
PodSecurityPolicy Admissions Plugin Vulnerability Found in Kubernetes

An admission plugin security vulnerability related to PodSecurityPolicies was patched with the release of Kubernetes v1.5.5. This vulnerability could allow users to make use of any PodSecurityPolicies object, including those they are not authorized to use.

Am I affected by this vulnerability?

This vulnerability only affects Kubernetes v1.5.0-1.5.4 and, more specifically, installations that do all of the following:

  • Enable the PodSecurityPolicy API (not enabled by default)
  • Enable the PodSecurityPolicy admission plugin (not enabled by default)
  • Use authorization to limit users' ability to use specific PodSecurityPolicy objects
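As an added example (not part of the original post), the first two conditions above can be checked from the kube-apiserver command line, since in Kubernetes 1.5 both the PodSecurityPolicy API and the admission plugin were opt-in flags. The script below parses a constructed `kube-apiserver` command line, checks the version against the v1.5.0-1.5.4 range, and reports whether the cluster is potentially exposed. It assumes the `--flag=value` argument form; the third condition (whether authorization actually restricts `use` of specific policies) depends on your authorizer configuration and is not visible from these flags.

```python
import re

# Inclusive range of Kubernetes versions covered by this advisory.
AFFECTED_MIN = (1, 5, 0)
AFFECTED_MAX = (1, 5, 4)

# Constructed sample of an apiserver command line (e.g. from `ps -o args`);
# assumed to use the --flag=value form throughout.
SAMPLE_CMDLINE = (
    "/usr/bin/kube-apiserver --etcd-servers=http://127.0.0.1:2379 "
    "--runtime-config=extensions/v1beta1/podsecuritypolicy=true "
    "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,"
    "PodSecurityPolicy,ResourceQuota --authorization-mode=RBAC"
)


def parse_version(version):
    """Turn 'v1.5.3' or '1.5.4-tectonic.1' into a (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(x) for x in m.groups())


def parse_flags(cmdline):
    """Collect --name=value arguments from a command line into a dict."""
    flags = {}
    for token in cmdline.split():
        if token.startswith("--") and "=" in token:
            name, value = token[2:].split("=", 1)
            flags[name] = value
    return flags


def psp_api_enabled(flags):
    # In 1.5 the PSP API was off by default and enabled per resource
    # via --runtime-config.
    items = flags.get("runtime-config", "").split(",")
    return "extensions/v1beta1/podsecuritypolicy=true" in items


def psp_admission_enabled(flags):
    # The admission plugin had to be listed explicitly in --admission-control.
    plugins = flags.get("admission-control", "").split(",")
    return "PodSecurityPolicy" in plugins


def assess(version, cmdline):
    """Report which advisory conditions hold for a given version and apiserver command line.

    'exposed' is True only when the version is in range AND both opt-in flags are
    present; whether authorization limits policy use still has to be checked by hand.
    """
    flags = parse_flags(cmdline)
    version_affected = AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX
    api = psp_api_enabled(flags)
    admission = psp_admission_enabled(flags)
    return {
        "version_affected": version_affected,
        "psp_api": api,
        "psp_admission": admission,
        "exposed": version_affected and api and admission,
    }


if __name__ == "__main__":
    for k, v in assess("v1.5.3", SAMPLE_CMDLINE).items():
        print("%-18s %s" % (k, v))
```

A cluster that reports `exposed: True` here still needs the third check from the list above: if no authorizer restricts which users may `use` each PodSecurityPolicy, every pod-creating user already has access to every policy and the plugin bug changes nothing.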

As CoreOS Tectonic does not enable PodSecurityPolicies, Tectonic users who have not customized their setup are unaffected by this vulnerability.

How do I update automatically?

For users of Tectonic who enabled our experimental Operators, Kubernetes v1.5.5 is available as an automatic update for clusters running Tectonic v1.5.3-tectonic.1 and Tectonic v1.5.4-tectonic.1. To apply the update, navigate to the Cluster Settings page of your Tectonic Console and click "Check for updates" (or "Start Update" if the update is already downloaded).

For Tectonic 1.5.2-tectonic.2 clusters, in order to receive the update, users need to change their channel from alpha to tectonic-1.5 first before clicking the "Check for updates" button. This can be done by running:

$ kubectl replace -f -<<EOF
apiVersion: coreos.com/v1
appID: 6bc7b986-4654-4a0f-94b3-84ce6feb1db4
automaticUpdate: false
channel: tectonic-1.5
kind: ChannelOperatorConfig
metadata:
  name: default
  namespace: tectonic-system
server: https://tectonic.update.core-os.net
triggerUpdate: false
triggerUpdateCheck: false
updateCheckInterval: 2700
EOF

For any clusters running Tectonic v1.5.2-tectonic.1 and older, there is no automatic upgrade path. As we move our experimental Operators to GA, we're making upgrades between patch releases (and, eventually, minor releases) smoother and more consistent.

How do I manually fix affected clusters?

If you are unable to upgrade to Kubernetes v1.5.5, you must complete the following steps to mitigate this vulnerability:

First, export existing PodSecurityPolicy objects:

$ kubectl get podsecuritypolicies -o yaml > psp.yaml

Next, review and delete any PodSecurityPolicy objects you do not want all pod-creating users to be able to use (NOTE: Privileged users that were making use of those policies will also lose access to those policies). For example:

$ kubectl delete podsecuritypolicies/my-privileged-policy

After upgrading to 1.5.5, re-create the exported PodSecurityPolicy objects:

$ kubectl create -f psp.yaml
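The review step above is the one that needs judgement: while the cluster is on 1.5.0-1.5.4, any PodSecurityPolicy left in place is effectively usable by every pod-creating user. As an added example (not the post's or the project's code), the script below audits an exported policy list and flags the settings a baseline workload should not be able to claim: `privileged`, host namespaces, the `*` or `hostPath` volume types, and `runAsUser: RunAsAny`. It assumes the export was taken with `-o json` rather than the `-o yaml` shown above, so that Python's standard library can parse it; the two policies in the embedded sample are constructed for illustration.

```python
import json

# Constructed stand-in for `kubectl get podsecuritypolicies -o json`
# (JSON assumed so no YAML dependency is needed). Field names follow
# the extensions/v1beta1 PodSecurityPolicy spec.
SAMPLE_EXPORT = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "extensions/v1beta1",
            "kind": "PodSecurityPolicy",
            "metadata": {"name": "restricted"},
            "spec": {
                "privileged": False,
                "hostNetwork": False, "hostPID": False, "hostIPC": False,
                "volumes": ["configMap", "secret", "emptyDir", "persistentVolumeClaim"],
                "runAsUser": {"rule": "MustRunAsNonRoot"},
                "seLinux": {"rule": "RunAsAny"},
                "supplementalGroups": {"rule": "RunAsAny"},
                "fsGroup": {"rule": "RunAsAny"},
            },
        },
        {
            "apiVersion": "extensions/v1beta1",
            "kind": "PodSecurityPolicy",
            "metadata": {"name": "my-privileged-policy"},
            "spec": {
                "privileged": True,
                "hostNetwork": True, "hostPID": True, "hostIPC": False,
                "volumes": ["*"],
                "runAsUser": {"rule": "RunAsAny"},
                "seLinux": {"rule": "RunAsAny"},
                "supplementalGroups": {"rule": "RunAsAny"},
                "fsGroup": {"rule": "RunAsAny"},
            },
        },
    ],
})

# Volume types that expose the node filesystem; "*" allows every type.
RISKY_VOLUMES = {"*", "hostPath"}


def policy_risks(spec):
    """Return the reasons a PSP spec grants more than a baseline workload needs."""
    reasons = []
    if spec.get("privileged"):
        reasons.append("privileged containers allowed")
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            reasons.append("%s allowed" % flag)
    bad = RISKY_VOLUMES.intersection(spec.get("volumes", []))
    if bad:
        reasons.append("volume types %s allowed" % ",".join(sorted(bad)))
    if spec.get("runAsUser", {}).get("rule") == "RunAsAny":
        reasons.append("containers may run as root (runAsUser: RunAsAny)")
    return reasons


def audit_export(export_json):
    """Map each exported PSP name to its risk reasons; an empty list means nothing flagged."""
    doc = json.loads(export_json)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    result = {}
    for item in items:
        if item.get("kind") != "PodSecurityPolicy":
            continue
        result[item["metadata"]["name"]] = policy_risks(item.get("spec", {}))
    return result


def policies_to_review(export_json):
    """Names of policies that should not be usable by every pod-creating user."""
    return sorted(name for name, reasons in audit_export(export_json).items() if reasons)


if __name__ == "__main__":
    for name, reasons in audit_export(SAMPLE_EXPORT).items():
        print("%-25s %s  %s" % (name, "REVIEW" if reasons else "ok", "; ".join(reasons)))
```

Policies listed by `policies_to_review` are the candidates for the `kubectl delete podsecuritypolicies/...` step; the untouched export file remains the source for re-creating them after the upgrade to 1.5.5.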

If you have any problems with upgrading to CoreOS Tectonic v1.5.5, please contact the community support channels.

Security Release Process

This security patch release of Kubernetes is the first time that the new community-organized Kubernetes security release process was exercised. This is an important step for the Kubernetes community and part of our ongoing effort to ensure Kubernetes follows all of the Core Infrastructure Initiative (CII) Best Practices. Thank you to everyone who helped make the security release process possible and to Jordan Liggitt for being the Product Security Team Fix Lead on this particular release.

If you would like to learn more about the Security Process there will also be a talk given by Brandon Philips and Jess Frazelle, co-authors of the process, at KubeCon EU next week.