kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

CVE-2017-14491 Documentation Hot Fixes and kops fixes

This commit is contained in:
chrislovecnm 2017-10-08 14:49:06 -06:00
parent b052495e3d
commit ed3651d688
1 changed files with 129 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

129
docs/advisories/cve_2017_14491.md Normal file
View File

@ -0,0 +1,129 @@
# CVE-2017-14491
A vulnerability in dnsmasq, used by kube-dns, requires an upgrade to the kube-dns component. This component is the default DNS component installed in Kubernetes. The vulnerability may be externally exploitable. Links below exist with the full detail
of the CVE. This is not a Kubernetes specific vunerability, but exists in dnsmasq.
## Current kops Status
As of 2017/10/08 `kops` fixes are not in a released `kops` version, but you are
able to hotfix any Kubernetes cluster that is 1.4.x or higher.
## Tested Kubernetes Versions
Kubernetes versions 1.5.8, 1.6.11, 1.7.7, and 1.8.0 have been fully tested with the new version of `kube-dns` deployment. Other versions should function, but upgrading
to fully tested version is recommend. We have had 1.4.x users upgrade successfully,
but we cannot validate full production stability. Local testing in a non-production
environment is always recommended. We are not able to quatify the risk of using
a non-tested version.
## Fixed kops releases
We are planning releasing fixes in both new 1.7.x and 1.8.x kops releases.
Fixes are in master, but not yet released as of 2017/10/08. We will update this document when releases are available. You are able to continue to use kops, and
apply the hotfix. kops should not downgrade the hotfix.
### Fixed kops Version Matrix
| kops Version | Fixed | Released | Will Fix | URL |
|---|---|---|---|
| master | Y | N | N/A | [here](https://github.com/kubernetes/kops) |
| 1.8.0 | N | N | Y | N/A |
| 1.8.0.alpha.1 | N | Y | N | N/A |
| 1.7.1 | Y | N | N | N/A |
| 1.7.0 | N | Y | N | N/A |
## kops PR fixes
- Fixed by @mikesplain in [#3511](https://github.com/kubernetes/kops/pull/3511)
- Fixed by @mikesplain in [#3538](https://github.com/kubernetes/kops/pull/3538)
## kops Tracking Issue
- Filed by @chrislovecnm [#3512](https://github.com/kubernetes/kops/issues/3512)
## Hotfix Instructions
The minimal fix is to just update the container for the pods using dnsmasq. You are able to apply this fix without downtime. Hot fix instruction differ between Kuberentes releases. The newer version of `kube-dns` includes the `k8s-dns-dnsmasq-nanny-amd64` container.
### Kuberentes Versions 1.6.x and higher
#### Installation of Hot Fix
Apply the update to the container:
```bash
kubectl set image deployment/kube-dns -n kube-system dnsmasq=gcr.io/google_containers/k8s-dns-dnsmasq-amd64:1.14.5
```
Validate the change was applied to the deployment:
```bash
kubectl get deployment -n kube-system kube-dns -o jsonpath='{.spec.template.spec.containers[?(@.name == "dnsmasq")].image}'
```
#### Validation
To verify that pods were deployed:
```bash
kubectl get pods -n kube-system -o custom-columns=NAME:.metadata.name,IMAGE:.spec.containers[*].image -l k8s-app=kube-dns
```
You should see version 1.14.5 for the k8s-dns-dnsmasq-nanny-amd64 container:
```console
NAME IMAGE
kube-dns-1100866048-3lqm0 gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.5,gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.5,gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.5
kube-dns-1100866048-tjlv2 gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.5,gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.5,gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.5
```
### Kuberentes Versions 1.4.x - 1.5.x
Check to see if you have the new configmap for kube-dns. A configmap is required
for the 1.14.5 containers, and kube-dns will _NOT_ start without the configmap.
#### Installation of Dependencies
```console
kubectl -n kube-system get configmap kube-dns
```
If the configmap does not exist create an empty configmap.
#### Installation of Hot Fix
```bash
kubectl create configmap -n kube-system kube-dns
```
Upgrade the kube-dns container to the new version.
```bash
kubectl set image deployment/kube-dns -n kube-system dnsmasq=gcr.io/google_containers/k8s-dns-dnsmasq-amd64:1.14.5
```
Validate the change was applied to the deployment:
```bash
kubectl get deployment -n kube-system kube-dns -o jsonpath='{.spec.template.spec.containers[?(@.name == "dnsmasq")].image}'
```
To verify that pods were deployed:
```bash
kubectl get pods -n kube-system -o custom-columns=NAME:.metadata.name,IMAGE:.spec.containers[*].image -l k8s-app=kube-dns
```
You should see version 1.14.5 for the dnsmasq pod
_TODO_ if someone wants to provide the output.
## More Information
- [Kubernetes Security Blog Post](https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html)
- [CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14491)
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2017-14491)
## Thanks
Thanks to @mikesplain, @chrislovecnm, @snoby, @justinsb, @3h4x