Security release of minikube v0.30.0 - CVE-2018-1002103


#1

A security issue was discovered in minikube versions v0.29.0 or older. The issue is Critical and upgrading to v0.30.0 of minikube is encouraged to fix this issue.

(copied from kubernetes-security-announce thread)

Am I vulnerable?

Run minikube version and if it says v0.29.0 or older you are running a vulnerable version.

How can I mitigate the issue?

Disable the dashboard on minikube:

kubectl --namespace kube-system delete deployment kubernetes-dashboard

How do I upgrade?

Follow the installation instructions at https://github.com/kubernetes/minikube/releases/tag/v0.30.0

Vulnerability Details

With minikube v0.29.0 or older, a malicious website could use DNS rebinding to gain administrative access to the Kubernetes Dashboard, and the Kubernetes API as a whole. This could lead to full root privileges on the minikube VM.

This issue is filed as CVE-2018-1002103. See the GitHub issue for more details.

Thank you

Thank you to Alex Kaskasoli, Thomas Strömberg, and Dan Lorenc for the coordination in making this release.

Thank You,

Brandon on behalf of the Kubernetes Product Security Team
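
The "Am I vulnerable?" check above, scripted as an added example (not part of the original announcement or of minikube itself). The function names are hypothetical, and the script assumes `minikube version` prints a line of the form `minikube version: vX.Y.Z`; the comparison is numeric per component, so v0.9.x correctly sorts below v0.30.0.

```shell
#!/bin/sh
# Added example: classify a minikube version against the fixed release.
FIXED="0.30.0"   # first fixed release, per the advisory

# parse_version_output TEXT -> prints the vX.Y.Z token from `minikube version`
# output (assumed format: "minikube version: vX.Y.Z").
parse_version_output() {
    printf '%s\n' "$1" |
        sed -n 's/.*version: \(v[0-9][0-9.]*\).*/\1/p' | head -n 1
}

# is_vulnerable VERSION -> returns 0 if VERSION is older than FIXED,
# 1 if it is FIXED or newer, 2 if the string cannot be parsed.
is_vulnerable() {
    v=${1#v}                                  # strip the leading "v"
    case "$v" in
        ''|*[!0-9.]*|.*|*..*|*.) return 2 ;;  # not a plain dotted number
    esac
    old_ifs=$IFS; IFS=.
    set -- $v;     a1=${1:-0} a2=${2:-0} a3=${3:-0}
    set -- $FIXED; b1=$1 b2=$2 b3=$3
    IFS=$old_ifs
    # Compare major, minor, patch numerically (a string compare would
    # wrongly rank 0.9.1 above 0.30.0).
    for pair in "$a1:$b1" "$a2:$b2" "$a3:$b3"; do
        have=${pair%:*}; want=${pair#*:}
        [ "$have" -lt "$want" ] && return 0
        [ "$have" -gt "$want" ] && return 1
    done
    return 1                                  # equal to FIXED
}

# Check the local install only when invoked as: sh script.sh --check
if [ "${1:-}" = "--check" ]; then
    out=$(minikube version 2>/dev/null) || out=""
    ver=$(parse_version_output "$out")
    rc=0; is_vulnerable "$ver" || rc=$?
    case "$rc" in
        0) echo "VULNERABLE: $ver is older than v$FIXED; upgrade or delete the dashboard deployment" ;;
        1) echo "OK: $ver is v$FIXED or newer" ;;
        *) echo "UNKNOWN: could not read a version from 'minikube version'" ;;
    esac
fi
```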


#2