Security release of kubernetes-csi projects

Hello Kubernetes Community-

A security issue was discovered in the following versions of kubernetes-csi projects:

  • kubernetes-csi/external-attacher: v0.4.1 and older, v1.0.0 and older
  • kubernetes-csi/external-provisioner: v0.4.1 and older, v1.0.0 and older
  • kubernetes-csi/drivers (iscsi-only): v0.4.1 and older, v1.0.1 and older

The issue is Low severity and upgrading to the following versions is encouraged to fix this issue:

  • kubernetes-csi/external-attacher: v0.4.2, v1.0.1
  • kubernetes-csi/external-provisioner: v0.4.2, v1.0.1
  • kubernetes-csi/drivers: v0.4.2, v1.0.2

Also note that kubernetes-csi/external-snapshotter, driver-registrar, livenessprobe, and sample nfs and hostpath drivers are not impacted by this issue.

Am I vulnerable?

You are vulnerable if all of the following are true:

  • You have deployed a CSI driver in your cluster
  • The container image is listed above as impacted
  • The corresponding container log level is set to 5 or higher (this is not the default but was a suggestion in most docs)
  • Your CSI driver uses any of the following StorageClass parameters:
    • csiControllerPublishSecretName
    • csiProvisionerSecretName
    • csiNodeStageSecretName
    • csiNodePublishSecretName

How to I mitigate the vulnerability?

Update the affected containers’ log level to 4 or below by changing the container argument to --v=4

How do I upgrade?

Update the affected container images to released versions with the fix.

Vulnerability Details

When kubernetes-csi sidecars or example drivers are run with log level 5 or higher, it will log all CSI RPC requests and responses, including any secrets specified.

Please note that this announcement only pertains to the projects maintained by the kubernetes-csi organization. Individual CSI driver vendors should evaluate if they may have similar issues, especially when using the csiNodeStageSecretName and csiNodePublishSecretName StorageClass parameters.

Thank you to Michelle Au, Dong Liu, Patrick Ohly, Luis Pabón, and Jose Rivera for the coordination is making this release.

Thank You,

Michelle Au on behalf of Kubernetes SIG Storage