
Update kube-dns to 1.14.5 for CVE-2017-14491 #3511

Merged


mikesplain
Contributor

@mikesplain mikesplain commented Oct 2, 2017

As described: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

Not sure if it'd be possible to cut a new 1.7 release with this or something to give people a quick fix.

Current workaround would be to manually update the addons in s3. For those who may reference this, simply upgrading to 1.7.7 will not fix this in kops.

Edit

~ @chrislovecnm

Please see #3512 for more information on how to address these concerns with current kops releases. We are still in the process of testing this release of kube-dns, which is a very critical component of kubernetes.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Oct 2, 2017
@k8s-ci-robot
Contributor

Hi @mikesplain. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Oct 2, 2017
@mikesplain
Contributor Author

/assign @justinsb

@chrislovecnm
Contributor

/ok-to-test
/lgtm

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 2, 2017
@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 2, 2017
@chrislovecnm
Contributor

We can also provide information on how to patch the file in s3 as a workaround.

@mikesplain
Contributor Author

mikesplain commented Oct 2, 2017

Great thanks @chrislovecnm

@chrislovecnm
Contributor

/lgtm cancel

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 2, 2017
@k8s-github-robot k8s-github-robot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 2, 2017
@chrislovecnm
Contributor

I missed telling you that we need https://github.com/kubernetes/kops/blob/master/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go#L119 updated for channels to bump the version.

@mikesplain
Contributor Author

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Oct 2, 2017
@chrislovecnm
Contributor

@mikesplain how have you tested these changes on AWS?

@mikesplain
Contributor Author

@chrislovecnm Not yet, was about to spin up a cluster with it.

@chrislovecnm
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 2, 2017
@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 2, 2017
@chrislovecnm
Contributor

/lgtm cancel

I really need caffeine

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 2, 2017
@k8s-github-robot k8s-github-robot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 2, 2017
@mikesplain mikesplain force-pushed the update_kube_dns_to_1.14.5 branch from 730c028 to fbb583d on October 2, 2017 15:57
@mikesplain
Contributor Author

Squashed

@justinsb
Member

justinsb commented Oct 2, 2017

BTW the "hotfix" command for an existing cluster is:

kubectl set image deployment/kube-dns -n kube-system kubedns=gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.5 dnsmasq=gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.5

Edit from @chrislovecnm ... we are missing a command. See comment below.

@chrislovecnm
Contributor

chrislovecnm commented Oct 2, 2017

@mikesplain we also have

      - name: sidecar
        image: gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.4

Need to bump that as well

@mikesplain mikesplain force-pushed the update_kube_dns_to_1.14.5 branch from fbb583d to db995fc on October 2, 2017 16:14
@mikesplain
Contributor Author

@chrislovecnm Ahh sorry about that, wasn't sure if that was different. Pushed and resquashed.

@chrislovecnm
Contributor

chrislovecnm commented Oct 2, 2017

Here is the command to update all images including sidecar:

$ kubectl set image deployment/kube-dns -n kube-system kubedns=gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.5 dnsmasq=gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.5 sidecar=gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.5
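
The two hotfix commands in this thread differ only by the sidecar container, which is easy to miss by hand. The following added example, not code from this PR or from kops, audits the image tags of the kube-dns deployment and generates the complete `kubectl set image` command for whichever containers are still old. It assumes the kube-dns 1.14.x container names kubedns, dnsmasq and sidecar, and runs here on a constructed sample rather than a live cluster.

```shell
# Added example, not code from the kops PR or the kops project: audit the
# container images of the kube-dns deployment and print the complete
# `kubectl set image` hotfix for every container still below the fixed tag.
# Assumes the kube-dns 1.14.x container names: kubedns, dnsmasq, sidecar.

FIXED_TAG="1.14.5"

# Returns 0 when dotted version $1 is strictly lower than $2 (pure POSIX sh).
version_lt() {
  a="$1."; b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; a="${a#*.}"
    y="${b%%.*}"; b="${b#*.}"
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
  done
  return 1
}

# Reads "name=repo:tag" lines on stdin; prints "name=repo:FIXED_TAG" for each
# container whose tag is older than FIXED_TAG, preserving input order.
outdated_images() {
  while IFS='=' read -r name image; do
    [ -n "$name" ] || continue
    repo="${image%:*}"; tag="${image##*:}"
    if version_lt "$tag" "$FIXED_TAG"; then
      printf '%s=%s:%s\n' "$name" "$repo" "$FIXED_TAG"
    fi
  done
}

# Builds the single kubectl command; prints nothing when every image is current.
hotfix_command() {
  args=$(outdated_images | tr '\n' ' ')
  if [ -n "$args" ]; then
    printf 'kubectl set image deployment/kube-dns -n kube-system %s\n' "${args% }"
  fi
}

# Constructed sample: kubedns and dnsmasq were already bumped with the shorter
# command from the thread, but the sidecar container was missed.
SAMPLE='kubedns=gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.5
dnsmasq=gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.5
sidecar=gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.4'

# Against a live cluster, replace the sample with:
#   kubectl get deploy kube-dns -n kube-system \
#     -o jsonpath='{range .spec.template.spec.containers[*]}{.name}={.image}{"\n"}{end}'
printf '%s\n' "$SAMPLE" | hotfix_command
```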

@chrislovecnm
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 2, 2017
@k8s-github-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chrislovecnm

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 2, 2017
@k8s-github-robot

/test all [submit-queue is verifying that this PR is safe to merge]

@k8s-github-robot

Automatic merge from submit-queue.

@k8s-github-robot k8s-github-robot merged commit 6ea6e3a into kubernetes:master Oct 2, 2017
k8s-github-robot pushed a commit that referenced this pull request Oct 9, 2017
Automatic merge from submit-queue.

Cherry Pick of 3511: Update kube-dns to 1.14.5 for CVE-2017-14491

Backport of #3511, #3513, #3538 to 1.7.

Testing:

- [x] 1.7.2
- [x] 1.6.6
- [x] 1.5.7
- [x] 1.4.12
@mikesplain mikesplain deleted the update_kube_dns_to_1.14.5 branch October 9, 2017 18:45