Hacker News
Patch for critical privilege escalation flaw in Kubernetes (groups.google.com)
54 points by rapathak on Dec 4, 2018 | hide | past | favorite | 8 comments

Shame they aren't updating anything older than 1.10. 1.09 was released just a year ago.

The commercial K8S vendors seem to be doing the patch all the way back. Smart move by them to signal to the enterprise the value of using a commercially supported K8S distribution over something like kops or kubeadm.

Kubernetes has a hard time defining itself sometimes; this behavior makes sense if you think of Kubernetes as a kernel. You either run directly on the kernel, or use an OS that adds features and LTS support to it.

I know however that there is a LTS-SIG that’s trying to figure out what Kubernetes is, and for how long old releases should be supported.

Yeah, that's a bit worrying; k8s needs to take security very seriously. If your k8s cluster gets compromised, it's all your machines & apps getting compromised at the exact same time. This is worse than a typical remote exploit that might give access to one server or app.

If you're using something like kops or kubeadm, chances are you're on the latest anyway and updating will take you all of an hour and zero downtime.

The Kubernetes project is pretty explicit about only supporting 3 minor versions back, which gives you a full 3 quarters to figure out if the changes break anything you have deployed and fix those cases. If that's too fast, you're probably an Enterprise anyway and uncomfortable with anything but vendor support.

1.09 was released just a year ago.

Quite normal in this space, see Docker for example.

I don't really understand the fix: https://github.com/kubernetes/kubernetes/pull/71412/files

I was expecting something that altered more rather than a bunch of length checks. But I guess that's how security is sometimes.

Hm, so only people are affected who gave users access to specific permissions that are not supposed to do everything. We only allow cluster access to people that needed cluster-admin rights anyway.

For anybody else, we abstract k8s away.

https://github.com/kubernetes/kubernetes/issues/71411 for more details, which includes:

  In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation.
