Hello Kubernetes Community-
A security issue was discovered in the following versions of kubernetes-csi projects:
- kubernetes-csi/external-attacher: v0.4.1 and older, v1.0.0 and older
- kubernetes-csi/external-provisioner: v0.4.1 and older, v1.0.0 and older
- kubernetes-csi/drivers (iscsi-only): v0.4.1 and older, v1.0.1 and older
The issue is Low severity; upgrading to the following versions is encouraged to fix it:
- kubernetes-csi/external-attacher: v0.4.2, v1.0.1
- kubernetes-csi/external-provisioner: v0.4.2, v1.0.1
- kubernetes-csi/drivers: v0.4.2, v1.0.2
Also note that kubernetes-csi/external-snapshotter, driver-registrar, livenessprobe, and sample nfs and hostpath drivers are not impacted by this issue.
Am I vulnerable?
You are vulnerable if all of the following are true:
- You have deployed a CSI driver in your cluster
- The container image is listed above as impacted
- The corresponding container log level is set to 5 or higher (this is not the default, but it was suggested in most docs)
- Your CSI driver uses any of the following StorageClass parameters:
How do I mitigate the vulnerability?
Update the affected containers’ log level to 4 or below by changing the container argument to
How do I upgrade?
Update the affected container images to released versions with the fix.
When kubernetes-csi sidecars or example drivers are run with log level 5 or higher, they log all CSI RPC requests and responses, including any secrets carried in those requests.
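As an added check (not part of the announcement or the kubernetes-csi projects), the script below audits a Pod spec against the two conditions above: an affected sidecar image version and a log level of 5 or higher. It assumes the sidecars take a klog-style `-v`/`--v` verbosity flag and that the image basenames are csi-attacher, csi-provisioner and iscsiplugin; adjust the table for your registry.

```python
import re

# Fixed versions per major line, from the announcement (v0.x and v1.x).
# Image basenames are an assumption: map your registry's names here.
FIXED = {
    "csi-attacher":    {0: (0, 4, 2), 1: (1, 0, 1)},  # kubernetes-csi/external-attacher
    "csi-provisioner": {0: (0, 4, 2), 1: (1, 0, 1)},  # kubernetes-csi/external-provisioner
    "iscsiplugin":     {0: (0, 4, 2), 1: (1, 0, 2)},  # kubernetes-csi/drivers (iscsi)
}
_VER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def image_affected(image):
    """True if `image` is a listed sidecar at a version older than the fix."""
    repo, _, tag = image.rpartition(":")
    name = repo.rsplit("/", 1)[-1]
    m = _VER.match(tag)
    if name not in FIXED or not m:
        return False  # unknown image or non-semver tag: not decidable here
    ver = tuple(int(x) for x in m.groups())
    fixed = FIXED[name].get(ver[0])
    return fixed is not None and ver < fixed


def log_level(args):
    """Verbosity from `-v=N`, `--v=N`, `-v N` or `--v N`; None if not set."""
    level = None
    for i, arg in enumerate(args):
        m = re.match(r"^--?v(?:=(\d+))?$", arg)
        if not m:
            continue
        if m.group(1) is not None:
            level = int(m.group(1))
        elif i + 1 < len(args) and args[i + 1].isdigit():
            level = int(args[i + 1])
    return level  # last occurrence wins, as with repeated flags


def audit_pod(pod):
    """Return (container, image, level) for affected sidecars logging at v>=5."""
    findings = []
    for c in pod["spec"]["containers"]:
        args = c.get("command", []) + c.get("args", [])
        level = log_level(args)
        if image_affected(c["image"]) and level is not None and level >= 5:
            findings.append((c["name"], c["image"], level))
    return findings


SAMPLE_POD = {"spec": {"containers": [  # constructed sample, not a real deployment
    {"name": "csi-provisioner", "image": "quay.io/k8scsi/csi-provisioner:v1.0.0",
     "args": ["--v=5", "--csi-address=/csi/csi.sock"]},
    {"name": "csi-attacher", "image": "quay.io/k8scsi/csi-attacher:v1.0.1",
     "args": ["-v", "5"]},   # fixed version: verbose, but not affected
    {"name": "iscsi", "image": "quay.io/k8scsi/iscsiplugin:v0.4.1",
     "args": ["--v=4"]},     # affected version, but log level below 5
]}}
```

Feed it the `spec` of each Pod running your CSI driver (for example from `kubectl get pod -o json`); only the first sample container is reported.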
Please note that this announcement only pertains to the projects maintained by the kubernetes-csi organization. Individual CSI driver vendors should evaluate whether they have similar issues, especially when using the csiNodePublishSecretName StorageClass parameters.
Michelle Au on behalf of Kubernetes SIG Storage