage. A pod that writes a large amount of data to its mounted /etc/hosts file can therefore fill the node's disk without exceeding its ephemeral-storage limit and without being evicted, causing a denial of service on the node.
Type | CVE-ID | Severity | Discovered
---|---|---|---
Resource management flaw | CVE-2020-8557 | Medium | 2020-07-15
Impact
Because the pod-mounted /etc/hosts file is excluded from ephemeral-storage accounting, a pod can exhaust the node's storage through it without triggering eviction; the resulting disk exhaustion is a denial of service against the node. This vulnerability received a CVSS rating of 5.5 (Medium).
Pods with the following privileges can write to their mounted /etc/hosts file:
- Pods running containers with CAP_DAC_OVERRIDE in their capability bounding set (granted to containers by default)
- Pods running as root (UID 0) or with allowPrivilegeEscalation set to true in their security context (the default, and always the case when privileged is true or CAP_SYS_ADMIN is granted)
The following kubelet versions are affected:
- kubelet v1.18.0 to v1.18.5
- kubelet v1.17.0 to v1.17.8
- kubelet < v1.16.13
Solution
The root fix is to upgrade kubelet to a version outside the affected ranges listed above (v1.16.13, v1.17.9, v1.18.6 or later). On clusters that cannot be upgraded immediately, you are advised to take the following security measures (note that PodSecurityPolicy was removed in Kubernetes v1.25; on newer clusters use Pod Security Admission or an admission webhook instead):
- Use the cluster pod security policy or another admission mechanism to force containers to drop the CAP_DAC_OVERRIDE capability:
  securityContext:
    capabilities:
      drop: ["DAC_OVERRIDE"]
- Use the cluster pod security policy or another admission mechanism to prevent containers from running as root, or set allowPrivilegeEscalation to false:
  securityContext:
    allowPrivilegeEscalation: false
- Monitor the size of the /etc/hosts files that kubelet creates for pods. Run the following command on each node (as root; the path assumes the default kubelet --root-dir of /var/lib/kubelet) and, if it lists any file, raise an alarm or isolate the affected pod. A normal /etc/hosts is a few hundred bytes, so anything over 1 MiB is abnormal:
  find /var/lib/kubelet/pods/*/etc-hosts -size +1M
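The following script is an added example and is not part of this notice or of Kubernetes. It wraps the recommended find check in a function that reports the offending pod UIDs with their file sizes and returns non-zero when anything is found, so it can drive an alert, and exercises it against a constructed directory tree. The pods directory defaults to /var/lib/kubelet/pods (the default kubelet --root-dir) unless another path is passed, the threshold is taken in KiB, and the pod UIDs and file contents in the demo tree are made up; none of these come from the page.

```sh
#!/bin/sh
# Added example (not from the advisory or Kubernetes): reusable check for
# oversized pod etc-hosts files, the condition CVE-2020-8557 lets a pod create
# without being evicted. Assumed default pods directory: /var/lib/kubelet/pods.

# check_etc_hosts_sizes [POD_ROOT] [THRESHOLD_KIB]
# Prints "<pod-uid> <bytes>" for every pod whose etc-hosts file is larger than
# THRESHOLD_KIB (default 1024). Returns 1 if at least one such file exists,
# 0 otherwise, so it can be used directly as an alert condition.
check_etc_hosts_sizes() {
    pod_root=${1:-/var/lib/kubelet/pods}
    threshold_kib=${2:-1024}
    # kubelet lays pods out as <pod_root>/<pod-uid>/etc-hosts, so search exactly
    # that depth; -size +Nk matches files larger than N KiB.
    offenders=$(find "$pod_root" -mindepth 2 -maxdepth 2 -type f -name etc-hosts \
                     -size +"${threshold_kib}"k 2>/dev/null)
    [ -n "$offenders" ] || return 0
    printf '%s\n' "$offenders" | while IFS= read -r path; do
        uid=${path%/etc-hosts}   # strip the file name ...
        uid=${uid##*/}           # ... and the parent directories, leaving the pod UID
        bytes=$(wc -c < "$path" | tr -d ' ')
        printf '%s %s\n' "$uid" "$bytes"
    done
    # To map a reported UID back to a namespace/pod, run on a machine with cluster access:
    #   kubectl get pods -A -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,UID:.metadata.uid
    return 1
}

# make_demo_tree DIR: builds a constructed kubelet-style pods tree (sample data,
# not captured from a real node) with one normal etc-hosts and one that a
# misbehaving pod has inflated to 2 MiB.
make_demo_tree() {
    normal="$1/11111111-2222-4333-8444-555555555555"
    abusive="$1/66666666-7777-4888-8999-aaaaaaaaaaaa"
    mkdir -p "$normal" "$abusive"
    printf '127.0.0.1\tlocalhost\n10.244.1.7\tweb-0\n' > "$normal/etc-hosts"
    dd if=/dev/zero of="$abusive/etc-hosts" bs=1024 count=2048 2>/dev/null
}

# Demo against the constructed tree. To use it on a live node, run as root and
# call check_etc_hosts_sizes with no arguments (or with the kubelet pods path).
demo_root=$(mktemp -d)
make_demo_tree "$demo_root"
if check_etc_hosts_sizes "$demo_root" 1024; then
    echo "no oversized etc-hosts files"
else
    echo "ALERT: oversized etc-hosts files listed above"
fi
rm -rf "$demo_root"
```

The function deliberately prints one line per pod and signals through its exit status rather than failing on the first hit, so a cron job or node agent can feed the full list to an alert and still act on every offending pod, for example by deleting the pod so kubelet removes its etc-hosts file.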