
Patch for critical privilege escalation flaw in Kubernetes - rapathak
https://groups.google.com/forum/m/#!topic/kubernetes-announce/GVllWCg6L88
======
coleca
Shame they aren't updating anything older than 1.10. 1.09 was released just a
year ago.

The commercial K8S vendors seem to be doing the patch all the way back. Smart
move by them to signal to the enterprise the value of using a commercially
supported K8S distribution over something like kops or kubeadm.

~~~
zegl
Kubernetes has a hard time defining itself sometimes, this behavior makes
sense if you think of Kubernetes as a kernel. You either run directly on the
kernel, or use an OS that adds features and LTS support to it.

I know however that there is a LTS-SIG that’s trying to figure out what
Kubernetes is, and for how long old releases should be supported.

------
bostonvaulter2
I don't really understand the fix:
https://github.com/kubernetes/kubernetes/pull/71412/files

I was expecting something that altered more rather than a bunch of length
checks. But I guess that's how security is sometimes.
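
The fix in PR 71412 is short because the bug is in what happens after the proxy has relayed the backend's answer. The linked issue (71411) describes it: a user who is allowed to open an upgrade connection through the API server to a backend (a kubelet or an aggregated API server) could send further arbitrary requests over that same connection straight to the backend, authenticated with the API server's own TLS client credentials, because the proxy spliced the two connections even when the backend had refused the upgrade. The essential check is therefore "did the backend answer 101 Switching Protocols?"; the length comparisons around it keep track of how much of the backend's response has already been read off the socket so that the status line can be parsed and nothing is forwarded twice. The Go program below is an added example, not code from the thread or from the Kubernetes project, that models this with a toy backend and proxy: the paths, the SPDY/3.1 upgrade target and the "secret" reply are invented, and the backend trusts every connection, which stands in for a kubelet that authenticates the API server's client certificate once per connection.

```go
package main

// Added example, not Kubernetes code: a toy upgrade-aware proxy demonstrating the check PR 71412 added.

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"net/http"
)

func listenAndServe(handle func(net.Conn)) net.Listener {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go handle(c)
		}
	}()
	return ln
}

// serveBackend stands in for a kubelet. Its real counterpart accepts only the apiserver's
// TLS client cert, so everything on a connection the apiserver opened is trusted; here it
// trusts every connection, which is exactly the property the smuggled request exploits.
func serveBackend(c net.Conn) {
	defer c.Close()
	r := bufio.NewReader(c)
	for {
		req, err := http.ReadRequest(r)
		if err != nil {
			return
		}
		status, body := "200 OK", "secret from "+req.URL.Path
		if req.Header.Get("Upgrade") != "" {
			// cannot satisfy the upgrade: send an ordinary error reply and, like any
			// HTTP/1.1 server, keep the connection open for further requests
			status, body = "400 Bad Request", "unsupported upgrade protocol"
		}
		fmt.Fprintf(c, "HTTP/1.1 %s\r\nContent-Length: %d\r\n\r\n%s", status, len(body), body)
	}
}

// startProxy fronts backendAddr. verify=false is the pre-fix behaviour: relay the
// backend's reply, then splice the two connections whatever that reply was.
func startProxy(backendAddr string, verify bool) net.Listener {
	return listenAndServe(func(client net.Conn) {
		defer client.Close()
		cr := bufio.NewReader(client)
		req, err := http.ReadRequest(cr)
		if err != nil {
			return
		}
		backend, err := net.Dial("tcp", backendAddr)
		if err != nil {
			return
		}
		defer backend.Close()
		br := bufio.NewReader(backend)
		_ = req.Write(backend) // a failed write surfaces as an error from ReadResponse below
		resp, err := http.ReadResponse(br, req)
		if err != nil || resp.Write(client) != nil {
			return
		}
		// The fix: only 101 means the backend upgraded. Any other status is a
		// complete HTTP reply, so close instead of leaving a raw tunnel open.
		if verify && resp.StatusCode != http.StatusSwitchingProtocols {
			return
		}
		go func() { io.Copy(backend, cr); backend.Close() }()
		io.Copy(client, br) // splice: bytes now flow unchanged in both directions
	})
}

// trySmuggle is the unprivileged client: an upgrade request the backend refuses, then a raw
// second request on the same TCP connection. It returns the second reply's body, or an error
// when the proxy closed the connection after the refused upgrade (the correct outcome).
func trySmuggle(proxyAddr string) (string, error) {
	c, err := net.Dial("tcp", proxyAddr)
	if err != nil {
		return "", err
	}
	defer c.Close()
	r := bufio.NewReader(c)
	fmt.Fprint(c, "GET /exec HTTP/1.1\r\nHost: proxy\r\nConnection: Upgrade\r\nUpgrade: SPDY/3.1\r\n\r\n")
	first, err := http.ReadResponse(r, nil)
	if err != nil {
		return "", err
	}
	io.Copy(io.Discard, first.Body) // drain the error reply; the connection is still open
	fmt.Fprint(c, "GET /privileged HTTP/1.1\r\nHost: backend\r\n\r\n")
	second, err := http.ReadResponse(r, nil)
	if err != nil {
		return "", err // the proxy closed the connection: nothing reached the backend
	}
	body, err := io.ReadAll(second.Body)
	return string(body), err
}

func main() {
	backend := listenAndServe(serveBackend)
	for _, verify := range []bool{false, true} {
		body, err := trySmuggle(startProxy(backend.Addr().String(), verify).Addr().String())
		fmt.Printf("verify=%v: second reply %q, err=%v\n", verify, body, err)
	}
}
```

`go run` starts the backend and both proxies on loopback. With verify=false the second, raw request is answered by the backend (`secret from /privileged`) even though the client was never allowed past the refused upgrade; with verify=true the client only sees a closed connection. The toy backend never upgrades successfully, so the splice after a genuine 101, which is the proxy's legitimate job, is present but not exercised.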

------
merb
hm, so only people are affected who gave users access to specific permissions
that are not supposed to do everything. we only allow cluster access to people
who needed cluster-admin rights anyway..

for anybody else, we abstract k8s away.

~~~
web007
https://github.com/kubernetes/kubernetes/issues/71411
for more details, which includes:

    In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation.
