Support

Recent Kubernetes Security Disclosures for Dashboard and API Server Proxy

Share this post:

What’s happened?

There have been two security Kubernetes security disclosures on Friday, January 4, 2019. Here are the details of these disclosures and how to mitigate them while using the IBM Cloud Kubernetes Service.

1. Security Disclosure: Kubernetes Dashboard TLS Certificate Exposure

CVEID: CVE-2018-18264 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18264

Affected components: Kubernetes Dashboard

Affected versions: None

What do I need to know?

IBM Cloud Kubernetes Service users do not need to take any action. See mitigation info below.

Unauthenticated access to the Kubernetes dashboard console allows users to directly access the custom certificate secret being used by the Kubernetes dashboard application. This secret data can be used for man in the middle attacks.

How do I mitigate the issue?

Good news! IBM Cloud Kubernetes Service provides a standard configuration which protects customers from this vulnerability. The IBM Cloud Kubernetes Service kube-dashboard proxy provided by the IBM Cloud console is already secure because it requires authentication with the proxy prior to accessing the dashboard itself. In this scenario, only an admin can access the certs.

In addition, IBM Cloud Kubernetes Service includes the NetworkPolicy kubernetes-dashboard that explicitly prevents accessing the dashboard externally. This policy cannot be permanently removed. It is not possible to permanently remove this policy because IBM Cloud Kubernetes Service uses an addon-manager like service to recreate this policy in the event that it is removed. By default, the only way to access the dashboard is via the Kubernetes apiserver proxy which is access controlled.

IBM Cloud Kubernetes Service users are protected from this vulnerability via the base configuration of each Kubernetes cluster and the NetworkPolicy enforcement which prevents unauthenticated access to the Kubernetes dashboard.

As part of the regular update practices, IBM Cloud Kubernetes Service will be updating the Kubernetes dashboard automatically to version 1.10.1 which contains a patch for the unauthenticated access issue.

2. Security Disclosure: Kubernetes API server external IP address proxying

Affected components: Kubernetes API server

Affected versions: Kubernetes versions 1.5.x through 1.9.x

What do I need to know?

Kubernetes clusters which run the Master and Worker nodes in separate networks require enabling the API Server to proxy requests to external IP addresses.

How do I mitigate the issue?

Update your Kubernetes clusters to version 1.10 or later. The key to mitigation is to not allow proxy to external IPs. IBM Cloud Kubernetes Service runs v1.10.x API Servers with ServiceProxyAllowExternalIPs=false which mitigates this exposure. Kubernetes v1.11 and later mitigates this as it no longer allows proxy to external IPs regardless of configuration.

IBM Cloud Kubernetes Service does run the Kubernetes API Server in a network remote to the Worker nodes. However, IBM Cloud Kubernetes Service implements a VPN to allow the API Server to access the workers directly, which doesn’t require external IP addresses.

How do I check my version?

To see which Kubernetes versions the IBM Cloud Kubernetes Service has released:

ibmcloud ks kube-versions

To see which version your clusters are currently using:

ibmcloud ks clusters

What about unsupported clusters?

For 1.9.x or 1.8.x, you must update your cluster to a supported release:

ibmcloud ks cluster-update --cluster <clustername> --kube-version 1.10

Versions 1.5.x and 1.7.x are out of support and can no longer be updated to a current version of Kubernetes. You will need to create a new Kubernetes cluster and migrate your workload manually.

Questions or comments

Please join us on our public Slack channel at https://ibm-container-service.slack.com or raise a support ticket if you have any issues.

Distinguished Engineer, Site Reliability Engineering, IBM Cloud

More Support stories
March 12, 2019

Introducing MFA for IBM Cloud Users with Federated ID

We are excited to deliver a highly requested feature to our IBM Cloud account owners that supports multifactor authentication (MFA) for federated IDs.

Continue reading

March 12, 2019

Expanding Data Warehouse Capabilities for the IBM Hybrid Data Management Platform

The IBM Hybrid Data Management Platform is expanding capabilities with both the Flex and Hybrid Flex plans. These two types of warehousing solutions will help you optimize your hybrid cloud architectures in terms of both performance and cost-savings

Continue reading

March 5, 2019

Deprecating IBM Workload Scheduler on IBM Cloud

We are announcing the deprecation of the IBM Workload Scheduler on IBM Cloud service on March 31, 2019. We are also offering the option to migrate to IBM Workload Automation on Cloud for all customers who are currently using IBM Workload Scheduler.

Continue reading