We have released Kubernetes 1.7.14 <https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.7.md#v1714>, 1.8.9 <https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.8.md#v189>, and 1.9.4 <https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.9.md#v194> to address two security issues in the Kubernetes volume subsystem. We recommend all clusters update to one of these releases immediately.
In addition to upgrading, PodSecurityPolicy objects designed to limit container permissions must be modified to completely disable hostPath volumes <https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems>, as the allowedHostPaths feature does not restrict symlink creation and traversal.

CVE-2017-1002101

This vulnerability allows containers using subpath volume mounts <https://kubernetes.io/docs/concepts/storage/volumes/#using-subpath> with any volume type (including non-privileged pods, subject to file permissions) to access files/directories outside of the volume, including the host’s filesystem. See Kubernetes issue #60813 <https://issue.k8s.io/60813> for details.

Thanks to Maxim Ivanov for reporting this problem.

CVE-2017-1002102

This vulnerability allows containers using a secret, configMap, projected or downwardAPI volume to trigger deletion of arbitrary files/directories from the nodes where they are running. See Kubernetes issue #60814 <https://issue.k8s.io/60814> for details.

Thanks to Joel Smith of Red Hat for reporting this problem.

As a reminder, if you find a security vulnerability in Kubernetes, please report it following the security disclosure process <https://kubernetes.io/security/>.

Thanks,
Jordan Liggitt (on behalf of the Kubernetes Product Security Team)
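The announcement says PodSecurityPolicy objects must stop allowing hostPath entirely because allowedHostPaths only narrows the mount prefix and does nothing about symlinks created inside the mount. The audit below is an added example written for this page, not code from the announcement or from the Kubernetes project: it walks PSP objects as returned by the API (the spec.volumes and spec.allowedHostPaths fields are real PSP fields) and flags any policy that still lists hostPath or the "*" wildcard, deliberately ignoring allowedHostPaths. The sample PSPs, the script name psp_hostpath_audit.py and the kubectl pipeline in the docstring are constructed for illustration.

```python
"""Audit PodSecurityPolicy objects for residual hostPath exposure.

allowedHostPaths restricts which host directories may be mounted, but not
what a symlink created inside that directory can point at, so the only
policy-level fix is to drop hostPath (and "*") from spec.volumes.

Assumed usage against a live cluster (not part of the advisory):

    kubectl get psp -o json | python3 psp_hostpath_audit.py
"""
import json
import sys

HOST_PATH = "hostPath"
WILDCARD = "*"


def psp_allows_host_path(psp):
    """True if the PSP permits hostPath volumes in any form.

    A missing or empty spec.volumes means no volume types are allowed, so
    it is safe. spec.allowedHostPaths is intentionally not consulted: a
    prefix restriction does not contain symlink traversal.
    """
    volumes = psp.get("spec", {}).get("volumes") or []
    return WILDCARD in volumes or HOST_PATH in volumes


def audit(items):
    """Return the names of the PSPs that still allow hostPath, in input order."""
    return [psp["metadata"]["name"] for psp in items if psp_allows_host_path(psp)]


# Constructed sample PSPs (not from any real cluster).
# Weak: looks restrictive because of allowedHostPaths, but hostPath is still on.
WEAK_PSP = {
    "apiVersion": "extensions/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "restricted-allowed-hostpaths"},
    "spec": {
        "privileged": False,
        "volumes": ["configMap", "emptyDir", "secret", HOST_PATH],
        "allowedHostPaths": [{"pathPrefix": "/var/log"}],  # does not stop symlinks
        "runAsUser": {"rule": "MustRunAsNonRoot"},
        "seLinux": {"rule": "RunAsAny"},
        "supplementalGroups": {"rule": "RunAsAny"},
        "fsGroup": {"rule": "RunAsAny"},
    },
}

# Fixed: same policy with hostPath removed from the allowed volume types.
FIXED_PSP = {
    "apiVersion": "extensions/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "restricted"},
    "spec": {
        "privileged": False,
        "volumes": ["configMap", "emptyDir", "projected", "secret",
                    "downwardAPI", "persistentVolumeClaim"],
        "runAsUser": {"rule": "MustRunAsNonRoot"},
        "seLinux": {"rule": "RunAsAny"},
        "supplementalGroups": {"rule": "RunAsAny"},
        "fsGroup": {"rule": "RunAsAny"},
    },
}

# A wildcard volume list allows hostPath implicitly and is flagged as well.
PRIVILEGED_PSP = {
    "apiVersion": "extensions/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "privileged"},
    "spec": {"privileged": True, "volumes": [WILDCARD]},
}

SAMPLE_PSPS = [WEAK_PSP, FIXED_PSP, PRIVILEGED_PSP]


def main():
    """Read a PSP or PSP List from stdin; exit 1 if any policy allows hostPath."""
    doc = json.load(sys.stdin)
    items = doc.get("items", [doc])
    flagged = audit(items)
    for name in flagged:
        print(f"{name}: allows hostPath; remove hostPath and '*' from spec.volumes")
    return 1 if flagged else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run on the constructed samples, the audit flags restricted-allowed-hostpaths and privileged and passes restricted; in a real cluster, feed it the kubectl output and treat a non-zero exit as a policy that still needs the change the announcement describes.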