For an open source project of its size (both in terms of code and of prevalence of adoption), Kubernetes has been comparatively free of serious security vulnerabilities. That record has come to an end, though, with the project’s disclosure on December 3, 2018 of a critical security vulnerability affecting every Kubernetes release before the fixed versions, and therefore every release of SUSE CaaS Platform to date.
The vulnerability, CVE-2018-1002105, is located in the Kubernetes API server, in the code that proxies connection-upgrade requests to backend services (the path used by pod exec, attach and port-forward, and by aggregated API servers). A specially crafted request leaves the API server’s connection to the backend open even after the backend has rejected the upgrade, and anything the client sends afterwards is forwarded to that backend over the API server’s own TLS connection, that is, with the API server’s credentials. In the default configuration this lets any user, even an unauthenticated one, send arbitrary requests to an aggregated API server, and it lets any user who holds pod exec, attach or port-forward permission send arbitrary requests to the kubelet API on any node, which amounts to full admin rights on that worker node. Because the abuse rides on what otherwise appears to be a legitimate API connection, it is very hard to detect: the forwarded requests never show up in the API server’s audit or server logs, and although they do appear in the kubelet or aggregated API server logs, they are indistinguishable there from correctly authorized requests proxied through the API server. (You can find details of the vulnerability and how it exposes clusters to attack here.)
Upstream has published mitigation steps (removing pod exec, attach and port-forward permissions from users who do not need them, disabling anonymous access and suspending the use of aggregated API servers), but they are likely to interfere with legitimate use of the cluster. The easiest and most complete way to address the problem and keep your SUSE CaaS Platform secure is to update to a version of Kubernetes that contains the fix.
Today, SUSE released an updated Kubernetes for SUSE CaaS Platform 3. This version, numbered 1.10.11, contains the fix for the vulnerability.
Follow the directions in the SUSE CaaS Platform Administration Guide to update your cluster. The same process also applies any bugfixes and features released since your last update, which may include the ability to use your corporate LDAP/AD server for CaaS Platform authentication. In a cluster with sufficient spare capacity and the recommended master node redundancy, the update can be performed without loss of workload availability.
This is a critical vulnerability: the Kubernetes security team rates it 9.8 on the 0 to 10 CVSS v3 scale. SUSE CaaS Platform administrators are strongly advised to update their clusters as soon as possible.
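Two checks an administrator will want to run, before the update to confirm exposure and after it to confirm the fix is in place, are whether the API server version is one of the affected releases and which RBAC roles hand out the pod exec, attach and port-forward rights the published mitigation tells you to remove. The script below is an added example written for this post and is not SUSE’s or the Kubernetes project’s code. It works offline on the JSON that `kubectl version -o json` and `kubectl get clusterroles,roles -A -o json` produce; the sample inputs embedded in it are constructed for illustration. The first fixed release on the other branches (1.11.5, 1.12.3, 1.13.0-rc.1) is taken from the upstream Kubernetes announcement; the post itself only names 1.10.11.

```python
"""
Added example (not from the SUSE post): two offline checks for
CVE-2018-1002105.

  is_affected()            -> is this API server version still vulnerable?
  roles_granting_pod_proxy -> which (Cluster)Roles grant pods/exec,
                              pods/attach or pods/portforward?

Fixed versions per branch come from the upstream announcement; the
sample data at the bottom is constructed, not captured from a cluster.
"""
import json
import re

# First fixed patch release for each affected minor version (upstream).
FIRST_FIXED = {10: 11, 11: 5, 12: 3}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(git_version):
    """Split 'v1.13.0-rc.1' into (1, 13, 0, 'rc.1'); '+build' metadata is ignored."""
    m = _VERSION_RE.match(git_version)
    if not m:
        raise ValueError(f"unrecognised Kubernetes version: {git_version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4)


def is_affected(git_version):
    """True if an API server reporting this gitVersion contains the bug."""
    major, minor, patch, pre = parse_version(git_version)
    if major != 1:
        return False
    if minor < 10:
        return True                       # 1.0 to 1.9: affected, no fix released
    if minor in FIRST_FIXED:
        return patch < FIRST_FIXED[minor]
    if minor == 13 and patch == 0 and pre is not None:
        return not pre.startswith("rc.")  # 1.13.0 alpha/beta builds predate the fix
    return False                          # 1.13.0-rc.1 and everything later is fixed


def server_affected(kubectl_version_json):
    """Takes the text printed by `kubectl version -o json`."""
    server = json.loads(kubectl_version_json)["serverVersion"]["gitVersion"]
    return is_affected(server)


# Pod subresources that are reached through the vulnerable upgrade/proxy path.
POD_PROXY_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}


def roles_granting_pod_proxy(roles):
    """Return 'Kind/name' for each Role or ClusterRole whose rules grant
    create, get or wildcard access to pods/exec, pods/attach or
    pods/portforward in the core API group (or through a group wildcard).

    Input: the 'items' list of `kubectl get clusterroles,roles -A -o json`.
    """
    hits = []
    for role in roles:
        for rule in role.get("rules", []):
            if not ({"", "*"} & set(rule.get("apiGroups", []))):
                continue                  # these subresources live in the core group
            resources = set(rule.get("resources", []))
            verbs = set(rule.get("verbs", []))
            if (("*" in resources or resources & POD_PROXY_SUBRESOURCES)
                    and verbs & {"*", "create", "get"}):
                hits.append(f"{role['kind']}/{role['metadata']['name']}")
                break                     # one matching rule is enough
    return hits


# Constructed sample: `kubectl version -o json` on a not-yet-updated cluster.
SAMPLE_KUBECTL_VERSION = json.dumps({
    "clientVersion": {"gitVersion": "v1.10.11"},
    "serverVersion": {"gitVersion": "v1.10.10"},
})

# Constructed sample roles: one grants exec, one is read-only, one is wildcard.
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "developer-exec"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec"],
                "verbs": ["get", "list", "create"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]

if __name__ == "__main__":
    print("API server affected:", server_affected(SAMPLE_KUBECTL_VERSION))
    print("roles to review:", roles_granting_pod_proxy(SAMPLE_ROLES))
```

On a real cluster, pipe the two `kubectl` outputs into `server_affected()` and `roles_granting_pod_proxy(data["items"])`. A role turning up in the second list is not itself a problem after the update, but before it every binding of such a role is a path to the kubelet API, and `cluster-admin` style wildcard roles will always appear, so the list is a review queue rather than a verdict. Note that granting `pods` alone does not grant the subresources, which is why the check looks at `pods/exec` and friends explicitly.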