A security issue was discovered in minikube versions v0.29.0 or older. The issue is Critical and upgrading to v0.30.0 of minikube is encouraged to fix this issue.
Am I vulnerable?
minikube version and if it says v0.29.0 or older you are running a vulnerable version.
How can I mitigate the issue?
Disable the dashboard on minikube:
kubectl --namespace kube-system delete deployment kubernetes-dashboard
How do I upgrade?
Follow the installation instructions at https://github.com/kubernetes/minikube/releases/tag/v0.30.0
With minikube v0.29.0 or older a malicious website could use DNS rebinding to gain access to gain administrative access to the Kubernetes Dashboard, and the Kubernetes API as a whole. This could lead to full root privileges on the minikube VM.
This issue is filed as CVE-2018-1002103. See the GitHub issue for more details.
Thank you to Alex Kaskasoli, Thomas Strömberg, and Dan Lorenc for the coordination is making this release.
Brandon on behalf of the Kubernetes Product Security Team