Critical Vulnerability to be Fixed in Kubernetes 1.13

The flaw allowed an attacker to take full control of a container cluster
06 December 2018

Kubernetes 1.13 has been released, and in it the developers have fixed a privilege escalation vulnerability. The bug allowed an attacker to gain full control over a container cluster.

To exploit the flaw, an attacker sent a specially crafted discovery request to a backend API, which left the network connection to that backend open. Through this connection the attacker could reach the backend API server and send it arbitrary commands, while the backend treated those requests as if they had come from the Kubernetes API server itself.

Moreover, any Kubernetes user could exploit the flaw, including unauthenticated ones. It turned out that the problem has been present since version 1.0.

To fix it, update Kubernetes to version 1.10.11, 1.11.5, 1.12.3 or 1.13.0. As a stopgap, disable anonymous access to the API server with the option --anonymous-auth=false and revoke the permissions to perform exec, attach and portforward operations.
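As an added defender-side check (not part of the original article), the script below covers the two mitigations named above: it verifies that kube-apiserver was started with --anonymous-auth=false, and it walks ClusterRoleBindings for grants of pods/exec, pods/attach or pods/portforward to the built-in system:anonymous user or system:unauthenticated group. The RBAC objects are constructed samples shaped like kubectl -o json output; resource matching follows Kubernetes RBAC semantics ("*", an exact name, or "*/subresource").

```python
RISKY = {"pods/exec", "pods/attach", "pods/portforward"}
UNTRUSTED = {"system:anonymous", "system:unauthenticated"}  # built-in Kubernetes identities

def anonymous_auth_disabled(apiserver_args):
    """True only if kube-apiserver is explicitly run with --anonymous-auth=false (default is true)."""
    for i, arg in enumerate(apiserver_args):
        if arg.startswith("--anonymous-auth="):
            return arg.split("=", 1)[1].lower() == "false"
        if arg == "--anonymous-auth" and i + 1 < len(apiserver_args):
            return apiserver_args[i + 1].lower() == "false"
    return False

def resource_matches(rule_resource, requested):
    """RBAC resource matching: '*', an exact 'pods/exec', or the '*/exec' form."""
    if rule_resource in ("*", requested):
        return True
    return "/" in requested and rule_resource == "*/" + requested.split("/", 1)[1]

def rule_grants(rule, requested):
    """True if one PolicyRule lets its subjects reach the requested pod subresource."""
    if not set(rule.get("apiGroups", [])) & {"", "*"}:  # pods live in the core API group
        return False
    if not set(rule.get("verbs", [])) & {"*", "create", "get"}:  # exec/attach/portforward use POST or GET
        return False
    return any(resource_matches(r, requested) for r in rule.get("resources", []))

def risky_grants(cluster_roles, bindings):
    """(binding, subject, subresource) for each anonymous/unauthenticated grant of exec, attach or portforward."""
    roles = {r["metadata"]["name"]: r for r in cluster_roles}
    findings = []
    for b in bindings:
        rules = roles.get(b["roleRef"]["name"], {}).get("rules", [])
        for subj in b.get("subjects", []):
            if subj["name"] in UNTRUSTED:
                for req in sorted(RISKY):
                    if any(rule_grants(rule, req) for rule in rules):
                        findings.append((b["metadata"]["name"], subj["name"], req))
    return findings

# Constructed sample objects, shaped like items from `kubectl get clusterroles,clusterrolebindings -o json`.
SAMPLE_ROLES = [{"metadata": {"name": "pod-shell"},
                 "rules": [{"apiGroups": [""], "resources": ["pods", "*/exec"], "verbs": ["get", "create"]}]}]
SAMPLE_BINDINGS = [{"metadata": {"name": "anon-shell"}, "roleRef": {"name": "pod-shell"},
                    "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]}]

if __name__ == "__main__":
    print("anonymous auth disabled:", anonymous_auth_disabled(["kube-apiserver", "--anonymous-auth=false"]))
    for binding, subject, subresource in risky_grants(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"revoke {subresource} from {subject} (binding {binding})")
```

On a live cluster, feed the script the `items` arrays from the kubectl JSON output and the `command` list of the kube-apiserver static pod manifest.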

New Kubernetes 1.13 features:

  • The Container Storage Interface for writing plug-ins for various storage systems has been declared stable. The developers also stabilized a simplified interface for managing a Kubernetes cluster.
  • Also stabilized: the TAVS (Topology Aware Volume Scheduling) scheduler, and the Kubelet Device Plugin Registration service, which gives plug-ins access to the Kubelet.
  • An experimental plug-in interface has been added that allows third-party monitoring systems to be integrated into Kubernetes.
  • APIServer DryRun, the kubectl diff command and the use of local block devices as persistent storage have reached beta status.
  • CoreDNS is now the default DNS server.


Kubic Adapted for ARM64

The Kubic environment is built on openSUSE, Docker, Kubernetes and Salt
01 February 2019

The openSUSE developers have announced support for the AArch64 architecture in the Kubic toolkit, which lets you deploy and maintain a cluster for running applications in isolated containers. An ISO image (1.1 GB) is available for download and provides a complete solution for building CaaS (Container as a Service) systems on server boards with AArch64 processors. The solution is built from the same code base that is used to produce the x86_64 builds.

Among the limitations of the AArch64 edition, some packages specific to x86_64 systems are unavailable; for example, kubernetes-dashboard is not supported. The basic boot image is built for 64-bit ARM boards with UEFI support and a sufficiently large amount of RAM (more than 1 GB), such as the Overdrive 1000, D05 and ThunderX2. For boards without UEFI, such as the Pine64 and Raspberry Pi 3, a separate MicroOS-based image has been prepared (a stripped-down distribution with atomic installation of updates, configuration via cloud-init, a read-only Btrfs root partition, and the Podman / CRI-O and Docker runtimes). Automated installation on a large number of machines is possible using a standard AutoYaST profile or by booting nodes over the network (PXE / tftpboot).

The Kubic environment is built on the openSUSE distribution (Tumbleweed repository), the Docker toolkit, the Kubernetes platform for orchestrating clusters of isolated containers, and the Salt centralized configuration management system. Cluster management is offered through the Velum interface, which lets you deploy a Kubernetes-based cluster in one click and then manage it, including adding and removing nodes, monitoring failures and defining update installation policies. On the nodes, Kubernetes runs in virtual machines deployed on libvirt or OpenStack. It supports running containers built with the Docker toolkit. Container images are distributed as RPM packages.