Notice on Fixing the Kubernetes Permission and Access Control Vulnerability (CVE-2018-1002105)

Description

The security vulnerability CVE-2018-1002105 was reported in the Kubernetes community. By forging requests, Kubernetes users can access the backend over established connections through the Kubernetes API server. The Huawei Cloud CCE has securely fixed this vulnerability in a timely manner.

For details about the vulnerability, see https://github.com/kubernetes/kubernetes/issues/71411.

Impact

If a cluster uses aggregated APIs, the attacker can exploit this vulnerability to send any API request to the aggregated API server, as long as the kube-apiserver is directly connected to the aggregated API server network.

If the access permission of the cluster is granted to anonymous users, anonymous users can also exploit this vulnerability. The access permission of anonymous users is not prohibited in Kubernetes clusters, where the kube-apiserver startup parameter anonymous-auth is set to true. Users are granted the exec/attach/portforward permission of pods, and can also exploit this vulnerability to upgrade themselves to the cluster administrator to damage pods.

For more discussion about the vulnerability, see https://github.com/kubernetes/kubernetes/issues/71411.

The impact of this vulnerability is as follows:

• Clusters that run aggregated API servers directly accessible from the Kubernetes API server's network
• Clusters visible to attackers, that is, attackers can access the kube-apiserver APIs. If your clusters are deployed on a secure private network, the clusters are not affected.
• Clusters that assign pod exec/attach/portforward permissions to users who are not expected to have full access to kubelet APIs

The affected cluster versions are as follows:

• Kubernetes v1.0.x to 1.9.x
• Kubernetes v1.10.0 to 1.10.10 (fixed in v1.10.11)
• Kubernetes v1.11.0 to 1.11.4 (fixed in v1.11.5)
• Kubernetes v1.12.0 to 1.12.2 (fixed in v1.12.3)

Solution

You do not need to worry about this vulnerability when using Huawei Cloud CCE. The reasons are as follows:

• By default, anonymous access is disabled for clusters created by CCE.
• Clusters created by CCE do not use aggregation APIs.

The Huawei Cloud CCE has completed online patch installation for all Kubernetes clusters of v1.11 and later versions. The Kubernetes community does not provide solutions to fix the vulnerability for clusters of earlier versions. Therefore, the CCE has provided a dedicated patch version for them. Pay attention to the upgrade notices, and install the patch version in time to fix the vulnerability.

If you set up Kubernetes clusters without using CCE, you are advised to disable the anonymous access permissions to improve the cluster security.

Upgrade to the vulnerability fixing version provided in the community as soon as possible. When configuring RBAC policies, ensure that the pod exec/attach/portforward permission is granted only to trusted users.

If the Kubernetes version of your clusters is earlier than v1.10, which is not supported by the Kubernetes community, you are advised to add the patch code provided in https://github.com/kubernetes/kubernetes/pull/71412.