- Red Hat issued a critical security advisory and patches for a privilege escalation flaw affecting all Kubernetes-based products and services on Monday. The company emphasized "this is a big deal."
- The flaw in the open source system falls on an API server for management and orchestration that can be exploited to gain admin privileges to other machines in a cluster, opening the door for altering existing services or deploying nefarious code. It can also be used to compromise multiple running container instances — or pods — that are running on the same compute node as the pod a user has privileges to, affording read and write access to the host file system.
- Compared to prior issues, this vulnerability is more severe and broadly applicable, affecting every version since v1.0 and potentially every Kubernetes user, making it the first major security hole for the popular container orchestration system, according to Wei Lien Dang, VP of products for StackRox, in a statement provided to CIO Dive.
The scope of the flaw makes it surprising that it wasn't found sooner, Dang said. The greatest concern is that exploitation of the flaw is difficult to detect, appearing as authorized use.
The fix is a simple 37 lines of code — a testament to the "maturity and high quality" of Kubernetes' codebase, Dang said.
But a timely code fix doesn't necessarily address other factors that the flaw might affect, according to Red Hat, such as specialized integration points. The patch could also negatively affect certain workloads, causing a hit to performance, or even downtime.
Some customers will be less susceptible to the flaw, including companies that use managed Kubernetes offerings from providers such as Amazon Web Services, Microsoft Azure and Google Cloud Platform and companies with limited Kubernetes API server access to their network, according to Dang. Big providers such as Google Kubernetes Engine and Red Hat have already patched vulnerabilities.
Customers that manage Kubernetes themselves will be at greater risk, and timely upgrades will depend on their practices and processes. Many breaches have been the result of a company failing to patch a known vulnerability, and the onus will fall on security teams to execute the patch in a timely manner.
Businesses need to pay more attention to securing Kubernetes as it becomes "the OS of the cloud," or the de facto cloud-native orchestration platform, Dang said.
Open source supports many mission critical systems, and businesses packaging open source projects it into products need to be attentive to security risks for customers.
Overall, the disclosure and quick patch response "will generate greater trust and credibility in the platform given the way it was handled," according to Dang. Big providers demonstrated that they can identify, fix and patch the serious security issue in a timely manner.