Kubernetes Has a ‘Windows Running as Root’ Problem

Windows workloads running as a Kubernetes Container Administrator when it’s expressly forbidden? That’s unexpected.
We all know that one of the dumbest things you can do is run containers with root privileges. It doesn’t stop people from doing it, but at least they usually know they’re asking for trouble. Now, the Kubernetes Security Response Committee has reported a security bug, CVE-2021-25749, that enabled Windows workloads to run as Kubernetes Container Administrator in their containers even when the runAsNonRoot option is set to true.
Whoops!
The Problem
Specifically, the problem is that a “security issue” was discovered in Kubernetes that could allow Windows workloads to run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true. You can spot whether someone is trying to exploit this by checking your Kubernetes audit logs for misspelled user names. These might be proof of someone trying to bypass the user pod restriction. If you find evidence of such an exploit, please contact security@kubernetes.io.
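As an added illustration of that audit-log check (example code written for this article, not code from the Kubernetes project or its advisory), the following Python script scans audit events in JSON-lines form for pod creation requests whose Windows runAsUserName is malformed or is a non-canonical spelling of ContainerAdministrator. The audit events are constructed samples, the Windows account-name rules are a simplified version of the real ones, and the script assumes an audit policy that records pod requests at the Request or RequestResponse level so that requestObject is present.

```python
import json

# Canonical spelling of the built-in Windows container administrator account.
BUILTIN_ADMIN = "ContainerAdministrator"
# Characters not valid in a Windows account name (simplified rule set, an assumption).
ILLEGAL_CHARS = set('"/\\[]:;|=,+*?<>@')

# Constructed sample audit events, one JSON object per line (not real logs).
# requestObject is only recorded at the Request or RequestResponse audit level.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","verb":"create","user":{"username":"dev-alice"},"objectRef":{"resource":"pods","namespace":"apps","name":"web-ok"},"requestObject":{"spec":{"securityContext":{"runAsNonRoot":true,"windowsOptions":{"runAsUserName":"ContainerUser"}},"containers":[{"name":"web","image":"app:1"}]}}}
{"kind":"Event","verb":"create","user":{"username":"dev-bob"},"objectRef":{"resource":"pods","namespace":"apps","name":"web-odd"},"requestObject":{"spec":{"securityContext":{"runAsNonRoot":true,"windowsOptions":{"runAsUserName":"containeradministrator"}},"containers":[{"name":"web","image":"app:1"}]}}}
{"kind":"Event","verb":"create","user":{"username":"dev-carol"},"objectRef":{"resource":"pods","namespace":"apps","name":"web-bad"},"requestObject":{"spec":{"containers":[{"name":"web","image":"app:1","securityContext":{"runAsNonRoot":true,"windowsOptions":{"runAsUserName":"svc/acct?"}}}]}}}
{"kind":"Event","verb":"get","user":{"username":"dev-alice"},"objectRef":{"resource":"pods","namespace":"apps","name":"web-ok"}}
"""


def name_problems(name):
    """Return a list of reasons a runAsUserName looks malformed or suspicious."""
    problems = []
    if name != name.strip():
        problems.append("leading/trailing whitespace")
    parts = name.split("\\")          # optional DOMAIN\user form
    if len(parts) > 2:
        problems.append("more than one backslash")
    user = parts[-1]
    if not user or len(user) > 104:
        problems.append("user part empty or too long")
    if any(c in ILLEGAL_CHARS for c in user):
        problems.append("illegal character in user part")
    if user and all(c in ". " for c in user):
        problems.append("user part only periods/spaces")
    # A name that collapses to the admin account once case and whitespace are
    # ignored, but is not the exact canonical spelling, is the "misspelling"
    # the advisory tells you to look for.
    canonical = "".join(name.split()).casefold()
    if canonical == BUILTIN_ADMIN.casefold() and name != BUILTIN_ADMIN:
        problems.append("non-canonical spelling of ContainerAdministrator")
    return problems


def windows_user_names(pod_spec):
    """Yield (scope, runAsUserName, runAsNonRoot) from pod- and container-level contexts."""
    pod_sc = pod_spec.get("securityContext") or {}
    pod_nonroot = pod_sc.get("runAsNonRoot")
    pod_user = (pod_sc.get("windowsOptions") or {}).get("runAsUserName")
    if pod_user is not None:
        yield "pod", pod_user, pod_nonroot
    for field in ("initContainers", "containers"):
        for c in pod_spec.get(field) or []:
            sc = c.get("securityContext") or {}
            user = (sc.get("windowsOptions") or {}).get("runAsUserName")
            if user is not None:
                # Container-level runAsNonRoot overrides the pod-level value.
                yield f"container/{c.get('name')}", user, sc.get("runAsNonRoot", pod_nonroot)


def scan_audit_log(text):
    """Return findings for pod create events carrying a problematic Windows user name."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        ref = event.get("objectRef") or {}
        if event.get("verb") != "create" or ref.get("resource") != "pods":
            continue
        request = event.get("requestObject")
        if not request:
            continue  # audit level too low to inspect the pod spec
        for scope, user, nonroot in windows_user_names(request.get("spec") or {}):
            problems = name_problems(user)
            if problems:
                findings.append({
                    "pod": f"{ref.get('namespace')}/{ref.get('name')}",
                    "requested_by": (event.get("user") or {}).get("username"),
                    "scope": scope,
                    "runAsUserName": user,
                    "runAsNonRoot": nonroot,
                    "problems": problems,
                })
    return findings


if __name__ == "__main__":
    for finding in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(json.dumps(finding))
```

Feed it a real audit log file instead of SAMPLE_AUDIT_LOG to check your own cluster; any hit is worth a look, and a hit on a name that merely differs from ContainerAdministrator in case or spacing is the pattern the advisory describes.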
While the problem isn’t that bad — it has a low Common Vulnerability Scoring System (CVSS) rating of 3.4 — it’s still worrisome. Red Hat thinks it’s a bit nastier than that, with a CVSS score of 3.8. Still, Red Hat’s security team notes that both its attack complexity and the privileges required to pull off an attack with it are high.
Unfortunately, there is no way to mitigate it. It affects the following kubelet versions:
- kubelet v1.20 – v1.21
- kubelet v1.22.0 – v1.22.13
- kubelet v1.23.0 – v1.23.10
- kubelet v1.24.0 – v1.24.4
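To turn that list into a check you can run against a cluster, here is an added Python example (written for this article, not a Kubernetes project tool) that reads the JSON produced by `kubectl get nodes -o json`, pulls each node's `status.nodeInfo.kubeletVersion`, and reports every node whose kubelet falls in one of the affected ranges above. The node list in the block is constructed sample data, and the vendor suffix on one version string is made up to show that such suffixes are tolerated.

```python
import json
import re
import sys

# Affected kubelet minors (1.MINOR) with the inclusive patch range, taken from
# the list above; None means every patch release of that minor is affected.
AFFECTED_PATCH_RANGES = {
    20: (0, None),   # v1.20.x
    21: (0, None),   # v1.21.x
    22: (0, 13),     # v1.22.0 - v1.22.13
    23: (0, 10),     # v1.23.0 - v1.23.10
    24: (0, 4),      # v1.24.0 - v1.24.4
}

# Accepts "v1.24.4", "1.24.4" and vendor-suffixed forms such as "v1.24.4-eks-xyz".
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a kubelet version string."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised kubelet version: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version):
    """True if the kubelet version lies inside one of the affected ranges."""
    major, minor, patch = parse_version(version)
    if major != 1:
        return False
    rng = AFFECTED_PATCH_RANGES.get(minor)
    if rng is None:
        return False
    low, high = rng
    return patch >= low and (high is None or patch <= high)


def affected_nodes(nodes_json):
    """Return (node name, OS, kubeletVersion) for every node running an affected kubelet."""
    doc = json.loads(nodes_json)
    hits = []
    for item in doc.get("items", []):
        name = item["metadata"]["name"]
        info = item["status"]["nodeInfo"]
        version = info["kubeletVersion"]
        if is_affected(version):
            hits.append((name, info.get("operatingSystem", "unknown"), version))
    return hits


# Constructed sample of the shape `kubectl get nodes -o json` returns (not real nodes).
SAMPLE_NODES = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "win-node-1"},
     "status": {"nodeInfo": {"operatingSystem": "windows", "kubeletVersion": "v1.24.4"}}},
    {"metadata": {"name": "win-node-2"},
     "status": {"nodeInfo": {"operatingSystem": "windows", "kubeletVersion": "v1.25.0"}}},
    {"metadata": {"name": "linux-node-1"},
     "status": {"nodeInfo": {"operatingSystem": "linux", "kubeletVersion": "v1.22.13-eks-abc123"}}},
    {"metadata": {"name": "linux-node-2"},
     "status": {"nodeInfo": {"operatingSystem": "linux", "kubeletVersion": "v1.22.14"}}},
    {"metadata": {"name": "win-node-3"},
     "status": {"nodeInfo": {"operatingSystem": "windows", "kubeletVersion": "v1.21.14"}}},
]})


if __name__ == "__main__":
    # Pipe `kubectl get nodes -o json` into the script; otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NODES
    for node, os_name, version in affected_nodes(data):
        print(f"{node}\t{os_name}\t{version}\tAFFECTED")
```

Windows nodes are where the bug actually bites, since that is where Windows workloads run, but the script reports Linux nodes on affected kubelet versions as well so nothing is left behind in the upgrade plan.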
The Fix
But there is a simple fix: upgrade to a patched version. These are:
- kubelet v1.22.14
- kubelet v1.23.11
- kubelet v1.23.5
- kubelet v1.25.0
To pull this off, you’ll need to follow the instructions on how to upgrade a Kubernetes cluster.
That done, you can leave this worry aside and go back to doing your regularly scheduled battle with Kubernetes clusters.