
Serious security vulnerability disclosed in K8s? What are the countermeasures and suggestions?

2025-01-19 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/03 Report--

A serious security vulnerability in Kubernetes was recently disclosed, affecting almost all current versions. What is the actual impact? Do users of older versions have to upgrade? The following is the Huawei Cloud Container Service team's analysis and interpretation of the vulnerability.

The serious security vulnerability disclosed in Kubernetes:

By crafting a special request, a user holding only ordinary permissions can escalate privileges on an established connection and send arbitrary requests to the proxied backend server.

This issue affects almost all current versions of Kubernetes, including:

Kubernetes v1.0.x-1.9.x

Kubernetes v1.10.0-1.10.10 (fixed in v1.10.11)

Kubernetes v1.11.0-1.11.4 (fixed in v1.11.5)

Kubernetes v1.12.0-1.12.2 (fixed in v1.12.3)

What kinds of clusters may be affected?

The cluster has an extension API server enabled, and kube-apiserver is directly connected to the network of that extension API server.

The cluster is reachable by the user, that is, the user can access the kube-apiserver interface. If your cluster is deployed in a secure private network, there is no impact.

If the Pod exec/attach/portforward interfaces are exposed in the cluster, malicious users can exploit this vulnerability to obtain full kubelet API access.

Let's look at the specific impact scenarios.

The cluster uses the aggregation API. As long as kube-apiserver is directly connected to the network of the aggregated API server, malicious users can exploit this vulnerability to send arbitrary API requests to the aggregated API server.

If the cluster allows anonymous user access, anonymous users can also exploit this vulnerability. Unfortunately, K8s allows anonymous access by default, that is, the kube-apiserver startup parameter "--anonymous-auth=true".

Users have been granted exec/attach/portforward permission on Pods. Such users can also exploit this vulnerability to escalate to cluster administrator and do damage to any Pod.

For a more detailed discussion of the vulnerability, see the community Issue:

https://github.com/kubernetes/kubernetes/issues/71411

Countermeasures and suggestions

Based on the above analysis, friends who use the Huawei Cloud CCE service need not worry too much, because:

Anonymous user access is turned off by default for clusters created by the CCE service.

Clusters created by the CCE service do not use the aggregation API.

The remaining risk is where RBAC is enabled and the Pod exec/attach/portforward permission has been assigned to users. Huawei Cloud CCE CCS will complete the online patch repair of all existing 1.11 K8S clusters tonight. For clusters below v1.10 (which are not repaired by the community), we will also provide a patch version this week. Please pay attention to the upgrade announcement and fix the vulnerability in time.

Tips: if you set up your own K8s cluster, the recommendations for improving its security are as follows:

Be sure to turn off anonymous user access.

Upgrade to the community bug-fix version as soon as possible.

Configure RBAC sensibly, granting Pod exec/attach/portforward permissions only to trusted users.

If the K8s version you are using is lower than v1.10 and is not covered by the official patch, it is recommended to backport the patch code yourself:

https://github.com/kubernetes/kubernetes/pull/71412
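As an added example (not code from the article or from Huawei Cloud), the following Python helper turns the three checks above into something you can run against your own cluster data: the affected version ranges as the article lists them, the kube-apiserver --anonymous-auth default, and an RBAC scan for roles that reach Pod exec/attach/portforward. The role and binding objects at the bottom are constructed samples in the shape of `kubectl get clusterroles,clusterrolebindings -o json` items; treating minor versions the article does not list as fixed is an assumption.

```python
import re
# First fixed patch release per affected minor line, as the article lists them (1.10.11, 1.11.5, 1.12.3).
FIXED_PATCH = {10: 11, 11: 5, 12: 3}
SENSITIVE = {"pods/exec", "pods/attach", "pods/portforward"}

def is_affected(version):
    """Affected per the article: 1.0-1.9 (no fix), 1.10 < .11, 1.11 < .5, 1.12 < .3."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)  # accepts 'v1.11.4' or '1.11.4+build'
    if not m:
        raise ValueError(f"unrecognised version: {version}")
    major, minor, patch = (int(x) for x in m.groups())
    if major != 1:
        return False
    if minor <= 9:
        return True  # no community fix for these lines
    fixed = FIXED_PATCH.get(minor)
    if fixed is None:
        return False  # assumption: minors the article does not list ship with the fix
    return patch < fixed

def anonymous_auth_enabled(apiserver_args):
    """kube-apiserver defaults --anonymous-auth to true when the flag is absent."""
    for arg in apiserver_args:
        if arg.startswith("--anonymous-auth="):
            return arg.split("=", 1)[1].strip().lower() == "true"
    return True

def rules_grant_sensitive(rules):
    """True if a rule reaches exec/attach/portforward in the core API group with create/get."""
    for rule in rules:
        groups, res, verbs = (set(rule.get(k, [])) for k in ("apiGroups", "resources", "verbs"))
        if groups & {"", "*"} and (res & SENSITIVE or "*" in res) and verbs & {"create", "get", "*"}:
            return True
    return False

def risky_subjects(roles, bindings):
    """Map each (Cluster)Role granting a sensitive subresource to the subjects bound to it."""
    sensitive = {r["metadata"]["name"] for r in roles if rules_grant_sensitive(r.get("rules", []))}
    found = {}
    for b in bindings:
        if b["roleRef"]["name"] in sensitive:
            found.setdefault(b["roleRef"]["name"], []).extend(s["name"] for s in b.get("subjects", []))
    return found

# Constructed sample objects shaped like the items of `kubectl get clusterroles,clusterrolebindings -o json`.
SAMPLE_ROLES = [
    {"metadata": {"name": "pod-reader"}, "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "debugger"}, "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
]
SAMPLE_BINDINGS = [{"roleRef": {"name": "debugger"}, "subjects": [{"kind": "User", "name": "alice"}]}]
```

Every subject reported by risky_subjects is one whose exec/attach/portforward grant the article says should be limited to trusted users until the cluster is patched.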
