K8s Privilege Escalation Flaw: Need For Service Automation | D2iQ

Dec 08, 2018

Andrew Hatfield


D2iQ has chosen to sunset DC/OS, with an end-of-life date of October 31, 2021. With D2iQ Kubernetes Platform (DKP), our customers get the same benefits provided by DC/OS and more, as well as access to the most impressive pace of innovation the technology world has ever seen.

Learn more about D2iQ Kubernetes Platform here.

A serious privilege escalation flaw (CVE-2018-1002105) was recently disclosed in the Kubernetes container orchestrator. The vulnerability allowed an attacker to take control of a Kubernetes cluster in ways that were extremely difficult to detect.

The flaw sat in the API server's proxying of connection-upgrade requests to backend servers such as aggregated API servers and kubelets (used for exec, attach and port-forward). When the backend rejected the upgrade, the API server left the connection open instead of closing it, and the caller could then send arbitrary requests over that connection. The backend saw those requests as coming from the API server's own credentials, so the attacker did not need to authenticate to it, and because the API server's audit log records only the original, authorized request, detection was challenging.

All earlier Kubernetes releases are vulnerable. Fixes have been released in v1.10.11, v1.11.5 and v1.12.3; anyone running an older patch level of those minor lines, or any release before v1.10, remains vulnerable and should upgrade.
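As an added example (not from the original post, and not Mesosphere/D2iQ code), here is a small Python check that reads the API server's version, as printed by `kubectl get --raw /version` or `kubectl version -o json`, and reports whether it is below the fixed releases listed above. The sample response is constructed; treating every release after the v1.12 line as fixed, and ignoring vendor and pre-release suffixes, are assumptions.

```python
import json
import re
import sys

# Lowest patched release per minor line, from the fix list quoted above
# (v1.10.11, v1.11.5, v1.12.3). Minor lines older than 1.10 received no fix.
FIXED_PATCH = {10: 11, 11: 5, 12: 3}
OLDEST_FIXED_MINOR = 10

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_git_version(git_version):
    """Turn a gitVersion string such as 'v1.11.4' or 'v1.12.2-gke.7' into
    (major, minor, patch). Vendor/pre-release suffixes are ignored (assumption);
    anything not starting with three dotted integers raises ValueError."""
    m = _VERSION_RE.match(git_version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % git_version)
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable(git_version):
    """True if an API server at this version predates the fixed releases.
    Assumption: every release after the v1.12 line (v1.13 and up) carries the fix."""
    major, minor, patch = parse_git_version(git_version)
    if major != 1:
        return major < 1                 # 0.x predates the fix; 2.x would not
    if minor < OLDEST_FIXED_MINOR:
        return True                      # no fixed release exists for this line
    fixed = FIXED_PATCH.get(minor)
    if fixed is None:
        return False                     # v1.13 and later: assumed fixed
    return patch < fixed


def assess(version_json):
    """Read the JSON from `kubectl get --raw /version` (a flat object) or
    `kubectl version -o json` (nested under 'serverVersion') and return
    (gitVersion, vulnerable, lowest fixed release in the same line or None).
    A None target means the whole minor line is unfixed and the cluster must
    move to v1.10.11 or later."""
    doc = json.loads(version_json)
    info = doc.get("serverVersion", doc)
    git_version = info["gitVersion"]
    major, minor, _patch = parse_git_version(git_version)
    fixed = FIXED_PATCH.get(minor) if major == 1 else None
    target = "v1.%d.%d" % (minor, fixed) if fixed is not None else None
    return git_version, is_vulnerable(git_version), target


# Constructed sample of a /version response from an unpatched v1.11 server.
SAMPLE_VERSION_RESPONSE = json.dumps({
    "major": "1", "minor": "11", "gitVersion": "v1.11.4",
    "gitCommit": "0000000000000000000000000000000000000000",
    "gitTreeState": "clean", "buildDate": "2018-10-01T00:00:00Z",
    "goVersion": "go1.10.3", "compiler": "gc", "platform": "linux/amd64",
})

if __name__ == "__main__":
    # Pipe real output in with "kubectl get --raw /version | python3 check.py -";
    # without the "-" argument the constructed sample is used.
    raw = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_VERSION_RESPONSE
    version, vulnerable, target = assess(raw)
    if vulnerable:
        print("%s is VULNERABLE; upgrade to %s" % (version, target or "v1.10.11 or later"))
    else:
        print("%s is at or above the fixed release" % version)
```

This checks only the API server, which is where the fix lives; node kubelet versions do not change the answer. Note that vendor builds that backport the fix under an older version string would be reported as vulnerable, so treat the result as a prompt to verify, not as proof.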

Mesosphere tested and shipped an update to our Kubernetes customers within 24 hours of the upstream patch release.  Through a simple click-button exercise, customers can upgrade with a public cloud-like experience.

The explosion of Kubernetes, and Open Source software adoption in general, has democratized and accelerated innovation like never before.

Organizations today rely on a vast and growing array of technologies, often from multiple vendors and communities.  While development processes may be similar, their approach to handling integration, user and system interaction, and security are not.

Accelerating innovation with Open Source projects requires a new way to manage risk

Many of the world-changing new services and customer experiences we enjoy today are powered by fast-moving open source projects. But while leveraging open source software accelerates innovation, it also shifts the risk to the organization. As highly respected community manager John Mark Walker writes, "Your Open Source Project Is Not A Product".

Organizations are shifting from buying and integrating a smaller number of commercial products to also leveraging a larger number of fast-moving Open Source projects. Larry Tesler argued in the Law of Conservation of Complexity that "every application has an inherent amount of complexity that cannot be hidden or removed. Instead it must be dealt with, either in product development or in user interaction."

Ideally, organizations should be able to automate operations of projects (or even commercial software) into services.  Service automation encompasses the full lifecycle and interactions of software for its users - it is not simply managing configuration files and versions, or programmatic infrastructure provisioning. 

Being able to easily select, deploy, operate, upgrade and retire software, understand its health status and ensure idempotency is what defines service automation.

Service automation is core to Mesosphere's approach.  Mesosphere Kubernetes Engine (MKE), enabled by DC/OS (distributed cloud operating system), delivers full service automation without the need for additional tools. But our service automation capabilities go far beyond Kubernetes, to include Fast Data Services and Data Science Services on datacenter, public cloud and edge infrastructures.

Service automation is central to how Mesosphere is working to deliver on our Mission, to "Make it insanely easy to build and scale world-changing technology." It is also what enables technology leaders like Wesley Mukai, GE Transportation's Digital Solutions CTO, to rapidly roll-out and operate portable environments that support containerized and Java EE applications.

To learn more about Mesosphere Kubernetes Engine and Service Automation talk to us today.