
build/gci: bump CNI version to 0.7.5 - CVE-2019-9946 #75455

Merged
merged 1 commit into from Mar 18, 2019

Conversation

@dcbw
Member

commented Mar 18, 2019

Update CI and other infrastructure to use the CNI plugins v0.7.5 to pick up fixes to portmap and other plugins. @thockin @bboreham @squeed @philips

/kind bug

NONE

Update from Brandon @philips of the Kubernetes Security Committee:

A security issue was discovered with interactions between the CNI (Container Networking Interface) portmap plugin versions prior to 0.7.5 and Kubernetes. The CNI portmap plugin is embedded into Kubernetes releases so new releases of Kubernetes are required to fix this issue. The issue is Medium and upgrading to Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0 is encouraged to fix this issue if this plugin is used in your environment.

Am I vulnerable?

As this affects a Kubernetes plugin interface it is difficult to say with certainty without a complete understanding of your Kubernetes configuration. The issue was identified in a configuration of kube-proxy in IPVS mode along with a pod using a HostPort. However, other network configurations may use the CNI portmap plugin as well.

Run kubectl version --short | grep Server and if it does not say 1.11.9, 1.12.7, 1.13.5, and 1.14.0 or newer you are running a vulnerable version if paired with a CNI configuration that uses the portmap plugin.

How do I upgrade?

Follow your management tool or vendor instructions to upgrade to the latest release of Kubernetes.

Vulnerability Details

Before this fix the 'portmap' plugin, used to set up HostPorts for CNI, would insert rules at the front of the iptables nat chains; which would take precedence over the KUBE-SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules like NodePorts later in the chain.

Switching the portmap plugin to append its rules, rather than prepend, allows traffic to be processed by KUBE-SERVICES rules first. Only if traffic does not match a service will it be considered for HostPorts. This is compatible with the behavior of the legacy ‘kubenet’ network driver.

See the GitHub issue for details. #75455 and containernetworking/plugins#269

Thank you

Thank you to Etienne Champetier of Anevia for identifying the issue, Tim Hockin, Dan Williams, Casey Callendrello, Dujun, Tim Pepper, and the patch release managers for the coordination in making this release.
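To make the ordering argument in the Vulnerability Details concrete, here is an added Python model written for this page; it is not code from this PR, from kube-proxy or from the portmap plugin. It flattens the jump into KUBE-SERVICES down to a single service rule, inserts a HostPort rule either at the front (`iptables -I`, the pre-0.7.5 behaviour) or at the end (`iptables -A`, the 0.7.5 behaviour) of a first-match chain, and shows which rule wins for the same packet. A second function applies the same idea as a defender's check over `iptables -t nat -S PREROUTING` output: it reports whether the jump to CNI-HOSTPORT-DNAT comes after the jump to KUBE-SERVICES. All addresses, ports, rule comments and listings are constructed for the example and are assumptions, not values from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Toy first-match model of the iptables nat PREROUTING chain. The jump into
# KUBE-SERVICES is flattened into one service rule so the ordering effect is
# visible; real chains carry many more rules and sub-chains.


@dataclass(frozen=True)
class Rule:
    name: str
    dst_ip: Optional[str]  # None = matches any destination address (HostPort style)
    dport: int
    target: str            # DNAT destination "ip:port"

    def matches(self, dst_ip: str, dport: int) -> bool:
        return dport == self.dport and (self.dst_ip is None or self.dst_ip == dst_ip)


class NatChain:
    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def insert(self, rule: Rule) -> None:
        self.rules.insert(0, rule)   # iptables -I: rule goes to the front

    def append(self, rule: Rule) -> None:
        self.rules.append(rule)      # iptables -A: rule goes to the end

    def lookup(self, dst_ip: str, dport: int) -> Tuple[str, str]:
        """First matching rule wins, as with a terminating DNAT target."""
        for rule in self.rules:
            if rule.matches(dst_ip, dport):
                return rule.name, rule.target
        return "no-match", f"{dst_ip}:{dport}"


# Constructed sample rules (addresses and ports are illustrative assumptions).
SERVICE_RULE = Rule("KUBE-SVC-web", "10.96.0.10", 8080, "10.244.1.5:8080")
HOSTPORT_RULE = Rule("CNI-HOSTPORT-DNAT", None, 8080, "10.244.2.7:80")


def build_chain(portmap_prepends: bool) -> NatChain:
    chain = NatChain()
    chain.append(SERVICE_RULE)         # kube-proxy's service rule is already present
    if portmap_prepends:
        chain.insert(HOSTPORT_RULE)    # portmap < 0.7.5: HostPort rule shadows the service
    else:
        chain.append(HOSTPORT_RULE)    # portmap >= 0.7.5: service rules are consulted first
    return chain


def resolve(portmap_prepends: bool, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Which rule handles a packet to dst_ip:dport under each insertion mode."""
    return build_chain(portmap_prepends).lookup(dst_ip, dport)


_JUMP = re.compile(r"^-A PREROUTING\b.*\s-j\s+(\S+)\s*$")


def hostport_after_services(iptables_s_output: str) -> bool:
    """Check `iptables -t nat -S PREROUTING` output: True when the jump to
    CNI-HOSTPORT-DNAT is listed after the jump to KUBE-SERVICES."""
    positions: Dict[str, int] = {}
    for idx, line in enumerate(iptables_s_output.splitlines()):
        m = _JUMP.match(line.strip())
        if m and m.group(1) in ("KUBE-SERVICES", "CNI-HOSTPORT-DNAT"):
            positions.setdefault(m.group(1), idx)   # first occurrence decides
    return ("KUBE-SERVICES" in positions and "CNI-HOSTPORT-DNAT" in positions
            and positions["CNI-HOSTPORT-DNAT"] > positions["KUBE-SERVICES"])


# Constructed listings in `iptables -S` format (assumed shape, not captured from a node).
VULNERABLE_LISTING = """\
-P PREROUTING ACCEPT
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
"""
FIXED_LISTING = """\
-P PREROUTING ACCEPT
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
"""

if __name__ == "__main__":
    for prepends in (True, False):
        mode = "prepend" if prepends else "append"
        print(mode, resolve(prepends, "10.96.0.10", 8080))
    print("vulnerable listing ordered correctly?", hostport_after_services(VULNERABLE_LISTING))
    print("fixed listing ordered correctly?", hostport_after_services(FIXED_LISTING))
```

With the HostPort rule prepended, a packet addressed to the service IP on port 8080 is DNATed by CNI-HOSTPORT-DNAT and never reaches the more specific service rule; with it appended, the service rule wins and only traffic that matches no service (for example a packet to a node address on 8080) falls through to the HostPort. On a live node the same ordering check can be run by feeding the real `iptables -t nat -S PREROUTING` output to `hostport_after_services`.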

@spiffxp

Member

commented Mar 18, 2019

/milestone v1.14
/priority important-soon

@spiffxp

Member

commented Mar 18, 2019

/approve
for cluster and test

@thockin

Member

commented Mar 18, 2019

I'm OK with updating this. I am a little dismayed at the state of automation around this. Maybe a 2019 effort to clean this up is in order :)

I'll approve now, but let's keep a close eye on tests, maybe force them to re-run a few times just to be sure.

/approve

@k8s-ci-robot

Contributor

commented Mar 18, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dcbw, spiffxp, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@spiffxp

Member

commented Mar 18, 2019

/lgtm

@dcbw

Member Author

commented Mar 18, 2019

@thockin should we do-no-merge/hold until we soak it a couple times? I don't recall the exact / incantation, and I can't manually add/remove labels through github for some reason, so I'll leave that determination to you...

@k8s-ci-robot k8s-ci-robot merged commit 39277cd into kubernetes:master Mar 18, 2019

16 of 17 checks passed

pull-kubernetes-local-e2e: Job triggered.
cla/linuxfoundation: dcbw authorized
pull-kubernetes-bazel-build: Job succeeded.
pull-kubernetes-bazel-test: Job succeeded.
pull-kubernetes-conformance-image-test: Skipped.
pull-kubernetes-cross: Job succeeded.
pull-kubernetes-e2e-gce: Job succeeded.
pull-kubernetes-e2e-gce-100-performance: Job succeeded.
pull-kubernetes-e2e-gce-device-plugin-gpu: Job succeeded.
pull-kubernetes-godeps: Job succeeded.
pull-kubernetes-integration: Job succeeded.
pull-kubernetes-kubemark-e2e-gce-big: Job succeeded.
pull-kubernetes-node-e2e: Job succeeded.
pull-kubernetes-typecheck: Job succeeded.
pull-kubernetes-verify: Job succeeded.
pull-publishing-bot-validate: Skipped.
tide: In merge pool.

@dcbw

Member Author

commented Mar 18, 2019

OK, I guess we missed the do-no-merge/hold window to soak this a couple times... yay for CNI API stability? :)

@k8s-ci-robot

Contributor

commented Mar 19, 2019

@dcbw: The following test failed, say /retest to rerun them all:

Test name: pull-kubernetes-local-e2e
Commit: bfd8ad3
Rerun command: /test pull-kubernetes-local-e2e

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@tpepper

Contributor

commented Mar 19, 2019

This seems like a release note of "bump CNI version to 0.7.5" would have been in order.

@neolit123

Member

commented Mar 20, 2019

@dcbw why are we backporting this bump?
if it's not a critical bug fix (e.g. panics, security fixes etc), we shouldn't backport such bumps.

cc @timothysc

@ncdc

Member

commented Mar 20, 2019

@neolit123 this is against the master branch so it's not a backport?

@bboreham

Contributor

commented Mar 20, 2019

Also it includes a security fix.

@neolit123

Member

commented Mar 20, 2019

@ncdc there are some xref-ed cherry pick PRs above.

@bboreham

Also it includes a security fix.

it was not outlined in the PR.
where can we read more about it?

@bboreham

Contributor

commented Mar 20, 2019

(a) I can't find the CVE and (b) I'm fairly sure it's embargoed. Sorry.

@timothysc

Member

commented Mar 20, 2019

If it is a CVE then there would also be a cherry-pick.

@neolit123

Member

commented Mar 20, 2019

ok, in that case we should bump this in the remaining locations - e.g. k8s debs and rpms.

k8s-ci-robot added a commit that referenced this pull request Mar 20, 2019
Merge pull request #75464 from philips/automated-cherry-pick-of-#7545…
…5-upstream-release-1.11

Automated cherry pick of #75455: build/gci: bump CNI version to 0.7.5
k8s-ci-robot added a commit that referenced this pull request Mar 21, 2019
Merge pull request #75462 from philips/automated-cherry-pick-of-#7545…
…5-upstream-release-1.13

Automated cherry pick of #75455: build/gci: bump CNI version to 0.7.5
k8s-ci-robot added a commit that referenced this pull request Mar 21, 2019
Merge pull request #75463 from philips/automated-cherry-pick-of-#7545…
…5-upstream-release-1.12

Automated cherry pick of #75455: build/gci: bump CNI version to 0.7.5
justinsb added a commit to justinsb/kops that referenced this pull request Mar 26, 2019
@justinsb justinsb referenced this pull request Mar 26, 2019
justinsb added a commit to justinsb/kops that referenced this pull request Mar 26, 2019
@mboersma mboersma referenced this pull request Mar 27, 2019
2 of 5 tasks complete
justinsb added a commit to justinsb/kops that referenced this pull request Mar 28, 2019

@philips philips changed the title build/gci: bump CNI version to 0.7.5 build/gci: bump CNI version to 0.7.5 - CVE-2019-9946 Mar 28, 2019
