All posts tagged “security”

With the release of Kubernetes 1.8, role-based access control (RBAC) has been promoted from beta to general availability. CoreOS, through our participation in the Kubernetes SIG Auth group, played a significant role in getting RBAC implemented in upstream Kubernetes. With its graduation to general availability, the feature and its core APIs can be considered stable.

Security researchers have recently discovered multiple remotely exploitable vulnerabilities affecting all users of Kubernetes 1.5.0 through 1.7.6. While the risk of an attacker successfully exploiting these flaws is relatively low, the vulnerabilities could potentially allow arbitrary code execution or DoS attacks and thus demand immediate attention. CoreOS Tectonic users can be assured, however, that patches are now available and can be applied with a single click or automatically, if configured.

Today, along with the rest of the Kubernetes community, we’re cheering the release of Kubernetes 1.8. The momentum within the community continues to grow as organizations embrace Kubernetes as the leading platform for container orchestration, and this release continues the Kubernetes community's commitment to security and extensibility with work on stabilizing existing features, even as new ones are added.

I'm often asked why we started CoreOS. I've written before about our mission to secure the internet. Recently, I was challenged further: Why do you care about securing the internet? This question gets at the heart of CoreOS, and deserves a well-articulated answer. Securing the internet is key to preserving our privacy, and ultimately our freedoms.

Background on the Stack Clash

Security researchers at Qualys recently disclosed new techniques to exploit stack allocations on several operating systems, even in the face of a number of security measures. Qualys was able to find numerous local-root exploits — exploits which allow local users of a system to gain root privileges — by applying stack allocation techniques against various pieces of userspace software.

An admission plugin security vulnerability related to PodSecurityPolicies was patched with the release of Kubernetes v1.5.5. This vulnerability could allow users to make use of any PodSecurityPolicies object, including those they are not authorized to use.

Am I affected by this vulnerability?

This vulnerability only affects Kubernetes v1.5.0-1.5.4 and, more specifically, installations that do all of the following:

A critical security bug has been found and fixed in Kubernetes TLS client authentication. This vulnerability affects Kubernetes v1.4.2 and older, and has been fixed in Kubernetes v1.4.3 and higher.

Identifying Affected Systems

To determine if a Kubernetes cluster is currently running a vulnerable version, run:

Update 2 (May 19): Read the post-mortem blog post dissecting this vulnerability and the CoreOS response

Update 1 (May 16 04:28 PDT): 99% of affected hosts have been updated

We are happy to announce that Quay Security Scanner is now available in the latest release (v1.16.0) of Quay Enterprise, the on-premises version of the Quay container registry by CoreOS. This release marks the Quay Security Scanner feature as enterprise-ready. When this feature is enabled in Quay Enterprise, all container images in the registry are indexed and cross-referenced against public vulnerability databases.

You may have heard that the open source project Clair by CoreOS recently released version 1.0. If you’ve been following along, you may also know that Quay’s Security Scanner, a container registry feature that analyzes container images for known vulnerabilities, is based on Clair. Quay Security Scanner now has an entirely new interface atop the Clair 1.0 APIs and PostgreSQL backend.
