
Kubernetes Has a ‘Windows Running as Root’ Problem

A new security issue has been discovered in Kubernetes that could allow Windows workloads to run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true.
Sep 29th, 2022 6:43am by

Windows workloads running as a Kubernetes Container Administrator when it’s expressly forbidden? That’s unexpected.

We all know that one of the dumbest things you can do is run containers with root privileges. It doesn’t stop people from doing it, but at least they usually know they’re asking for trouble. Now, the Kubernetes Security Response Committee has reported a security bug, CVE-2021-25749, that enabled Windows workloads to run as Kubernetes Container Administrator in their containers even when the runAsNonRoot option is set to true.

Whoops!

The Problem

Specifically, the issue allows Windows workloads to run as ContainerAdministrator even when the pod sets runAsNonRoot to true. You can spot attempts to exploit it by checking your Kubernetes audit logs for misspelled user names, which may indicate someone trying to bypass the non-root pod restriction. If you find evidence of such an exploit, please contact security@kubernetes.io.
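As an added example (not from the article or the Kubernetes project), here is a small Python scanner that applies that advice to API-server audit log lines: it flags pod writes whose Windows runAsUserName contradicts runAsNonRoot: true. It assumes audit logging at the RequestResponse level (so the pod spec is recorded in requestObject) and that ContainerUser is the account such pods are expected to use; both are assumptions to adjust for your cluster.

```python
import difflib
import json
import re
# Assumption for this example: pods with runAsNonRoot: true are expected to run as ContainerUser.
EXPECTED_NONROOT_USERS = {"ContainerUser"}

def normalize(name):
    """Lower-case and drop non-alphanumerics so spelling variants compare alike."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def review_reason(run_as_non_root, user_name):
    """Why a Windows runAsUserName needs a look, or None if it looks fine."""
    if not run_as_non_root or user_name is None or user_name in EXPECTED_NONROOT_USERS:
        return None
    similarity = difflib.SequenceMatcher(None, normalize(user_name), "containeradministrator").ratio()
    if similarity >= 0.85:
        return "resembles ContainerAdministrator"
    return "not an expected non-root Windows account"

def scan_audit_log(lines):
    """Audit events, one JSON object per line (RequestResponse level, so requestObject is
    present): flag pod writes whose user name contradicts runAsNonRoot: true."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "pods" or ev.get("verb") not in ("create", "update", "patch"):
            continue
        spec = (ev.get("requestObject") or {}).get("spec") or {}
        pod_sc = spec.get("securityContext") or {}
        pod_nonroot = pod_sc.get("runAsNonRoot", False)
        pod_user = (pod_sc.get("windowsOptions") or {}).get("runAsUserName")
        for c in spec.get("containers") or []:
            sc = c.get("securityContext") or {}  # container settings override pod-level ones
            user = (sc.get("windowsOptions") or {}).get("runAsUserName", pod_user)
            reason = review_reason(sc.get("runAsNonRoot", pod_nonroot), user)
            if reason:
                findings.append({"requester": (ev.get("user") or {}).get("username"),
                                 "pod": f"{ref.get('namespace')}/{ref.get('name')}",
                                 "container": c.get("name"), "runAsUserName": user, "reason": reason})
    return findings

# Constructed sample audit line (not real cluster data): runAsNonRoot at pod level, odd name below.
SAMPLE_LINE = json.dumps({"verb": "create", "user": {"username": "dev-b"},
    "objectRef": {"resource": "pods", "namespace": "apps", "name": "odd"},
    "requestObject": {"spec": {"securityContext": {"runAsNonRoot": True}, "containers": [
        {"name": "web", "securityContext": {"windowsOptions": {"runAsUserName": "ContainerAdminstrator"}}}]}}})
```

Feed it the audit log with `scan_audit_log(open("audit.log"))` and review each finding; the "requester" field is the identity that made the API call.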

While the problem isn’t that bad — it has a low Common Vulnerability Scoring System (CVSS) rating of 3.4 — it’s still worrisome. Red Hat thinks it’s a bit nastier than that, with a CVSS score of 3.8. Still, Red Hat’s security team notes that both its attack complexity and the privileges required to pull off an attack with it are high.

Unfortunately, there is no way to mitigate it other than upgrading. It affects the following kubelet versions:

  • kubelet v1.20 – v1.21
  • kubelet v1.22.0 – v1.22.13
  • kubelet v1.23.0 – v1.23.10
  • kubelet v1.24.0 – v1.24.4

The Fix

But there is a simple fix: upgrade to a patched version. These are:

  • kubelet v1.22.14
  • kubelet v1.23.11
  • kubelet v1.23.5
  • kubelet v1.25.0

To pull this off, you’ll need to follow the instructions on how to upgrade a Kubernetes cluster.

That done, you can leave this worry aside and go back to doing your regularly scheduled battle with Kubernetes clusters.
