A note on CVE-2019-11247

Two weeks ago a patch for Kubernetes vulnerability CVE-2019-11247 was released for K8s 1.13, 1.14 and 1.15. Unfortunately, as of writing, clusters running older K8s versions (like our kops-based 1.11 clusters) are still vulnerable.

In short, this vulnerability allows users access to cluster-wide custom resources (CRDs) as if they were namespaced. This means that when you grant access in your namespaced Roles with resources: [*], apiGroups: [*], users holding these Roles can also access CRDs! Please make sure to always follow the best practice of explicitly granting the least amount of privileges. See the CVE-2019-11247 issue and the RBAC documentation for more details.
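The following is an added example, not code from the original note: a small audit script that walks a RoleList (the shape kubectl get roles --all-namespaces -o json returns) and reports every namespaced Role containing a rule with both apiGroups: ["*"] and resources: ["*"], i.e. exactly the grants the paragraph above warns about. The two Roles embedded in it are constructed sample input: one over-broad Role and one least-privilege Role written the way the paragraph recommends. No real cluster data is used, and the role and namespace names are invented.

```python
"""Audit Kubernetes Role manifests for wildcard (apiGroups + resources) grants.

Input mirrors the JSON emitted by `kubectl get roles --all-namespaces -o json`:
a RoleList whose "items" are Role objects. Everything below is constructed
sample data for illustration, not output from a real cluster.
"""
import json

# Constructed sample input: one over-broad Role, one least-privilege Role.
SAMPLE_ROLE_LIST = json.dumps({
    "kind": "RoleList",
    "items": [
        {
            "kind": "Role",
            "metadata": {"name": "team-admin", "namespace": "team-a"},
            # Wildcard rule: grants every resource in every API group,
            # including custom resources, within the namespace.
            "rules": [
                {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
            ],
        },
        {
            "kind": "Role",
            "metadata": {"name": "deploy-reader", "namespace": "team-b"},
            # Explicit, least-privilege rules: named groups, named resources,
            # only the verbs actually needed.
            "rules": [
                {"apiGroups": ["apps"], "resources": ["deployments"],
                 "verbs": ["get", "list", "watch"]},
                {"apiGroups": [""], "resources": ["pods"],
                 "verbs": ["get", "list"]},
            ],
        },
    ],
})


def rule_is_wildcard(rule):
    """True when a single RBAC rule covers every resource of every API group.

    A rule needs "*" in both lists to reach arbitrary custom resources:
    apiGroups: ["*"] with a named resource only matches that resource, and a
    named apiGroup with resources: ["*"] stays confined to that group.
    """
    return "*" in rule.get("apiGroups", []) and "*" in rule.get("resources", [])


def find_wildcard_roles(role_list_json):
    """Return (namespace, name) for each Role holding at least one wildcard rule.

    Only objects of kind Role are considered; ClusterRoles are out of scope for
    this check because they are cluster-wide by design.
    """
    role_list = json.loads(role_list_json)
    findings = []
    for item in role_list.get("items", []):
        if item.get("kind") != "Role":
            continue
        meta = item.get("metadata", {})
        if any(rule_is_wildcard(rule) for rule in item.get("rules", [])):
            findings.append((meta.get("namespace", ""), meta.get("name", "")))
    return findings


if __name__ == "__main__":
    # Stand-alone usage: pipe real `kubectl ... -o json` output into this
    # function instead of the constructed sample to audit your own clusters.
    for namespace, name in find_wildcard_roles(SAMPLE_ROLE_LIST):
        print(f"wildcard grant: namespace={namespace} role={name}")
```

In a real audit, replace SAMPLE_ROLE_LIST with the output of the kubectl command named in the docstring; every Role the script lists is one where the CRD exposure described above applies and which should be rewritten with explicit apiGroups and resources.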

We’ve checked all clusters we manage, and currently no such Roles are defined. Furthermore we’ve updated our documentation to raise awareness of the vulnerability.

We’ll keep following up on this vulnerability and update if/when patches get released (for our kops-based clusters).

Our EKS-based clusters have been automatically patched by AWS and are thus not vulnerable.