4.6 KiB
CVE-2017-14491
A vulnerability in dnsmasq, used by kube-dns, requires an upgrade to the kube-dns component. This component is the default DNS component installed in Kubernetes. The vulnerability may be externally exploitable. Links below exist with the full detail of the CVE. This is not a Kubernetes specific vunerability, but exists in dnsmasq.
Current kops Status
As of 2017/10/08 kops fixes are not in a released kops version, but you are
able to hotfix any Kubernetes cluster that is 1.4.x or higher.
Tested Kubernetes Versions
Kubernetes versions 1.5.8, 1.6.11, 1.7.7, and 1.8.0 have been fully tested with the new version of kube-dns deployment. Other versions should function, but upgrading
to fully tested version is recommend. We have had 1.4.x users upgrade successfully,
but we cannot validate full production stability. Local testing in a non-production
environment is always recommended. We are not able to quatify the risk of using
a non-tested version.
Fixed kops releases
We are planning releasing fixes in both new 1.7.x and 1.8.x kops releases. Fixes are in master, but not yet released as of 2017/10/08. We will update this document when releases are available. You are able to continue to use kops, and apply the hotfix. kops should not downgrade the hotfix.
Fixed kops Version Matrix
| kops Version | Fixed | Released | Will Fix | URL |
|---|---|---|---|---|
| master | Y | N | N/A | here |
| 1.8.0 | N | N | Y | N/A |
| 1.8.0.alpha.1 | N | Y | N | N/A |
| 1.7.1 | Y | N | N | N/A |
| 1.7.0 | N | Y | N | N/A |
kops PR fixes
kops Tracking Issue
- Filed by @chrislovecnm #3512
Hotfix Instructions
The minimal fix is to just update the container for the pods using dnsmasq. You are able to apply this fix without downtime. Hot fix instruction differ between Kuberentes releases. The newer version of kube-dns includes the k8s-dns-dnsmasq-nanny-amd64 container.
Kuberentes Versions 1.6.x and higher
Installation of Hot Fix
Apply the update to the container:
kubectl set image deployment/kube-dns -n kube-system dnsmasq=gcr.io/google_containers/k8s-dns-dnsmasq-amd64:1.14.5
Validate the change was applied to the deployment:
kubectl get deployment -n kube-system kube-dns -o jsonpath='{.spec.template.spec.containers[?(@.name == "dnsmasq")].image}'
Validation
To verify that pods were deployed:
kubectl get pods -n kube-system -o custom-columns=NAME:.metadata.name,IMAGE:.spec.containers[*].image -l k8s-app=kube-dns
You should see version 1.14.5 for the k8s-dns-dnsmasq-nanny-amd64 container:
NAME IMAGE
kube-dns-1100866048-3lqm0 gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.5,gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.5,gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.5
kube-dns-1100866048-tjlv2 gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.5,gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.5,gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.5
Kuberentes Versions 1.4.x - 1.5.x
Check to see if you have the new configmap for kube-dns. A configmap is required for the 1.14.5 containers, and kube-dns will NOT start without the configmap.
Installation of Dependencies
kubectl -n kube-system get configmap kube-dns
If the configmap does not exist create an empty configmap.
Installation of Hot Fix
kubectl create configmap -n kube-system kube-dns
Upgrade the kube-dns container to the new version.
kubectl set image deployment/kube-dns -n kube-system dnsmasq=gcr.io/google_containers/k8s-dns-dnsmasq-amd64:1.14.5
Validate the change was applied to the deployment:
kubectl get deployment -n kube-system kube-dns -o jsonpath='{.spec.template.spec.containers[?(@.name == "dnsmasq")].image}'
To verify that pods were deployed:
kubectl get pods -n kube-system -o custom-columns=NAME:.metadata.name,IMAGE:.spec.containers[*].image -l k8s-app=kube-dns
You should see version 1.14.5 for the dnsmasq pod
TODO if someone wants to provide the output.
More Information
Thanks
Thanks to @mikesplain, @chrislovecnm, @snoby, @justinsb, @3h4x