Update kube-dns to 1.14.5 for CVE-2017-14491 #3511
Conversation
Hi @mikesplain. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with `/ok-to-test`. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/assign @justinsb
/ok-to-test
We can also provide information on how to patch the file in s3 as a work around.
Great thanks @chrislovecnm
/lgtm cancel
I missed telling you that we need https://github.com/kubernetes/kops/blob/master/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go#L119 updated for channels to bump the version.
Oh yeah good call, these too @chrislovecnm? https://github.com/kubernetes/kops/blob/master/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/kopeio-vxlan/manifest.yaml
@mikesplain how have you tested these changes on AWS?
@chrislovecnm Not yet, was about to spin up a cluster with it.
/lgtm
/lgtm cancel I really need caffeine
730c028 to fbb583d (Compare): Squashed
BTW the "hotfix" command for an existing cluster is:
Edit from @chrislovecnm ... we are missing a command. See comment below
@mikesplain we also have:
```yaml
- name: sidecar
  image: gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.4
```
Need to bump that as well
fbb583d to db995fc (Compare)
@chrislovecnm Ahh sorry about that, wasn't sure if that was different. Pushed and resquashed.
Here is the command to update all images including sidecar:
```
$ kubectl set image deployment/kube-dns -n kube-system \
    kubedns=gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.5 \
    dnsmasq=gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.5 \
    sidecar=gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.5
```
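A verification step to pair with the image bump above, added here as an example and not code from this PR or from kops: a POSIX shell script that takes the kube-dns deployment's container list as `name=image` lines and reports every container whose tag is older than the fixed 1.14.5 release, so an operator can confirm the hotfix reached all three containers, sidecar included. The `kubectl get ... -o jsonpath` query in the comments is the assumed way to produce that input on a real cluster; the sample embedded below is constructed for offline use, not captured from a cluster. The version comparison is numeric per component, so it also handles tags with a different number of fields (for example `1.9`).

```shell
#!/bin/sh
# Added example (not from the PR or kops): flag kube-dns containers whose image
# tag predates the fixed release 1.14.5.
# Input lines look like "container=image:tag". On a live cluster they would be
# obtained (assumed query) with:
#   kubectl get deployment kube-dns -n kube-system \
#     -o jsonpath='{range .spec.template.spec.containers[*]}{.name}={.image}{"\n"}{end}'

FIXED_VERSION="1.14.5"

# Constructed sample: a cluster still running the 1.14.4 images, sidecar included.
SAMPLE_CONTAINERS='kubedns=gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.4
dnsmasq=gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.4
sidecar=gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.4'

# version_lt A B: succeed (exit 0) when dotted version A is strictly older than B.
# Components are compared numerically; missing trailing components count as 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1;
    }'
}

# image_tag IMAGE: print the tag of an image reference, or nothing if untagged.
# Only the part after the last "/" is inspected, so a registry port such as
# "registry:5000/..." is not mistaken for a tag.
image_tag() {
    last="${1##*/}"
    case "$last" in
        *:*) printf '%s\n' "${last##*:}" ;;
        *)   printf '\n' ;;
    esac
}

# outdated_containers: read "name=image" lines on stdin and print "name image"
# for each container whose tag is older than FIXED_VERSION or missing entirely
# (an untagged image resolves to :latest at pull time, so it is reported too).
outdated_containers() {
    while IFS='=' read -r name image; do
        [ -n "$name" ] || continue
        tag="$(image_tag "$image")"
        tag="${tag#v}"
        if [ -z "$tag" ] || version_lt "$tag" "$FIXED_VERSION"; then
            printf '%s %s\n' "$name" "$image"
        fi
    done
}

# count_outdated CONTAINERS: number of flagged containers in a multi-line string.
count_outdated() {
    printf '%s\n' "$1" | outdated_containers | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample. With a real cluster, pipe the
# kubectl jsonpath output into outdated_containers instead.
printf '%s\n' "$SAMPLE_CONTAINERS" | outdated_containers
```

Run over the constructed sample it lists all three containers; after the `kubectl set image` command above has been applied the same query should produce no output, which is the condition to check before calling the cluster patched.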
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: chrislovecnm
/test all [submit-queue is verifying that this PR is safe to merge]
Automatic merge from submit-queue.
Automatic merge from submit-queue. Cherry Pick of 3511: Update kube-dns to 1.14.5 for CVE-2017-14491
Backport of #3511, #3513, #3538 to 1.7.
Testing:
- [x] 1.7.2
- [x] 1.6.6
- [x] 1.5.7
- [x] 1.4.12
As described: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
Not sure if it'd be possible to cut a new 1.7 release with this or something to give people a quick fix.
Current work around would be to manually update the addons in s3. For those who may reference this, simply upgrading to 1.7.7 will not fix this in kops.
Edit ~ @chrislovecnm: Please see #3512 for more information on how to address these concerns with current kops releases. We are still in the process of testing this release of kube-dns, which is a very critical component of kubernetes.