build/gci: bump CNI version to 0.7.5 - CVE-2019-9946 #75455
Conversation
/milestone v1.14

/approve

I'm OK with updating this. I am a little dismayed at the state of automation around this. Maybe a 2019 effort to clean this up is in order :) I'll approve now, but let's keep a close eye on tests, maybe force them to re-run a few times just to be sure. /approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dcbw, spiffxp, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing

/lgtm

@thockin should we do-not-merge/hold until we soak it a couple times? I don't recall the exact / incantation, and I can't manually add/remove labels through github for some reason, so I'll leave that determination to you...

OK, I guess we missed the do-not-merge/hold window to soak this a couple times... yay for CNI API stability? :)
@dcbw: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

This seems like a release note of "bump CNI version to 0.7.5" would have been in order.

@dcbw why are we backporting this bump? cc @timothysc

@neolit123 this is against the

Also it includes a security fix.

(a) I can't find the CVE and (b) I'm fairly sure it's embargoed. Sorry.

If it is a CVE then there would also be a cherry-pick.

ok, in that case we should bump this in the remaining locations - e.g. k8s debs and rpms.
…5-upstream-release-1.11 Automated cherry pick of #75455: build/gci: bump CNI version to 0.7.5
…5-upstream-release-1.13 Automated cherry pick of #75455: build/gci: bump CNI version to 0.7.5
…5-upstream-release-1.12 Automated cherry pick of #75455: build/gci: bump CNI version to 0.7.5
Equivalent of kubernetes/kubernetes#75455
Update CI and other infrastructure to use the CNI plugins v0.7.5 to pick up fixes to portmap and other plugins. @thockin @bboreham @squeed @philips
/kind bug
Update from Brandon @philips of the Kubernetes Security Committee:
A security issue was discovered with interactions between the CNI (Container Networking Interface) portmap plugin versions prior to 0.7.5 and Kubernetes. The CNI portmap plugin is embedded into Kubernetes releases so new releases of Kubernetes are required to fix this issue. The issue is Medium and upgrading to Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0 is encouraged to fix this issue if this plugin is used in your environment.
Am I vulnerable?
As this affects a Kubernetes plugin interface it is difficult to say with certainty without a complete understanding of your Kubernetes configuration. The issue was identified in a configuration of kube-proxy in IPVS mode along with a pod using a HostPort. However, other network configurations may use the CNI portmap plugin as well.
Run
kubectl version --short | grep Server
and if it does not say 1.11.9, 1.12.7, 1.13.5, or 1.14.0 or newer, you are running a vulnerable version if paired with a CNI configuration that uses the portmap plugin.
How do I upgrade?
Follow your management tool or vendor instructions to upgrade to the latest release of Kubernetes.
Vulnerability Details
Before this fix the 'portmap' plugin, used to set up HostPorts for CNI, would insert rules at the front of the iptables nat chains, which would take precedence over the KUBE-SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better-fitting, more specific service definition rules like NodePorts later in the chain.
Switching the portmap plugin to append its rules, rather than prepend, allows traffic to be processed by KUBE-SERVICES rules first. Only if traffic does not match a service will it be considered for HostPorts. This is compatible with the behavior of the legacy ‘kubenet’ network driver.
See the GitHub issue for details. #75455 and containernetworking/plugins#269
Thank you
Thank you to Etienne Champetier of Anevia for identifying the issue, Tim Hockin, Dan Williams, Casey Callendrello, Dujun, Tim Pepper, and the patch release managers for the coordination in making this release.
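The rule-ordering problem the advisory describes comes down to iptables first-match semantics: whichever jump sits earlier in nat PREROUTING decides the packet, so prepending the portmap jump (iptables -I) lets a HostPort rule shadow a NodePort on the same port, while appending it (iptables -A) lets KUBE-SERVICES see the packet first. The following Go program is an added example written for this page, not code from the CNI plugins or from Kubernetes: it models a nat table with first-match evaluation, installs kube-proxy's KUBE-SERVICES jump and then the portmap jump under both orderings, and shows where a packet to tcp/30080 ends up. The chain names are the real ones; the endpoint and pod addresses, the port collision, the single-rule chains, and the reduction of matching to protocol and destination port are all assumptions made for illustration (real portmap rules also match --dst-type LOCAL and use per-container chains).

```go
package main

import "fmt"

// Added example: a toy model of iptables nat-table evaluation, not code from
// the CNI plugins or Kubernetes. Chain names are the real ones; the IPs,
// ports and the single-rule chains are constructed for illustration.

// Packet holds the only header fields these nat rules look at.
type Packet struct {
	Proto   string
	DstPort int
}

// Rule matches on protocol and destination port (zero means "any") and then
// either jumps to another chain or terminates with a DNAT rewrite.
type Rule struct {
	Proto   string
	DstPort int
	Jump    string // user chain to traverse; empty for a terminating rule
	DNAT    string // "ip:port" the packet is rewritten to when terminating
}

// Table maps a chain name to its ordered rule list.
type Table map[string][]Rule

// Evaluate walks a chain with iptables first-match semantics: rules are tried
// top to bottom, a jump that yields no verdict returns to the caller, and the
// first terminating rule decides the packet's fate.
func (t Table) Evaluate(chain string, p Packet) (string, bool) {
	for _, r := range t[chain] {
		if r.Proto != "" && r.Proto != p.Proto {
			continue
		}
		if r.DstPort != 0 && r.DstPort != p.DstPort {
			continue
		}
		if r.Jump != "" {
			if target, ok := t.Evaluate(r.Jump, p); ok {
				return target, true
			}
			continue // implicit RETURN from the user chain: keep scanning
		}
		return r.DNAT, true
	}
	return "", false
}

// Insert models `iptables -I chain` (rule goes to the front).
func (t Table) Insert(chain string, r Rule) { t[chain] = append([]Rule{r}, t[chain]...) }

// Append models `iptables -A chain` (rule goes to the end).
func (t Table) Append(chain string, r Rule) { t[chain] = append(t[chain], r) }

// BuildNAT installs rules in the order the components do on a node:
// kube-proxy's jump to KUBE-SERVICES first, then the portmap plugin's jump
// to CNI-HOSTPORT-DNAT, prepended (portmap < 0.7.5) or appended (0.7.5).
// Both the NodePort and the HostPort use tcp/30080 so that they collide.
func BuildNAT(portmapPrepends bool) Table {
	t := Table{}
	// kube-proxy: NodePort 30080 -> a service endpoint (assumed address).
	t.Append("PREROUTING", Rule{Jump: "KUBE-SERVICES"})
	t.Append("KUBE-SERVICES", Rule{Jump: "KUBE-NODEPORTS"})
	t.Append("KUBE-NODEPORTS", Rule{Proto: "tcp", DstPort: 30080, DNAT: "10.244.1.5:8080"})
	// portmap: HostPort 30080 -> the pod that declared it (assumed address).
	t.Append("CNI-HOSTPORT-DNAT", Rule{Proto: "tcp", DstPort: 30080, DNAT: "10.244.2.9:80"})
	hostport := Rule{Jump: "CNI-HOSTPORT-DNAT"}
	if portmapPrepends {
		t.Insert("PREROUTING", hostport)
	} else {
		t.Append("PREROUTING", hostport)
	}
	return t
}

// Resolve reports where an inbound packet is DNATed under the chosen
// ordering, or "no-dnat" when no rule matches.
func Resolve(portmapPrepends bool, p Packet) string {
	if target, ok := BuildNAT(portmapPrepends).Evaluate("PREROUTING", p); ok {
		return target
	}
	return "no-dnat"
}

func main() {
	pkt := Packet{Proto: "tcp", DstPort: 30080}
	fmt.Println("portmap < 0.7.5 (-I, HostPort wins):     ", Resolve(true, pkt))
	fmt.Println("portmap 0.7.5   (-A, KUBE-SERVICES wins):", Resolve(false, pkt))
}
```

With the prepended jump the packet to the NodePort is rewritten to the HostPort pod; with the appended jump KUBE-SERVICES claims it first and the HostPort only sees traffic that matched no service, which is the kubenet-compatible behaviour the advisory describes. On a real node the same check is `iptables -t nat -S PREROUTING`: the line jumping to CNI-HOSTPORT-DNAT should come after the one jumping to KUBE-SERVICES once the fixed plugin is in place.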