As Red Hat’s Ashesh Badani wrote, “This is a big deal. Not only can this actor steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization’s firewall.”
Kubernetes says its new release 1.13 addresses the privilege escalation flaw, tracked as CVE-2018-1002105. Other companies, including Red Hat and Microsoft, issued patches for their Kubernetes-based products.
Microsoft’s Azure Kubernetes Service “has patched all affected clusters by overriding the default Kubernetes configuration to remove unauthenticated access to the entry points that exposed the vulnerability,” the company said in a blog.
Meanwhile, Kubernetes 1.13 is short and sweet. It’s the fourth and final release of the year, and “one of the shortest releases to date at 10 weeks,” according to the release team. It focuses on storage and cluster lifecycle and adds simplified cluster management with kubeadm, Container Storage Interface (CSI), and CoreDNS as the default DNS.
Kubeadm, a tool for managing the cluster lifecycle, is now generally available in 1.13. It handles bootstrapping production clusters on existing hardware and configuring the core Kubernetes components.
The Container Storage Interface (CSI) is also now generally available. It allows third-party storage providers to write plugins that interoperate with Kubernetes without having to touch the core code.
And finally, in 1.13, CoreDNS replaces kube-dns as the default DNS server for Kubernetes.