Recent Kubernetes Security Disclosures for Dashboard and API Server Proxy

What’s happened?

Two Kubernetes security disclosures were published on Friday, January 4, 2019. Here are the details of each disclosure and how to mitigate it when using the IBM Cloud Kubernetes Service.

1. Security Disclosure: Kubernetes Dashboard TLS Certificate Exposure

CVEID: CVE-2018-18264 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18264

Affected components: Kubernetes Dashboard

Affected versions: Kubernetes Dashboard releases before 1.10.1 (no IBM Cloud Kubernetes Service clusters are exposed; see below)

What do I need to know?

IBM Cloud Kubernetes Service users do not need to take any action. See mitigation info below.

When the Kubernetes dashboard can be reached without authentication, a user can directly read the custom certificate Secret that the dashboard application itself uses. That Secret (the certificate and its private key) can be used for man-in-the-middle attacks against dashboard users.

How do I mitigate the issue?

Good news! IBM Cloud Kubernetes Service ships a standard configuration that protects customers from this vulnerability. The kube-dashboard proxy provided by the IBM Cloud console is already secure because it requires authentication at the proxy before the dashboard itself can be reached; in this setup only a cluster admin can get at the certificates.

In addition, IBM Cloud Kubernetes Service includes a NetworkPolicy named kubernetes-dashboard that explicitly blocks access to the dashboard from outside the cluster. This policy cannot be permanently removed: an addon-manager-like service recreates it if it is deleted. By default, the only way to reach the dashboard is through the Kubernetes API server proxy, which is access controlled.

IBM Cloud Kubernetes Service users are protected from this vulnerability via the base configuration of each Kubernetes cluster and the NetworkPolicy enforcement which prevents unauthenticated access to the Kubernetes dashboard.

As part of the regular update practices, IBM Cloud Kubernetes Service will be updating the Kubernetes dashboard automatically to version 1.10.1 which contains a patch for the unauthenticated access issue.

2. Security Disclosure: Kubernetes API server external IP address proxying

Affected components: Kubernetes API server

Affected versions: Kubernetes versions 1.5.x through 1.9.x

What do I need to know?

Kubernetes clusters that run the master and worker nodes in separate networks typically need the API server to proxy requests to external IP addresses. An API server that is allowed to proxy to external IPs is the exposure this disclosure concerns.

How do I mitigate the issue?

Update your Kubernetes clusters to version 1.10 or later. The key to mitigation is to not allow the API server to proxy to external IPs. IBM Cloud Kubernetes Service runs its v1.10.x API servers with the feature gate ServiceProxyAllowExternalIPs=false, which mitigates this exposure. Kubernetes v1.11 and later mitigate it regardless of configuration, because the API server no longer proxies to external IPs at all.

IBM Cloud Kubernetes Service does run the Kubernetes API Server in a network remote to the Worker nodes. However, IBM Cloud Kubernetes Service implements a VPN to allow the API Server to access the workers directly, which doesn’t require external IP addresses.

How do I check my version?

To see which Kubernetes versions the IBM Cloud Kubernetes Service has released:

ibmcloud ks kube-versions

To see which version your clusters are currently using:

ibmcloud ks clusters
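As an added example that is not part of the IBM post, the following POSIX shell script turns the version thresholds above into a check you can run against the versions that `ibmcloud ks clusters` and `kubectl version` report: dashboard releases before 1.10.1 are affected by CVE-2018-18264; API servers 1.5 through 1.9 are affected by the external-IP proxying issue, 1.10 only if ServiceProxyAllowExternalIPs is not set to false, and 1.11 and later are not. The version string formats (`1.10.11_1536`, `v1.11.5+IKS`), the sample cluster list, and the kubectl command in the comments for finding the dashboard image tag are assumptions made for the example, not something the post states.

```shell
#!/bin/sh
# Added example, not from the IBM post: classify Kubernetes and dashboard
# versions against the two disclosures above.
#
# Assumptions (not stated in the post): version strings look like
# "1.10.11_1536" (ibmcloud ks clusters) or "v1.11.5+IKS" (kubectl version);
# the dashboard image tag ("v1.10.0") can be read with a command such as
#   kubectl -n kube-system get deploy kubernetes-dashboard \
#     -o jsonpath='{.spec.template.spec.containers[0].image}'

# Strip a leading "v" and any "_build" or "+flavour" suffix: "v1.10.11+IKS" -> "1.10.11"
normalize_version() {
  v=${1#v}
  v=${v%%_*}
  v=${v%%+*}
  printf '%s\n' "$v"
}

# Succeeds only for a non-empty string of decimal digits
is_number() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print "major minor patch"; minor/patch default to 0, a missing major
# becomes "x" so that callers reject the string as non-numeric
version_parts() {
  v=$(normalize_version "$1")
  major=${v%%.*}
  rest=${v#"$major"}; rest=${rest#.}
  minor=${rest%%.*}
  rest=${rest#"$minor"}; rest=${rest#.}
  patch=${rest%%.*}
  printf '%s %s %s\n' "${major:-x}" "${minor:-0}" "${patch:-0}"
}

# Print lt / eq / gt comparing A with B, or "bad" if either is not numeric
version_cmp() {
  set -- $(version_parts "$1") $(version_parts "$2")
  for n in "$@"; do is_number "$n" || { echo bad; return 0; }; done
  if   [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ] && echo gt || echo lt
  elif [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ] && echo gt || echo lt
  elif [ "$3" -ne "$6" ]; then [ "$3" -gt "$6" ] && echo gt || echo lt
  else echo eq
  fi
}

# Disclosure 1 (CVE-2018-18264): dashboard releases before 1.10.1 are affected
dashboard_status() {
  case $(version_cmp "$1" 1.10.1) in
    gt|eq) echo patched ;;
    lt)    echo affected ;;
    *)     echo unknown ;;
  esac
}

# Disclosure 2 (API server external-IP proxying).
#   $1 = API server version; $2 = value of the ServiceProxyAllowExternalIPs
#   feature gate on a v1.10 API server ("true"/"false"), ignored otherwise.
# Prints affected / mitigated / not-affected / check-gate / unknown.
# Versions below 1.5 are outside what the disclosure covers, hence "unknown".
apiserver_proxy_status() {
  gate=$2
  set -- $(version_parts "$1")
  if ! is_number "$1" || ! is_number "$2" || [ "$1" -ne 1 ]; then
    echo unknown; return 0
  fi
  if   [ "$2" -ge 11 ]; then echo not-affected
  elif [ "$2" -eq 10 ]; then
    case $gate in
      false) echo mitigated ;;
      true)  echo affected ;;
      *)     echo check-gate ;;
    esac
  elif [ "$2" -ge 5 ]; then echo affected
  else echo unknown
  fi
}

# Constructed sample (not real CLI output): cluster name, version, dashboard tag
sample_clusters='prod-eu   1.9.7_1512    v1.8.3
staging   1.10.11_1536  v1.10.0
dev       v1.11.5+IKS   v1.10.1
legacy    1.7.4_1509    v1.8.3'

# One line per cluster; IKS runs its 1.10 API servers with the gate set to false
report() {
  printf '%s\n' "$sample_clusters" | while read -r name kube dash; do
    printf '%-8s kube=%-13s apiserver-proxy=%-12s dashboard=%s\n' \
      "$name" "$kube" "$(apiserver_proxy_status "$kube" false)" \
      "$(dashboard_status "$dash")"
  done
}

report
```

Replace the constructed `sample_clusters` block with the real output of `ibmcloud ks clusters` and the dashboard image tags from your clusters; for a 1.10 API server you do not operate yourself, pass the gate value the provider documents (IBM Cloud Kubernetes Service sets it to false) or leave it empty to get `check-gate` as a reminder to verify it.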

What about unsupported clusters?

For 1.9.x or 1.8.x, you must update your cluster to a supported release:

ibmcloud ks cluster-update --cluster <clustername> --kube-version 1.10

Versions 1.5.x and 1.7.x are out of support and can no longer be updated to a current version of Kubernetes. You will need to create a new Kubernetes cluster and migrate your workload manually.

Questions or comments

Please join us on our public Slack channel at https://ibm-container-service.slack.com or raise a support ticket if you have any issues.

Distinguished Engineer, Site Reliability Engineering, IBM Cloud
