The first Kubernetes security flaw has been discovered

Kubernetes has become the most popular cloud container system, so it was really only a matter of time before its first major bug was discovered.

And so it has happened: the first major security problem in Kubernetes was recently published under CVE-2018-1002105, better known as the privilege escalation flaw.

This Kubernetes flaw is serious, since it carries a CVSS severity score of 9.8, which makes it the first major Kubernetes security problem.

Description of the flaw

With a specially crafted network request, any user can establish a connection through the Kubernetes application programming interface (API) server to a backend server.

Once that connection is established, an attacker can send arbitrary requests over it directly to the backend, which is the real target.

These requests are authenticated with the TLS (Transport Layer Security) credentials of the Kubernetes API server itself.

Worse still, in the default configuration, all users (authenticated or not) can make the API discovery calls that allow an attacker to perform this privilege escalation.

So anyone who knows about this hole can use it to take control of the Kubernetes cluster.

At present there is no simple way to detect whether this vulnerability has been exploited in the past.

Because the unauthorized requests are made over an already established connection, they do not appear in the Kubernetes API server audit logs or server logs.

The requests do appear in the kubelet or aggregated API server logs, but they cannot be distinguished from correctly authorized requests proxied through the Kubernetes API server.

Abusing this new Kubernetes vulnerability therefore leaves no visible traces in the logs, so now that the Kubernetes bug has been made public, it is only a matter of time before it is exploited.

In short, Red Hat says:

The privilege escalation flaw allows any unauthorized user to gain full administrator privileges on any compute node running in a Kubernetes pod.

This is not just theft or an opening to inject malicious code; it can also bring down applications and production services within an organization's firewall.

Any program, including Kubernetes, has vulnerabilities. Kubernetes distributors are already releasing fixes.

Red Hat reports that all of its Kubernetes-based products and services, including Red Hat OpenShift Container Platform, Red Hat OpenShift Online and Red Hat OpenShift Dedicated, are affected.

Red Hat has begun delivering patches and service updates to affected users.

As far as is known, nobody has yet used this security flaw in an attack. Darren Shepard, chief architect and co-founder of Rancher Labs, discovered the bug and reported it through the Kubernetes vulnerability reporting process.

How is this bug fixed?

Fortunately, a fix for this bug has already been released. All that is required is to upgrade Kubernetes, choosing one of the patched Kubernetes versions: v1.10.11, v1.11.5, v1.12.3 or v1.13.0-RC.1.

So if you are still running any Kubernetes version from v1.0.x to v1.9.x, you are advised to upgrade to a patched version.

If for some reason you cannot update Kubernetes and want to block this flaw, you must do the following.

You should stop using the API server aggregation extensions, or remove exec/attach permissions from users who should not have full access to the kubelet API.

Jordan Liggitt, the Google engineer who fixed the bug, said that these measures would likely be disruptive.

So the only real solution to this security flaw is to apply the Kubernetes update properly.
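To triage clusters against the version list above, here is an added Python example (not from the article, Kubernetes or Red Hat) that classifies a server gitVersion, as printed by `kubectl version -o json`, as patched, vulnerable (a fix exists on that minor line) or unsupported (the 1.0-1.9 lines, for which no fix was issued); the JSON sample is constructed.

```python
import json
import re

# First patch level on each minor line that carries the CVE-2018-1002105 fix,
# as listed in the advisory: v1.10.11, v1.11.5, v1.12.3 and v1.13.0-rc.1.
PATCHED = {(1, 10): 11, (1, 11): 5, (1, 12): 3, (1, 13): 0}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(version):
    """Split a gitVersion such as 'v1.12.2' or 'v1.13.0-rc.1' into
    (major, minor, patch, prerelease); prerelease is None when absent."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised Kubernetes version: %r" % version)
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4)


def assess(version):
    """Return 'patched', 'vulnerable' (upgrade within this minor line) or
    'unsupported' (1.0-1.9: no fix exists, move to a patched line)."""
    major, minor, patch, pre = parse_version(version)
    if (major, minor) > (1, 13):
        return "patched"          # newer than any line named in the advisory
    if (major, minor) not in PATCHED:
        return "unsupported"
    fixed_patch = PATCHED[(major, minor)]
    if patch != fixed_patch:
        return "patched" if patch > fixed_patch else "vulnerable"
    # Exactly the fixed patch level. On 1.13 the fix landed in 1.13.0-rc.1, so
    # earlier alpha/beta pre-releases of 1.13.0 are still reported vulnerable.
    if (major, minor) == (1, 13) and pre and not pre.lower().startswith("rc"):
        return "vulnerable"
    return "patched"


def assess_kubectl_json(text):
    """Assess the serverVersion.gitVersion field of `kubectl version -o json`."""
    return assess(json.loads(text)["serverVersion"]["gitVersion"])


# Constructed sample of `kubectl version -o json` output (not from a real cluster).
SAMPLE_KUBECTL_JSON = ('{"clientVersion": {"gitVersion": "v1.13.0"}, '
                       '"serverVersion": {"gitVersion": "v1.12.2"}}')

if __name__ == "__main__":
    for v in ("v1.9.11", "v1.10.11", "v1.12.2", "v1.13.0-beta.2", "v1.13.0-rc.1"):
        print(v, "->", assess(v))
    print("sample cluster ->", assess_kubectl_json(SAMPLE_KUBECTL_JSON))
```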
