Kubernetes v1.10.11, v1.11.5, and v1.12.3 have been released to address CVE-2018-1002105, a critical security issue present in all previous versions of the Kubernetes API Server. The issue is also addressed in the upcoming v1.13.0 release. We recommend all clusters running previous versions update to one of these releases immediately.
This vulnerability allows a specially crafted request to establish a connection through the Kubernetes API server to a backend server (such as an aggregated API server or a kubelet). Arbitrary requests can then be sent over that same connection directly to the backend, authenticated with the TLS credentials the Kubernetes API server used to establish the backend connection.
See Kubernetes issue #71411 for details.
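The fixed releases above are per minor line, so a naive "newer than 1.12.3" comparison misclassifies versions such as v1.11.4. The following Python check, added here as an example and not part of the advisory or the Kubernetes project, compares an API server's `gitVersion` (as reported under `serverVersion` in `kubectl version -o json`) against the release lines named above. The embedded JSON sample is constructed, not captured from a real cluster; any `-suffix` on a version (pre-release tags, and also vendor suffixes such as distribution build tags) is treated conservatively as ordering before the final release, so those cases report as unpatched and should be confirmed against the vendor's own advisory.

```python
"""Check a Kubernetes API server version against the fixed releases for CVE-2018-1002105."""
import json
import re

# Fixed releases named in the advisory, keyed by minor release line.
FIXED_RELEASES = {
    (1, 10): (1, 10, 11),
    (1, 11): (1, 11, 5),
    (1, 12): (1, 12, 3),
    (1, 13): (1, 13, 0),
}

# Accepts "v1.12.2", "1.12.2", "v1.13.0-beta.2" and optional "+build" metadata.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$")


def parse_version(gitversion):
    """Parse a gitVersion string into (major, minor, patch, is_final).

    is_final is 1 for a final release and 0 for anything carrying a '-suffix', so that
    plain tuple comparison orders a pre-release before its final release, as semver does.
    """
    m = _VERSION_RE.match(gitversion.strip())
    if not m:
        raise ValueError(f"unrecognised Kubernetes version string: {gitversion!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    is_final = 0 if m.group(4) else 1
    return (major, minor, patch, is_final)


def is_patched(gitversion):
    """Return True if this API server version contains the fix for CVE-2018-1002105."""
    major, minor, patch, is_final = parse_version(gitversion)
    line = (major, minor)
    fixed = FIXED_RELEASES.get(line)
    if fixed is None:
        # Lines older than 1.10 have no fixed release; lines after 1.13 were cut with the fix.
        return line > (1, 13)
    # The fixed release itself is a final release, hence the trailing 1.
    return (major, minor, patch, is_final) >= fixed + (1,)


def check_kubectl_version_json(text):
    """Take the JSON printed by `kubectl version -o json`; return (gitVersion, patched?)."""
    server = json.loads(text)["serverVersion"]
    version = server["gitVersion"]
    return version, is_patched(version)


# Constructed sample of `kubectl version -o json` output (not from a real cluster).
SAMPLE_KUBECTL_JSON = """
{
  "clientVersion": {"major": "1", "minor": "12", "gitVersion": "v1.12.3"},
  "serverVersion": {"major": "1", "minor": "12", "gitVersion": "v1.12.2"}
}
"""

if __name__ == "__main__":
    version, ok = check_kubectl_version_json(SAMPLE_KUBECTL_JSON)
    print(f"API server {version}: {'patched' if ok else 'VULNERABLE, upgrade required'}")
```

Pipe the real output of `kubectl version -o json` into `check_kubectl_version_json` to evaluate a live cluster; the function only reads `serverVersion.gitVersion`, since the client version is irrelevant to this server-side issue.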
Thanks to Darren Shepherd for reporting this problem. As a reminder, if you find a security vulnerability in Kubernetes, please report it following the security disclosure process.
Thanks,
Jordan Liggitt
(on behalf of the Kubernetes Product Security Team)