2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Kubernetes has recently disclosed a serious security vulnerability that affects almost every version currently in use. What is its real impact, and do users of older versions have to upgrade? Below is the Huawei Cloud Container Service team's analysis and interpretation of the vulnerability.
The serious security vulnerability disclosed by Kubernetes:
By sending a specially crafted request, a user who holds only ordinary permissions can escalate privilege over a connection proxied by kube-apiserver and send arbitrary requests to the proxied backend server. The crafted request is a connection upgrade request of the kind used for exec, attach and port-forward and for aggregated APIs; kube-apiserver forwards it to the backend, and when the backend rejects the upgrade, kube-apiserver leaves the TCP connection open, so whatever the client writes on that connection next reaches the backend carrying kube-apiserver's own credentials rather than the user's.
This issue affects almost all current versions of Kubernetes, including:
Kubernetes v1.0.x-1.9.x
Kubernetes v1.10.0-1.10.10 (fixed in v1.10.11)
Kubernetes v1.11.0-1.11.4 (fixed in v1.11.5)
Kubernetes v1.12.0-1.12.2 (fixed in v1.12.3)
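The affected ranges above are easy to misread when a cluster reports a vendor-suffixed version such as v1.11.4-gke.1. The following script is an added example, not code from the article or from the Kubernetes project: it parses a kube-apiserver version string (for instance serverVersion.gitVersion from `kubectl version -o json`) and classifies it against exactly the ranges listed above. Treating any 1.x minor not in that list (v1.13 and later) as unaffected is an assumption of the script taken from the list, not a statement the article makes; the sample versions at the bottom are constructed.

```python
# Added example (not from the article or the Kubernetes project): classify a
# kube-apiserver version against the affected ranges listed in the article.
# Assumption: minors absent from FIXED_PATCH and above 1.9 (e.g. 1.13+) are
# treated as not listed, and therefore not flagged.
import re

# minor -> first patch release in that minor that carries the fix
FIXED_PATCH = {10: 11, 11: 5, 12: 3}
# v1.0.x through v1.9.x have no fixed release at all
LAST_UNFIXED_MINOR = 9


def parse_version(v):
    """Parse 'v1.11.4', '1.11.4-gke.2' or 'v1.11.4+abc' into (major, minor, patch).

    A vendor/build suffix introduced by '-' or '+' is dropped; anything that is
    not a dotted triple raises ValueError instead of silently classifying it.
    """
    m = re.match(r'^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$', v.strip())
    if not m:
        raise ValueError('unrecognised Kubernetes version: %r' % v)
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Return (affected, advice) for a kube-apiserver version string."""
    major, minor, patch = parse_version(version)
    if major != 1:
        return (False, 'not a 1.x release; outside the ranges in the advisory')
    if minor <= LAST_UNFIXED_MINOR:
        return (True, 'v1.0-v1.9 has no community fix: backport the patch or upgrade')
    if minor in FIXED_PATCH:
        fixed = FIXED_PATCH[minor]
        if patch < fixed:
            return (True, 'upgrade to v1.%d.%d or later' % (minor, fixed))
        return (False, 'v1.%d.%d and later include the fix' % (minor, fixed))
    return (False, 'v1.%d is not in the affected list' % minor)


if __name__ == '__main__':
    # Constructed sample versions, as a cluster might report them.
    for v in ['v1.9.11', 'v1.10.10', 'v1.10.11', 'v1.11.4-gke.1', 'v1.12.3', 'v1.13.0']:
        affected, advice = assess(v)
        print('%-16s %-9s %s' % (v, 'AFFECTED' if affected else 'ok', advice))
```

Run it against the gitVersion of every control-plane node rather than the client version, since a cluster can run a mix of patch releases during a rolling upgrade.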
Which clusters may be affected?
The cluster has an extension (aggregated) API server enabled, and kube-apiserver has direct network connectivity to that extension API server.
The cluster's kube-apiserver endpoint is reachable by the user. If kube-apiserver is reachable only from a trusted private network, the exposure is limited to users on that network.
Users have been granted the pod exec/attach/portforward interfaces. An attacker holding those permissions can use the vulnerability to obtain access to the full kubelet API.
The specific impact scenarios are as follows.
The cluster uses the aggregation API. As long as kube-apiserver has direct network connectivity to the aggregated API server, an attacker can use this vulnerability to send arbitrary API requests to the aggregated API server.
If the cluster allows anonymous user access, anonymous users can exploit the vulnerability as well. Unfortunately, Kubernetes allows anonymous access by default: the kube-apiserver startup parameter --anonymous-auth defaults to true.
Granting a user exec/attach/portforward permission on a pod lets that user exploit the vulnerability to obtain the full kubelet API of the node hosting that pod, and from there run commands in, and tamper with, any pod on that node.
For a more detailed discussion of the vulnerability (tracked upstream as CVE-2018-1002105), see the community issue:
https://github.com/kubernetes/kubernetes/issues/71411
Countermeasures and suggestions
Based on the above analysis, users of the Huawei Cloud CCE service need not worry too much, because:
Anonymous user access is turned off by default for clusters created by the CCE service.
Clusters created by the CCE service do not use the aggregation API.
The remaining exposure is clusters with RBAC enabled in which pod exec/attach/portforward permission has been assigned to users. For these, Huawei Cloud CCE will complete online patching of all existing 1.11 Kubernetes clusters tonight. For clusters below v1.10, which the community does not patch, we will also provide a patch release this week. Please watch the upgrade announcement and fix the vulnerability promptly.
Tips: if you run your own Kubernetes cluster, the following is recommended to raise its security:
Be sure to turn off anonymous user access (set --anonymous-auth=false on kube-apiserver).
Upgrade to the community fixed release as soon as possible.
Configure RBAC carefully, granting pod exec/attach/portforward permissions only to trusted users.
If the Kubernetes version you use is below v1.10 and has no official patch, backport the fix yourself from the community pull request:
https://github.com/kubernetes/kubernetes/pull/71412
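The two configuration tips above, turning off anonymous access and limiting who holds pod exec/attach/portforward, can both be checked offline. The script below is an added example, not code from the article or from the Kubernetes project. It assumes the kube-apiserver command line is available as a list of arguments (for example from the static pod manifest) and that RBAC rules are available as the `rules` list of a Role or ClusterRole; the command lines and the Role rules it runs on are constructed samples. Beyond what the tips say, it applies the actual RBAC matching for subresources: a request for pods/exec is matched by a rule listing `*`, `pods/exec` or `*/exec`, while `pods/*` is not a valid RBAC form and grants nothing.

```python
# Added example (not from the article or the Kubernetes project): audit
# anonymous access and exec/attach/portforward grants from static inputs.
# Assumptions: argv is the kube-apiserver process command line; rules is the
# 'rules' list of a Role/ClusterRole as plain dicts.
import shlex

# Pod subresources that give a user an interactive channel into a pod.
SENSITIVE_SUBRESOURCES = ('exec', 'attach', 'portforward')
# Verbs that let the subresource be used. 'get' is included because the
# exec/attach/portforward upgrade can also be started with a GET.
SENSITIVE_VERBS = {'*', 'create', 'get'}


def anonymous_auth_enabled(argv):
    """True if this kube-apiserver command line leaves anonymous access on.

    The flag defaults to true when absent. It is a boolean flag, so its value
    is given only as --anonymous-auth=<bool>; a bare --anonymous-auth means true.
    """
    enabled = True
    for arg in argv:
        if arg == '--anonymous-auth':
            enabled = True
        elif arg.startswith('--anonymous-auth='):
            value = arg.split('=', 1)[1].strip().lower()
            enabled = value not in ('false', 'f', '0')
    return enabled


def rules_granting_pod_access(rules):
    """Return the RBAC rules that grant exec, attach or portforward on pods.

    RBAC matches a request for pods/<sub> when a rule in the core API group
    ('' or '*') lists '*', 'pods/<sub>' or '*/<sub>'. 'pods/*' is not matched.
    """
    hits = []
    for rule in rules:
        if not ({'', '*'} & set(rule.get('apiGroups', []))):
            continue
        if not (SENSITIVE_VERBS & set(rule.get('verbs', []))):
            continue
        for res in rule.get('resources', []):
            if res == '*' or any(res in ('pods/' + s, '*/' + s)
                                 for s in SENSITIVE_SUBRESOURCES):
                hits.append(rule)
                break
    return hits


def audit(argv, rules):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if anonymous_auth_enabled(argv):
        findings.append('kube-apiserver accepts anonymous requests '
                        '(--anonymous-auth is absent or true)')
    for rule in rules_granting_pod_access(rules):
        findings.append('RBAC rule grants pod exec/attach/portforward: %r' % (rule,))
    return findings


# Constructed sample command lines: the weak one keeps the default, the
# corrected one switches anonymous access off.
WEAK_ARGS = shlex.split('kube-apiserver --authorization-mode=Node,RBAC '
                        '--anonymous-auth=true --secure-port=6443')
FIXED_ARGS = shlex.split('kube-apiserver --authorization-mode=Node,RBAC '
                         '--anonymous-auth=false --secure-port=6443')

# Constructed sample Role rules: only the second and third grant a sensitive
# subresource; the last uses 'pods/*', which RBAC does not recognise.
SAMPLE_RULES = [
    {'apiGroups': [''], 'resources': ['pods', 'pods/log'], 'verbs': ['get', 'list', 'watch']},
    {'apiGroups': [''], 'resources': ['pods/exec'], 'verbs': ['create']},
    {'apiGroups': ['*'], 'resources': ['*/portforward'], 'verbs': ['*']},
    {'apiGroups': [''], 'resources': ['pods/*'], 'verbs': ['create']},
]

if __name__ == '__main__':
    for finding in audit(WEAK_ARGS, SAMPLE_RULES):
        print('FINDING:', finding)
    print('corrected config findings:', audit(FIXED_ARGS, [SAMPLE_RULES[0]]))
```

Against a live cluster, the anonymous-access check can be confirmed from outside: an unauthenticated request to the API server (for example `curl -k https://<apiserver>:6443/api`) answers 403 when anonymous requests are being authenticated as system:anonymous, and 401 once --anonymous-auth=false is in effect. The RBAC check can be confirmed per user with `kubectl auth can-i create pods/exec --as <user>`.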
© 2024 shulou.com SLNews company. All rights reserved.