A vulnerability in dnsmasq, which is used by kube-dns, requires an upgrade of the kube-dns component. kube-dns is the default DNS component installed in Kubernetes. The vulnerability may be externally exploitable. The links below give the full detail of the CVE. This is not a Kubernetes-specific vulnerability; it exists in dnsmasq itself.
kops release 1.7.1 addresses this CVE. This version of kops applies the fix both when upgrading and when creating clusters. The kops 1.8.0.alpha.1 release does not contain the required changes, but 1.8.0.alpha.2, when released, will contain the required patches.
The kube-dns deployment will be automatically upgraded when `kops update cluster` is executed. Replace `my-cluster.example.com` with the name of your cluster. If you are upgrading a Kubernetes 1.4.x or 1.5.x cluster you may need to follow the instructions below to create the required configmap for kube-dns.

Upgrade command:

```bash
kops update cluster --yes --name my-cluster.example.com
```

Validate the change was applied to the deployment:

```bash
kubectl get deployment -n kube-system kube-dns \
  -o jsonpath='{.spec.template.spec.containers[?(@.name == "dnsmasq")].image}'
```

The upgrade will occur once the channels utility picks up the change, within a few minutes.
Kubernetes versions 1.5.8, 1.6.11, 1.7.7, and 1.8.0 have been fully tested with the new version of the kube-dns deployment. Other versions should function, but upgrading to a tested version is recommended. We have had 1.4.x users upgrade successfully, but we cannot validate full production stability. Local testing in a non-production environment is always recommended. We are not able to quantify the risk of using a non-tested version.
The fix is planned for the 1.8.x kops releases. The 1.7.1 release ships with the needed changes. If you are using the 1.8.x alpha releases, we recommend applying the hotfixes.
kops Version | Fixed | Released | Will Fix | URL |
---|---|---|---|---|
1.7.1 | Y | Y | N/A | here |
master | Y | N | N/A | here |
1.8.0 | N | N | Y | N/A |
1.8.0.alpha.1 | N | Y | N | N/A |
1.7.0 | N | Y | N | N/A |
- Filed by @chrislovecnm #3512
The minimal fix is just to update the container for the pods using dnsmasq. You are able to apply this fix without downtime. Hotfix instructions differ between Kubernetes releases. The newer version of kube-dns includes the `k8s-dns-dnsmasq-nanny-amd64` container.
Apply the update to the container:

```bash
kubectl set image deployment/kube-dns -n kube-system \
  dnsmasq=gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.5
```

Validate the change was applied to the deployment:

```bash
kubectl get deployment -n kube-system kube-dns \
  -o jsonpath='{.spec.template.spec.containers[?(@.name == "dnsmasq")].image}'
```

To verify that pods were deployed:

```bash
kubectl get pods -n kube-system -o \
  custom-columns=NAME:.metadata.name,IMAGE:.spec.containers[*].image \
  -l k8s-app=kube-dns
```

You should see version 1.14.5 for the `k8s-dns-dnsmasq-nanny-amd64` container:

```text
NAME                        IMAGE
kube-dns-1100866048-3lqm0   gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.5,gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.5,gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.5
kube-dns-1100866048-tjlv2   gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.5,gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.5,gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.5
```
For the older kube-dns deployment, which uses the `k8s-dns-dnsmasq-amd64` container rather than the nanny (see the note above about Kubernetes 1.4.x and 1.5.x clusters), first check whether you have the new configmap for kube-dns. A configmap is required for the 1.14.5 containers, and kube-dns will NOT start without it.

```bash
kubectl -n kube-system get configmap kube-dns
```

If the configmap does not exist, create an empty configmap:

```bash
kubectl create configmap -n kube-system kube-dns
```
Upgrade the kube-dns container to the new version:

```bash
kubectl set image deployment/kube-dns -n kube-system \
  dnsmasq=gcr.io/google_containers/k8s-dns-dnsmasq-amd64:1.14.5
```

Validate the change was applied to the deployment:

```bash
kubectl get deployment -n kube-system kube-dns \
  -o jsonpath='{.spec.template.spec.containers[?(@.name == "dnsmasq")].image}'
```

To verify that pods were deployed:

```bash
kubectl get pods -n kube-system -o \
  custom-columns=NAME:.metadata.name,IMAGE:.spec.containers[*].image \
  -l k8s-app=kube-dns
```

You should see version 1.14.5 for the dnsmasq container:

```text
NAME                        IMAGE
kube-dns-4146767324-djthf   gcr.io/google_containers/kubedns-amd64:1.9,gcr.io/google_containers/k8s-dns-dnsmasq-amd64:1.14.5,gcr.io/google_containers/dnsmasq-metrics-amd64:1.0,gcr.io/google_containers/exechealthz-amd64:1.2
kube-dns-4146767324-kloxi   gcr.io/google_containers/kubedns-amd64:1.9,gcr.io/google_containers/k8s-dns-dnsmasq-amd64:1.14.5,gcr.io/google_containers/dnsmasq-metrics-amd64:1.0,gcr.io/google_containers/exechealthz-amd64:1.2
```
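As an added example (not part of this advisory and not kops code), the following POSIX shell script automates the pod verification step shown for both hotfix paths above; the same check applies after a `kops update cluster` upgrade. It reads the listing produced by the advisory's `kubectl get pods ... custom-columns` command and fails unless every kube-dns pod carries a `k8s-dns-dnsmasq-nanny-amd64` or `k8s-dns-dnsmasq-amd64` image tagged 1.14.5 or later, so a partially rolled-out deployment is caught rather than eyeballed. The two image names and the 1.14.5 threshold come from the advisory; the function names, the embedded sample listings used for the offline run, and the older tag in the second sample are constructed for this example.

```shell
#!/bin/sh
# Added example (not kops code): verify that every kube-dns pod runs a patched
# dnsmasq image, using the same pod listing the advisory asks you to inspect.
set -eu

# Lowest dnsmasq image tag the advisory names as containing the fix.
MIN_TAG="1.14.5"

# version_ge A B: succeeds when dotted numeric version A is >= B.
# Pure POSIX sh (no `sort -V`); rejects anything that is not digits and dots.
version_ge() {
  a=$1 b=$2
  [ -n "$a" ] && [ -n "$b" ] || return 1
  case "$a$b" in *[!0-9.]*) return 1 ;; esac
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    # Drop the component just read; clear the string when it was the last one.
    [ "$a" = "$x" ] && a='' || a=${a#*.}
    [ "$b" = "$y" ] && b='' || b=${b#*.}
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# dnsmasq_image_patched IMAGE: succeeds when IMAGE is one of the two dnsmasq
# images named in the advisory and its tag is >= MIN_TAG. Untagged or
# digest-pinned references cannot be judged by tag and are reported unpatched.
dnsmasq_image_patched() {
  image=$1
  case "$image" in *:*) ;; *) return 1 ;; esac
  tag=${image##*:}
  repo=${image%:*}
  iname=${repo##*/}
  case "$iname" in
    k8s-dns-dnsmasq-nanny-amd64|k8s-dns-dnsmasq-amd64) ;;
    *) return 1 ;;
  esac
  version_ge "$tag" "$MIN_TAG"
}

# check_pods_output: reads the `kubectl get pods -o custom-columns=NAME:...,IMAGE:...`
# listing on stdin (one pod per line, images comma-separated) and prints one
# OK/FAIL line per pod. Exit status is non-zero if any pod lacks a patched dnsmasq.
check_pods_output() {
  rc=0
  while read -r name images; do
    [ -z "$name" ] && continue          # blank line
    [ "$name" = "NAME" ] && continue    # column header
    found=no
    rest=$images
    while [ -n "$rest" ]; do
      img=${rest%%,*}
      [ "$rest" = "$img" ] && rest='' || rest=${rest#*,}
      if dnsmasq_image_patched "$img"; then found=yes; fi
    done
    if [ "$found" = yes ]; then
      echo "OK   $name"
    else
      echo "FAIL $name: no dnsmasq image at or above $MIN_TAG"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample listings in the shape of the advisory's expected output.
# The first is fully patched; the second pod of the second listing carries an
# older tag (constructed) to show the failure path.
SAMPLE_PATCHED='NAME IMAGE
kube-dns-1100866048-3lqm0 gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.5,gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.5,gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.5
kube-dns-1100866048-tjlv2 gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.5,gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.5,gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.5'
SAMPLE_STALE='NAME IMAGE
kube-dns-4146767324-djthf gcr.io/google_containers/kubedns-amd64:1.9,gcr.io/google_containers/k8s-dns-dnsmasq-amd64:1.14.5,gcr.io/google_containers/dnsmasq-metrics-amd64:1.0
kube-dns-4146767324-kloxi gcr.io/google_containers/kubedns-amd64:1.9,gcr.io/google_containers/k8s-dns-dnsmasq-amd64:1.14.1,gcr.io/google_containers/dnsmasq-metrics-amd64:1.0'

# Live use (manual): pipe the advisory's own pod listing command into the checker.
#   kubectl get pods -n kube-system \
#     -o custom-columns=NAME:.metadata.name,IMAGE:.spec.containers[*].image \
#     -l k8s-app=kube-dns | check_pods_output
# Offline demo on the constructed samples: run this file with --demo.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_PATCHED" | check_pods_output
  printf '%s\n' "$SAMPLE_STALE" | check_pods_output || echo "stale pod found (expected for the second sample)"
fi
```

The check deliberately looks at every pod rather than only the deployment template, because `kubectl set image` updates the template immediately while the old pods linger until the rollout finishes; a non-zero exit from `check_pods_output` is the signal to wait or to inspect the rollout before considering the hotfix applied.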
Thanks to all who helped: @mikesplain, @chrislovecnm, @snoby, @justinsb, @3h4x, @aaronlevy