A serious flaw in Kubernetes has been identified, and this one is so big that you should stop using it and update immediately. Dubbed CVE-2018-1002105, the flaw allows anyone to establish a connection through the Kubernetes application programming interface (API) server to a backend server. Once connected, attackers can send arbitrary requests directly to the backend and, more importantly, these requests are authenticated with the Kubernetes API server's Transport Layer Security (TLS) credentials.
Anyone who knows about the flaw can take command of a Kubernetes cluster. There is also no concrete log that helps you identify whether the flaw has been used.
“Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log,” Red Hat’s Ashesh Badani says in a blog post explaining the flaw. “The requests do appear in the kubelet or aggregated API server logs, but are indistinguishable from correctly authorized and proxied requests via the Kubernetes API server.”
Anyone using Kubernetes v1.0.x-1.9.x is advised to stop immediately and patch. Those who can’t patch should stop using aggregated API servers and “remove pod exec/attach/portforward permissions from users that should not have full access to the kubelet API.”
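One way to act on the mitigation quoted above, as an added example that is not from the article or from Red Hat: a Python check that lists which subjects are bound to RBAC roles granting pod exec, attach or portforward. The sample objects are constructed, every name in them is hypothetical, and treating `get`, `create` and `*` as the verbs that grant use is an assumption of this example.

```python
import json

# Subresources named in the mitigation quoted above.
RISKY = {"pods/exec", "pods/attach", "pods/portforward"}

def risky_grants(rule):
    """Risky pod subresources that one RBAC rule lets a subject use."""
    if not {"", "*"} & set(rule.get("apiGroups", [])):  # pods are in the core ("") group
        return set()
    # Assumption: get, create or * on the subresource is enough to use it.
    if not {"create", "get", "*"} & set(rule.get("verbs", [])):
        return set()
    # Resource forms handled: "*", the exact name, or "*/<subresource>".
    return {r for r in RISKY for res in rule.get("resources", [])
            if res in ("*", r, "*/" + r.split("/")[1])}

def _key(kind, name, namespace):
    return (kind, name, namespace if kind == "Role" else None)

def audit(objects):
    """Return sorted (subject kind, subject name, role, subresources) findings."""
    risky = {}
    for o in objects:
        if o["kind"] in ("Role", "ClusterRole"):
            hit = set().union(*(risky_grants(r) for r in o.get("rules") or []))
            if hit:
                risky[_key(o["kind"], o["metadata"]["name"], o["metadata"].get("namespace"))] = hit
    findings = []
    for o in objects:
        if o["kind"] in ("RoleBinding", "ClusterRoleBinding"):
            ref = o["roleRef"]
            hit = risky.get(_key(ref["kind"], ref["name"], o["metadata"].get("namespace")))
            for s in (o.get("subjects") or []) if hit else []:
                findings.append((s["kind"], s["name"], ref["name"], tuple(sorted(hit))))
    return sorted(findings)

# Constructed sample shaped like `kubectl get ... -o json` items; names are hypothetical.
SAMPLE = json.loads("""[
 {"kind":"ClusterRole","metadata":{"name":"debugger"},"rules":[
   {"apiGroups":[""],"resources":["pods","pods/exec"],"verbs":["get","create"]}]},
 {"kind":"Role","metadata":{"name":"viewer","namespace":"web"},"rules":[
   {"apiGroups":[""],"resources":["pods","pods/log"],"verbs":["get","list"]}]},
 {"kind":"Role","metadata":{"name":"ops","namespace":"web"},"rules":[
   {"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]},
 {"kind":"ClusterRoleBinding","metadata":{"name":"b1"},
  "roleRef":{"kind":"ClusterRole","name":"debugger"},"subjects":[{"kind":"User","name":"alice"}]},
 {"kind":"RoleBinding","metadata":{"name":"b2","namespace":"web"},
  "roleRef":{"kind":"Role","name":"viewer"},"subjects":[{"kind":"User","name":"bob"}]},
 {"kind":"RoleBinding","metadata":{"name":"b3","namespace":"web"},
  "roleRef":{"kind":"Role","name":"ops"},"subjects":[{"kind":"ServiceAccount","name":"ci"}]}]""")
```

On a real cluster, `audit()` takes the `items` array from `kubectl get roles,rolebindings,clusterroles,clusterrolebindings --all-namespaces -o json`; each finding is a subject whose binding should be reviewed against the advice above.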