Kubernetes news: Critical vulnerability discovered; New Relic announces Kubernetes cluster explorer

Critical bug scores 9.8 out of 10 for seriousness. Patches are available.

A critical vulnerability has been discovered in the container orchestration platform Kubernetes.

CVE-2018-1002105 is a privilege escalation flaw that allows unauthorised users to escalate their privileges. By connecting to pods via the Kubernetes API, they could potentially access secrets, pods, environment variables, processes running in pods and containers, and persistent volumes, including those of privileged containers.

"With a specially crafted request, users that are authorized to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection," says developer 'liggitt' on the Kubernetes GitHub pages.

While no incidents of the vulnerability being exploited have been reported, the scope for serious damage earns it a CVSS score of 9.8 out of a possible 10. In addition, it is difficult to check whether the vulnerability has been exploited: because the unauthorised requests travel over an already established connection, they do not appear in the Kubernetes API server audit logs or server log. Organisations running Kubernetes are urged to patch their installations without delay.
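Since the flaw is only reachable by principals already allowed to open a proxied connection to a backend, and since the audit log cannot show abuse after the fact, the practical defensive check is to find out who holds that permission. The following audit script is an added example, not code from the article or from the Kubernetes project. It assumes, from the upstream advisory rather than from this article, that the relevant permission is `create` on the `pods/exec`, `pods/attach` and `pods/portforward` subresources (the endpoints the API server proxies over an upgraded connection), and it walks RBAC roles and bindings in the JSON shape that `kubectl get ... -o json` produces. The sample roles and bindings inside `sample_data()` are constructed for the example.

```python
"""Audit Kubernetes RBAC for subjects able to open proxied (upgrade) connections.

Real input would come from:
  kubectl get clusterroles,roles -A -o json
  kubectl get clusterrolebindings,rolebindings -A -o json
and the "items" lists of those documents would be passed to audit().
"""
import json

# Subresources proxied to the kubelet over an upgraded connection. Taken from the
# upstream CVE-2018-1002105 advisory; the article itself does not list them.
UPGRADE_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}

# Subjects that mean "anyone" or "any authenticated identity" in Kubernetes.
BROAD_SUBJECTS = {"system:anonymous", "system:unauthenticated", "system:authenticated"}


def rule_grants(rule):
    """True if one RBAC rule permits creating any of the upgrade subresources."""
    verbs = set(rule.get("verbs", []))
    if not ({"create", "*"} & verbs):
        return False
    groups = set(rule.get("apiGroups", []))
    if not ({"", "*"} & groups):  # pods live in the core ("") API group
        return False
    for res in rule.get("resources", []):
        if res in ("*", "pods/*") or res in UPGRADE_SUBRESOURCES:
            return True
    return False


def audit(roles, bindings):
    """Return (subject, binding name, role name) tuples for every subject that can
    create an upgrade subresource. roles/bindings are kubectl JSON item lists."""
    index = {}
    for r in roles:
        key = (r["kind"], r["metadata"].get("namespace", ""), r["metadata"]["name"])
        index[key] = r
    findings = []
    for b in bindings:
        ref = b["roleRef"]
        # A RoleBinding may reference a namespaced Role or a cluster-wide ClusterRole.
        ns = b["metadata"].get("namespace", "") if ref["kind"] == "Role" else ""
        role = index.get((ref["kind"], ns, ref["name"]))
        if role is None or not any(rule_grants(r) for r in role.get("rules", [])):
            continue
        for s in b.get("subjects", []):
            findings.append((f'{s["kind"]}:{s["name"]}', b["metadata"]["name"], ref["name"]))
    return findings


def flag_broad(findings):
    """Findings whose subject is anonymous or an all-users group: the highest risk."""
    return [f for f in findings if f[0].split(":", 1)[1] in BROAD_SUBJECTS]


def sample_data():
    """Constructed sample cluster: one exec role bound too widely, one harmless
    read-only role, and one wildcard namespace admin."""
    roles = [
        {"kind": "ClusterRole", "metadata": {"name": "debug-exec"},
         "rules": [{"apiGroups": [""], "resources": ["pods/exec", "pods/portforward"],
                    "verbs": ["create"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "view-only"},
         "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
        {"kind": "Role", "metadata": {"name": "ns-admin", "namespace": "dev"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    ]
    bindings = [
        {"kind": "ClusterRoleBinding", "metadata": {"name": "debuggers"},
         "roleRef": {"kind": "ClusterRole", "name": "debug-exec"},
         "subjects": [{"kind": "User", "name": "alice"},
                      {"kind": "Group", "name": "system:unauthenticated"}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "viewers"},
         "roleRef": {"kind": "ClusterRole", "name": "view-only"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
        {"kind": "RoleBinding", "metadata": {"name": "dev-admins", "namespace": "dev"},
         "roleRef": {"kind": "Role", "name": "ns-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "dev"}]},
    ]
    return roles, bindings


if __name__ == "__main__":
    roles, bindings = sample_data()
    found = audit(roles, bindings)
    print(json.dumps({"can_open_upgrade_connection": found,
                      "broad_or_anonymous": flag_broad(found)}, indent=2))
```

On the constructed sample the script reports `alice`, the `system:unauthenticated` group and the `ci` service account (through the wildcard rule), and singles out the unauthenticated group as the binding to remove first. Note that wildcard verbs and resources are treated as grants, since `*` covers `create` on the subresources just as an explicit rule would.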

The vulnerability was discovered by Darren Shepherd and announced last week; all versions of Kubernetes are affected. Patches for various Kubernetes versions are available.

In other news, New Relic has announced a new Kubernetes monitoring solution, to be released in 2019. The firm claims Kubernetes cluster explorer will offer "a bird's-eye view of a customer's entire Kubernetes environment as well as the ability to dive deep into the performance of individual pods and nodes".

In a press release from New Relic, Adam Bovill, director of engineering at car-sharing marketplace Turo, says: "It will allow our teams to easily manage the performance of our entire Kubernetes cluster in production. Not only that, it will provide us with the ability to quickly drill down and see inside containers to get a code-centric view of our applications, so we can quickly discover issues inside of our clusters."