How to patch the recent Kubernetes vulnerability (CVE-2018-1002105) in Nutanix Karbon


Userlevel 2
Badge
Note: Nutanix Karbon is on Technical Preview so it should not be used on production. The steps on this guide may impact the existing running containers.

This post covers how to patch the recent Kubernetes vulnerability (https://github.com/kubernetes/kubernetes/issues/71411). The version used as an example in this post is Kubernetes version 1.10.3, this is the only version tested but it should work on the same way for any of the other Kubernetes versions available in Karbon.

Note: the SSH password is the known standard for Nutanix CVM

1. Gather the IP address for your Kubernetes nodes:
code:
kubectl get nodes -o yaml | grep address 

Output:
code:
   addresses: 
- address: 10.10.56.174
- address: security-e8316c-k8s-master-0
addresses:
- address: 10.10.56.150
- address: security-e8316c-k8s-worker-0

2. Connect to the master node and run the commands (change the IP address with yours):
code:
ssh root@10.10.56.174 


code:
sed -i 's/hyperkube:v1.10.3/hyperkube:v1.10.11/g' /etc/kubernetes/manifests/kube-apiserver.yaml /etc/systemd/system/kubelet-master.service 


code:
systemctl daemon-reload && systemctl restart kubelet-master 

3. Check Kubernetes master has been upgraded as well as the kubectl client.
code:
kubectl version 

Output:
code:
	Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.11",  
Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.11",

4. Connect to the worker(s) and run the command (change the IP address with yours):
code:
ssh root@10.10.56.150 


code:
sed -i 's/hyperkube:v1.10.3/hyperkube:v1.10.11/g' /etc/systemd/system/kubelet-worker.service 


code:
systemctl daemon-reload && systemctl restart kubelet-worker 

5. Check all the nodes have been patched (version must be 1.10.11 now)
code:
kubectl get nodes 

Output:
code:
NAME                          STATUS   ROLES    AGE      VERSION 
security-e8316c-k8s-master-0 Ready master 42m v1.10.11
security-e8316c-k8s-worker-0 Ready node 39m v1.10.11


If you face any issue please do not hesitate to post your comments below.

0 replies

Be the first to reply!

Reply