Kubernetes has become the most popular container orchestration system, and it was only a matter of time until the first major security hole was discovered. And the bug, CVE-2018-1002105, aka the Kubernetes privilege escalation flaw, is a doozy. It is a CVSS 9.8 critical security hole.
With a specially crafted network request, any user can establish a connection through the Kubernetes Application Programming Interface (API) server to a backend server. Once established, an attacker can send arbitrary requests over that network connection directly to the backend. To add insult to injury, these requests are authenticated with the Kubernetes API server's TLS credentials.
Can you say mess? I knew you could.
Worse still, "In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation." So, yes, anyone who knows about this hole can take control of a Kubernetes cluster.
Oh, and one last pain point: "There is no simple way to detect whether this vulnerability has been used. Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log. The requests do appear in the kubelet or aggregated API server logs, but are indistinguishable from correctly authorized and proxied requests via the Kubernetes API server."
Red Hat put it this way: "The privilege escalation flaw makes it possible for any user to gain full administrator privileges on any compute node running in a Kubernetes pod. This is a big deal. Not only can this actor steal sensitive data or inject malicious code, but they can also bring down production applications and services from inside an organization's firewall." Fortunately, there is a fix, but some of you will not like it. You must upgrade Kubernetes. Now. Specifically, to the patched versions: Kubernetes v1.10.11, v1.11.5, v1.12.3, or v1.13.0-rc.1.
If you are still running Kubernetes v1.0.x-1.9.x, stop. Update to a patched version. If for some reason you cannot upgrade, there are workarounds, but they are almost worse than the disease. You must suspend use of aggregated API servers and remove pod exec/attach/portforward permissions from users who should not have full access to the kubelet API. Jordan Liggitt, the Google software engineer who fixed the bug, said these mitigations are likely to be disruptive. You think?
The only real solution is to upgrade Kubernetes.
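Two defender-side checks follow from the advice above: confirm that the API server is at one of the patched versions named here, and, for clusters that cannot upgrade yet, find the RBAC roles that hand out the pods/exec, pods/attach and pods/portforward permissions the workaround says to withdraw. The script below is an added example, not code from the Kubernetes project or from the article; the RBAC document in it is constructed sample input, and the treatment of v1.13.0 alpha/beta builds as unpatched is an assumption (the article names only v1.13.0-rc.1 as fixed).

```python
"""Defender checks for CVE-2018-1002105: API server version and risky RBAC rules.
Added example; the RBAC document below is constructed, not from a real cluster."""
import json
import re

# First fixed patch level per minor, as listed in the article.
FIXED_PATCH = {10: 11, 11: 5, 12: 3}
SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}
# kubectl exec/attach/port-forward use POST (verb "create"); websocket clients use GET.
RISKY_VERBS = {"create", "get", "*"}


def parse_version(v):
    """'v1.12.3-rc.1+abc' -> (1, 12, 3, 'rc.1'); build metadata after '+' is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?(?:\+.*)?$", v.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % v)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4) or ""


def is_patched(v):
    """True if the given kube-apiserver version carries the fix."""
    major, minor, patch, pre = parse_version(v)
    if major != 1:
        return major > 1
    if minor < 10:
        return False  # 1.0.x-1.9.x: no fixed release exists, upgrade
    if minor in FIXED_PATCH:
        return patch >= FIXED_PATCH[minor]
    if minor == 13 and patch == 0 and pre and not pre.startswith("rc"):
        return False  # assumption: alpha/beta builds predate v1.13.0-rc.1
    return True


def risky_rules(rbac):
    """Return (kind, name, subresource) for each rule granting a risky verb
    on pods/exec, pods/attach or pods/portforward in the core API group."""
    hits = []
    for item in rbac.get("items", []):
        if item.get("kind") not in ("Role", "ClusterRole"):
            continue
        name = item["metadata"]["name"]
        for rule in item.get("rules", []):
            if not set(rule.get("apiGroups", [])) & {"", "*"}:
                continue  # subresources live in the core ("") group
            resources = set(rule.get("resources", []))
            if "*" in resources:
                resources |= SUBRESOURCES  # wildcard covers the subresources too
            if not set(rule.get("verbs", [])) & RISKY_VERBS:
                continue
            for sub in sorted(resources & SUBRESOURCES):
                hits.append((item["kind"], name, sub))
    return hits


# Constructed sample in the shape of `kubectl get clusterroles,roles -A -o json`.
SAMPLE_RBAC = json.loads("""
{"kind": "List", "items": [
  {"kind": "ClusterRole", "metadata": {"name": "debug-exec"},
   "rules": [{"apiGroups": [""], "resources": ["pods/exec", "pods/log"], "verbs": ["create"]}]},
  {"kind": "Role", "metadata": {"name": "viewer"},
   "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "wide-open"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
]}
""")

if __name__ == "__main__":
    for v in ("v1.9.11", "v1.10.11", "v1.12.2+deadbeef", "v1.13.0-rc.1"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
    for kind, name, sub in risky_rules(SAMPLE_RBAC):
        print("%s/%s grants %s" % (kind, name, sub))
```

To run the RBAC check against a live cluster, feed it the JSON from `kubectl get clusterroles,roles --all-namespaces -o json` instead of the constructed sample; the version check takes the `gitVersion` field of `kubectl version -o json`. The role scan only tells you who holds the permissions, which is the input the workaround needs; it says nothing about whether the hole has already been used, which, as the article notes, the logs will not reveal either.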
Any program, including Kubernetes, can have vulnerabilities. Kubernetes distributors are already rolling out fixes.
Red Hat reports that all its "Kubernetes-based services and products – including Red Hat OpenShift Container Platform, Red Hat OpenShift Online, and Red Hat OpenShift Dedicated – are affected." Red Hat has begun delivering patches and service updates to affected users.
As far as anyone knows, no one has used the security hole to attack anyone yet. Darren Shepard, chief architect and co-founder at Rancher Labs, discovered the bug and reported it through the Kubernetes vulnerability reporting process.
But – and that's a big but – abuse of the vulnerability would not have left any obvious traces in the logs. And now that the news about the Kubernetes privilege escalation flaw is out, it's only a matter of time until it gets abused.
So, once more: upgrade your Kubernetes systems now, before your business ends up in a world of trouble.