A new bug has been discovered in Kubernetes that could allow Windows workloads to run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true.
The bug, tracked as CVE-2021-25749, allowed Windows workloads to run as ContainerAdministrator inside their containers even when the runAsNonRoot option was set to true.
Attempts to exploit it can be spotted by checking your Kubernetes audit logs for misspelled user names; these may be evidence of someone trying to bypass the pod's user restriction.
The bug has a CVSS score of 3.8. Still, Red Hat's security team notes that both its attack complexity and the privileges required to exploit it are high.
There is no workaround other than upgrading. The bug affects the following kubelet versions:
- kubelet v1.20 – v1.21
- kubelet v1.22.0 – v1.22.13
- kubelet v1.23.0 – v1.23.10
- kubelet v1.24.0 – v1.24.4
Upgrade to one of the fixed versions:
- kubelet v1.22.14
- kubelet v1.23.11
- kubelet v1.23.5
- kubelet v1.25.0
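The audit-log check the article recommends, as an added example that is not part of the original article: it reads Kubernetes audit events as JSON lines and flags pod create/update/patch requests that combine runAsNonRoot with a Windows runAsUserName that is a case variant or near-miss of ContainerAdministrator. Field names follow the Kubernetes audit Event and PodSpec schemas; the sample events and the 0.85 similarity threshold are constructed assumptions.

```python
import json
from difflib import SequenceMatcher
TARGET = "ContainerAdministrator"

def suspicious_name(name):
    """True when `name` is not the exact admin account but a case variant or
    near-miss of it: the misspelling pattern the article says to look for."""
    return name != TARGET and SequenceMatcher(None, name.lower(), TARGET.lower()).ratio() >= 0.85

def windows_users(spec):
    """Yield (scope, runAsUserName, effective runAsNonRoot) for the pod-level and
    every container-level windowsOptions block; container settings override pod ones."""
    pod_sc = spec.get("securityContext", {})
    pod_nonroot = pod_sc.get("runAsNonRoot", False)
    name = pod_sc.get("windowsOptions", {}).get("runAsUserName")
    if name:
        yield "pod", name, pod_nonroot
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = sc.get("windowsOptions", {}).get("runAsUserName")
        if name:
            yield c.get("name", "?"), name, sc.get("runAsNonRoot", pod_nonroot)

def scan_audit(lines):
    """Return one finding per pod create/update/patch audit event that requests
    runAsNonRoot together with a suspicious Windows runAsUserName."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "pods" or ev.get("verb") not in ("create", "update", "patch"):
            continue
        spec = ev.get("requestObject", {}).get("spec", {})
        for scope, name, nonroot in windows_users(spec):
            if nonroot and suspicious_name(name):
                findings.append({"namespace": ref.get("namespace"), "pod": ref.get("name"), "scope": scope,
                                 "runAsUserName": name, "requestor": ev.get("user", {}).get("username")})
    return findings
# Constructed sample audit events (JSON lines), not real cluster data.
def _event(user, pod, spec):
    return json.dumps({"kind": "Event", "verb": "create", "user": {"username": user},
                       "objectRef": {"resource": "pods", "namespace": "win", "name": pod},
                       "requestObject": {"spec": spec}})

SAMPLE_LINES = [
    _event("ci-bot", "web", {"securityContext": {"runAsNonRoot": True, "windowsOptions":
           {"runAsUserName": "ContainerUser"}}, "containers": [{"name": "web"}]}),
    _event("dev-x", "job1", {"securityContext": {"runAsNonRoot": True, "windowsOptions":
           {"runAsUserName": "containeradministrator"}}, "containers": [{"name": "job"}]}),
    _event("dev-y", "job2", {"containers": [{"name": "job", "securityContext": {"runAsNonRoot": True,
           "windowsOptions": {"runAsUserName": "ContainerAdminstrator"}}}]}),
]
```

Running `scan_audit` over a real audit log yields a finding per request, with the requesting user so the event can be triaged; the exact-spelling case is deliberately not flagged because it is rejected by the runAsNonRoot check itself.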