IiKubernetes ziyeyona nkqubo idumileyo yamafu. Ke ngokwenene yayingumcimbi nje wexesha de kwafunyanwa isiphoso sakhe sokuqala sokhuseleko.
Kwaye ke, kuba kutsha nje Isiphene sokuqala sokhuseleko eKubernetes sikhutshwe phantsi kweCVE-2018-1002105, ikwabizwa ngokuba lilungelo lokunyuka okwenyukayo.
Esi siphoso esikhulu eKubernetes yingxaki njengoko ibaluleke kakhulu kumngxunya wokhuseleko weCVSS 9.8. Kwimeko yesiphene sokuqala sokhuseleko esikhulu seKubernetes.
Iinkcukacha zempazamo
Ngenethiwekhi yesicelo eyilelwe ngokukodwa, nawuphi na umsebenzisi unokuseka unxibelelwano nge ukusuka kwisicelo senkqubo yomncedisi wenkqubo (API) Kubernetes kwiserver backend.
Nje ukuba kusekwe, umhlaseli angathumela izicelo ezingenangqondo kunxibelelwano lwenethiwekhi ngqo kuloo mva ungasemva Ngamaxesha onke injongo kukuba iserver.
Ezi zicelo zingqinisisiwe kunye neenkcukacha ze-TLS (Ukhuseleko loLuhlu lwezoThutho) kwiseva ye-Kubernetes API.
Okubi nangakumbi, kuqwalaselo olungagqibekanga, bonke abasebenzisi (abangqinisisiweyo okanye hayi) banokuqhuba iifowuni zokufumanisa ze-API ezivumela eli lungelo kunyuka komhlaseli.
Ngayo ke, nabani na owaziyo loo mngxunya angathatha ithuba lokuyalela iqela labo leKubernetes.
Okwangoku akukho ndlela ilula yokufumanisa ukuba obu bungozi busetyenziswa ngaphambili.
Njengokuba izicelo ezingagunyaziswanga zenziwe kunxibelelwano olusekiweyo, aziveli kwiLogernetes API zophicotho zincwadi okanye kwilog yeseva.
Izicelo zivela kumncedisi we-API okanye i-log ye-kubelet, kodwa zahlulahlulwe kwizicelo ezigunyaziswe ngokufanelekileyo kunye ne-proxy kwiseva ye-Kubernetes API.
Ukuphathwa gadalala Obu bungozi butsha eKubernetes ngekhe ishiye umkhondo ocacileyo kwiigodo, ke ngoku ukubonwa kwe-Kubernetes bug, yinto nje yexesha ide isetyenziswe.
Ngamanye amagama, iRed Hat yathi:
Isiphene sokunyuka kwamalungelo sivumela nawuphina umsebenzisi ongagunyaziswanga ukuba afumane amalungelo okuphatha apheleleyo kuyo nayiphi na ikhowudi yeekhompyuter esebenza kwi-Kubernetes pod.
Oku ayisiyiyo nje ubusela okanye ukuvulwa kokufaka ikhowudi enobungozi, inokunciphisa usetyenziso kunye neenkonzo zokuvelisa ngaphakathi komlilo.
Nayiphi na inkqubo, kubandakanya iKubernetes, isemngciphekweni. Abasasazi beKubernetes sele bekhupha izilungiso.
I-Red Hat inika ingxelo yokuba zonke iimveliso ezisekwe kubernetes kunye neenkonzo kubandakanya iRed Hat OpenShift Container Platform, iRed Hat OpenShift Online, kunye neRed Hat OpenShift ezinikezelweyo zichaphazelekile.
I-Red Hat yaqala ukubonelela ngeziqwengana kunye nohlaziyo lwenkonzo kubasebenzisi abachaphazelekayo.
Ngokwazi, akukho mntu wasebenzisa ulwaphulo-mthetho ukuhlasela okwangoku. UDarren Shepard, umyili oyintloko kunye nomseki-mbumbulu welabhoratri yeRancher, wafumanisa le bug kwaye wayixela esebenzisa inkqubo yokubika ngobungozi baseKubernetes.
Indlela yokulungisa le mpazamo?
Ngethamsanqa, ukulungiswa kwale bug sele kukhutshiwe.. Kuphi kuphela Bayacelwa ukuba benze uhlaziyo lweKubernetes ke banokukhetha ezinye zeenguqulelo zeKubernetes ezimagqabini v1.10.11, v1.11.5, v1.12.3, kunye v1.13.0-RC.1.
Ke ukuba usasebenzisa nayiphi na iinguqulelo zeKubernetes v1.0.x-1.9.x, kuyacetyiswa ukuba unyuse uguqulelo olumiselweyo.
Ukuba ngasizathu sithile abanako ukuhlaziya iiKubernetes kwaye bafuna ukuyeka ukusilela, kuyimfuneko ukuba benze le nkqubo ilandelayo.
Kuya kufuneka uyeke ukusebenzisa iserver aggregates API okanye ususe i-pod exec / attach / portforward mvume kubasebenzisi ekungafuneki babe nokufikelela okupheleleyo kwi-kubelet API.
UJordani Liggitt, injineli yesoftware kaGoogle eyalungisa ibug, wathi loo manyathelo angabonakalisa ingozi.
Ke esona sisombululo sokwenyani nxamnye nale mpazamo yezokhuseleko kukwenza uhlaziyo oluhambelanayo lweKubernetes.