# CVE-2017-14491

A vulnerability in dnsmasq, which is used by kube-dns, requires an upgrade of the kube-dns component. kube-dns is the default DNS component installed in Kubernetes. The vulnerability may be externally exploitable. The links below give the full details of the CVE. This is not a Kubernetes-specific vulnerability; it exists in dnsmasq itself.
## Current kOps Status

`kops` release 1.7.1 addresses this CVE. This version of `kops` will upgrade and create clusters. The `kops` 1.8.0.alpha.1 release does not contain the required changes, but 1.8.0.alpha.2 will contain the required patches when it is released.
## Upgrading Cluster

The kube-dns deployment will be automatically upgraded when `kops update cluster` is executed. Replace `my-cluster.example.com` with the name of your cluster. If you are upgrading a Kubernetes 1.4.x or 1.5.x cluster you may need to follow the instructions below to create a required configmap for kube-dns.

Upgrade command:

```shell
kops update cluster --yes --name my-cluster.example.com
```

Validate that the change was applied to the deployment:

```shell
kubectl get deployment -n kube-system kube-dns \
  -o jsonpath='{.spec.template.spec.containers[?(@.name == "dnsmasq")].image}'
```

The upgrade will occur once the channels utility picks up the change, within a few minutes.
## Tested Kubernetes Versions

Kubernetes versions 1.5.8, 1.6.11, 1.7.7, and 1.8.0 have been fully tested with the new version of the kube-dns deployment. Other versions should function, but upgrading to a tested version is recommended. We have had 1.4.x users upgrade successfully, but we cannot validate full production stability. Local testing in a non-production environment is always recommended. We are not able to quantify the risk of using a non-tested version.
## Fixed kOps releases

A fix is planned for the 1.8.x kOps releases. The 1.7.1 release has been released with the needed changes. If you are using the 1.8.x alpha releases, we recommend applying the hotfixes.
## Fixed kOps Version Matrix

kOps Version | Fixed | Released | Will Fix | URL |
---|---|---|---|---|
1.7.1 | Y | Y | Not Applicable | here |
master | Y | N | Not Applicable | here |
1.8.0 | N | N | Y | Not Applicable |
1.8.0.alpha.1 | N | Y | N | Not Applicable |
1.7.0 | N | Y | N | Not Applicable |
## kOps PR fixes

## kOps Tracking Issue

- Filed by @chrislovecnm #3512
## Hotfix Instructions

The minimal fix is just to update the container for the pods using dnsmasq. You are able to apply this fix without downtime. Hotfix instructions differ between Kubernetes releases. The newer version of kube-dns includes the `k8s-dns-dnsmasq-nanny-amd64` container.
## Kubernetes Versions 1.6.x and higher

### Installation of Hot Fix

Apply the update to the container:

```shell
kubectl set image deployment/kube-dns -n kube-system \
  dnsmasq=k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64:1.14.5
```

Validate that the change was applied to the deployment:

```shell
kubectl get deployment -n kube-system kube-dns \
  -o jsonpath='{.spec.template.spec.containers[?(@.name == "dnsmasq")].image}'
```

### Validation

To verify that the pods were redeployed:

```shell
kubectl get pods -n kube-system -o \
  custom-columns=NAME:.metadata.name,IMAGE:.spec.containers[*].image \
  -l k8s-app=kube-dns
```

You should see version 1.14.5 for the `k8s-dns-dnsmasq-nanny-amd64` container:

```
NAME                        IMAGE
kube-dns-1100866048-3lqm0   k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64:1.14.5,k8s.gcr.io/k8s-dns-kube-dns-amd64:1.14.5,k8s.gcr.io/k8s-dns-sidecar-amd64:1.14.5
kube-dns-1100866048-tjlv2   k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64:1.14.5,k8s.gcr.io/k8s-dns-kube-dns-amd64:1.14.5,k8s.gcr.io/k8s-dns-sidecar-amd64:1.14.5
```
## Kubernetes Versions 1.4.x - 1.5.x

Check to see if you have the new configmap for kube-dns. A configmap is required for the 1.14.5 containers, and kube-dns will NOT start without the configmap.

### Installation of Dependencies

```shell
kubectl -n kube-system get configmap kube-dns
```

If the configmap does not exist, create an empty configmap:

```shell
kubectl create configmap -n kube-system kube-dns
```

### Installation of Hot Fix

Upgrade the kube-dns container to the new version:

```shell
kubectl set image deployment/kube-dns -n kube-system \
  dnsmasq=k8s.gcr.io/k8s-dns-dnsmasq-amd64:1.14.5
```

Validate that the change was applied to the deployment:

```shell
kubectl get deployment -n kube-system kube-dns \
  -o jsonpath='{.spec.template.spec.containers[?(@.name == "dnsmasq")].image}'
```

```shell
kubectl get pods -n kube-system -o \
  custom-columns=NAME:.metadata.name,IMAGE:.spec.containers[*].image \
  -l k8s-app=kube-dns
```

You should see version 1.14.5 for the dnsmasq container:

```
NAME                        IMAGE
kube-dns-4146767324-djthf   k8s.gcr.io/kubedns-amd64:1.9,k8s.gcr.io/k8s-dns-dnsmasq-amd64:1.14.5,k8s.gcr.io/dnsmasq-metrics-amd64:1.0,k8s.gcr.io/exechealthz-amd64:1.2
kube-dns-4146767324-kloxi   k8s.gcr.io/kubedns-amd64:1.9,k8s.gcr.io/k8s-dns-dnsmasq-amd64:1.14.5,k8s.gcr.io/dnsmasq-metrics-amd64:1.0,k8s.gcr.io/exechealthz-amd64:1.2
```
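An added check script, not part of the kOps docs, that turns the pod validation step of both version sections above into a pass/fail test: it parses the custom-columns output, picks out the dnsmasq image whether it is `k8s-dns-dnsmasq-amd64` or `k8s-dns-dnsmasq-nanny-amd64`, and compares its tag numerically against 1.14.5. The sample pod list is constructed, and the `check_pods`, `image_is_fixed`, `dnsmasq_image` and `version_ge` names are my own.

```shell
#!/bin/sh
# Added example, not from the kOps docs: parses the output of the
# `kubectl get pods ... -o custom-columns=NAME:...,IMAGE:...` check above and
# flags each kube-dns pod whose dnsmasq container is older than the fixed 1.14.5.
FIXED_VERSION=1.14.5
# Constructed sample in the custom-columns format (not captured from a real
# cluster); the 1.14.3 tag is a made-up "still vulnerable" case.
SAMPLE_PODS='NAME IMAGE
kube-dns-1100866048-3lqm0 k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64:1.14.5,k8s.gcr.io/k8s-dns-kube-dns-amd64:1.14.5
kube-dns-4146767324-djthf k8s.gcr.io/kubedns-amd64:1.9,k8s.gcr.io/k8s-dns-dnsmasq-amd64:1.14.3,k8s.gcr.io/exechealthz-amd64:1.2
kube-dns-4146767324-kloxi k8s.gcr.io/kubedns-amd64:1.9,k8s.gcr.io/k8s-dns-dnsmasq-amd64:1.14.5'

# version_ge A B: succeeds when dotted version A >= B, comparing each field
# numerically so that 1.14.10 sorts after 1.14.5 (a string compare would not).
version_ge() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$2" ]
}

# dnsmasq_image IMAGES: print the dnsmasq image from a comma-separated list,
# matching both k8s-dns-dnsmasq-amd64 and k8s-dns-dnsmasq-nanny-amd64.
dnsmasq_image() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -E '/k8s-dns-dnsmasq(-nanny)?-amd64:' | head -n 1
}

# image_is_fixed IMAGES: succeeds only if the list carries a dnsmasq image tagged
# at or above FIXED_VERSION; no dnsmasq image at all counts as not fixed.
image_is_fixed() {
  img=$(dnsmasq_image "$1")
  [ -n "$img" ] && version_ge "${img##*:}" "$FIXED_VERSION"
}

# check_pods OUTPUT: print "POD OK" or "POD VULNERABLE (image)" per pod line and
# return 1 when at least one pod still needs the hotfix.
check_pods() {
  vulnerable=0
  while read -r pod images; do
    [ "$pod" = "NAME" ] && continue   # skip the column header
    if image_is_fixed "$images"; then
      echo "$pod OK"
    else
      echo "$pod VULNERABLE ($(dnsmasq_image "$images"))"
      vulnerable=1
    fi
  done <<EOF
$1
EOF
  return $vulnerable
}

check_pods "$SAMPLE_PODS" || echo "some kube-dns pods still need the hotfix"
```

To run it against a live cluster, replace `SAMPLE_PODS` with the output of the `kubectl get pods` command shown above.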
## More Information

## Thanks

Thanks to all that helped: @mikesplain, @chrislovecnm, @snoby, @justinsb, @3h4x, @aaronlevy