How Symlinks Pwned Kubernetes (And How We Fixed It)
Ever wonder how Kubernetes deals with security vulnerabilities? This talk illustrates the process by walking through the discovery, patching, and disclosure of CVE-2017-1002101. In Nov 2017, we recei …
| Talk Title | How Symlinks Pwned Kubernetes (And How We Fixed It) |
| Speakers | Michelle Au (Software Engineer, Google), Jan Šafránek (Principal Software Engineer, Red Hat) |
| Conference | KubeCon + CloudNativeCon North America |
| Conf Tag | |
| Location | Seattle, WA, USA |
| Date | Dec 9-14, 2018 |
| URL | Talk Page |
| Slides | Talk Slides |
| Video | |
Ever wonder how Kubernetes deals with security vulnerabilities? This talk illustrates the process by walking through the discovery, patching, and disclosure of CVE-2017-1002101. In Nov 2017, we received a report about how misusing the volume subpath feature could result in access to host files. A team was assembled to investigate the vulnerability, develop a patch, and release it to all supported versions of Kubernetes – ALL in secret. As we walk through the story from discovery to disclosure, we will also deep dive into the technical details of how this feature allowed a container to escape to the host filesystem, and how it was fixed. You will walk away with techniques for secure file handling in multi-tenant environments, best practices for restricting volume access in your Kubernetes clusters, and an understanding of how a large open source project manages security issues.
