Recent Kubernetes Security Disclosures for Dashboard and API Server Proxy

Share this post:

What’s happened?

There have been two security Kubernetes security disclosures on Friday, January 4, 2019. Here are the details of these disclosures and how to mitigate them while using the IBM Cloud Kubernetes Service.

1. Security Disclosure: Kubernetes Dashboard TLS Certificate Exposure

CVEID: CVE-2018-18264

Affected components: Kubernetes Dashboard

Affected versions: None

What do I need to know?

IBM Cloud Kubernetes Service users do not need to take any action. See mitigation info below.

Unauthenticated access to the Kubernetes dashboard console allows users to directly access the custom certificate secret being used by the Kubernetes dashboard application. This secret data can be used for man in the middle attacks.

How do I mitigate the issue?

Good news! IBM Cloud Kubernetes Service provides a standard configuration which protects customers from this vulnerability. The IBM Cloud Kubernetes Service kube-dashboard proxy provided by the IBM Cloud console is already secure because it requires authentication with the proxy prior to accessing the dashboard itself. In this scenario, only an admin can access the certs.

In addition, IBM Cloud Kubernetes Service includes the NetworkPolicy kubernetes-dashboard that explicitly prevents accessing the dashboard externally. This policy cannot be permanently removed. It is not possible to permanently remove this policy because IBM Cloud Kubernetes Service uses an addon-manager like service to recreate this policy in the event that it is removed. By default, the only way to access the dashboard is via the Kubernetes apiserver proxy which is access controlled.

IBM Cloud Kubernetes Service users are protected from this vulnerability via the base configuration of each Kubernetes cluster and the NetworkPolicy enforcement which prevents unauthenticated access to the Kubernetes dashboard.

As part of the regular update practices, IBM Cloud Kubernetes Service will be updating the Kubernetes dashboard automatically to version 1.10.1 which contains a patch for the unauthenticated access issue.

2. Security Disclosure: Kubernetes API server external IP address proxying

Affected components: Kubernetes API server

Affected versions: Kubernetes versions 1.5.x through 1.9.x

What do I need to know?

Kubernetes clusters which run the Master and Worker nodes in separate networks require enabling the API Server to proxy requests to external IP addresses.

How do I mitigate the issue?

Update your Kubernetes clusters to version 1.10 or later. The key to mitigation is to not allow proxy to external IPs. IBM Cloud Kubernetes Service runs v1.10.x API Servers with ServiceProxyAllowExternalIPs=false which mitigates this exposure. Kubernetes v1.11 and later mitigates this as it no longer allows proxy to external IPs regardless of configuration.

IBM Cloud Kubernetes Service does run the Kubernetes API Server in a network remote to the Worker nodes. However, IBM Cloud Kubernetes Service implements a VPN to allow the API Server to access the workers directly, which doesn’t require external IP addresses.

How do I check my version?

To see which Kubernetes versions the IBM Cloud Kubernetes Service has released:

ibmcloud ks kube-versions

To see which version your clusters are currently using:

ibmcloud ks clusters

What about unsupported clusters?

For 1.9.x or 1.8.x, you must update your cluster to a supported release:

ibmcloud ks cluster-update --cluster <clustername> --kube-version 1.10

Versions 1.5.x and 1.7.x are out of support and can no longer be updated to a current version of Kubernetes. You will need to create a new Kubernetes cluster and migrate your workload manually.

Questions or comments

Please join us on our public Slack channel at or raise a support ticket if you have any issues.

Distinguished Engineer, Site Reliability Engineering, IBM Cloud

More Support stories
May 6, 2019

Use IBM Cloud Certificate Manager to Obtain Let’s Encrypt TLS Certificates for Your Public Domains

IBM Cloud Certificate Manager now lets you obtain TLS certificates signed by Let’s Encrypt. Let’s Encrypt is an automated, ACME-protocol-based CA that issues free certificates valid for 90 days.

Continue reading

April 30, 2019

Introducing IBM Analytics Engine v1.2 and Announcing the Deprecation of IBM Analytics Engine v1.0

We are excited to inform you about the new version of IBM Analytics Engine v1.2 that will be available starting May 15, 2019. Along with this release, Analytics Engine v1.0 will be retired.

Continue reading

April 23, 2019

Announcing the Deprecation of the Watson Machine Learning JSON Token Authentication Service

We’d like to inform you about the deprecation of the Watson Machine Learning JSON Token Authentication service. This method of authentication will be retired on May 30, 2019.

Continue reading