First security flaw discovered in Kubernetes


Kubernetes has become by far the most popular cloud container system. So it was really only a matter of time until its first major security flaw was discovered.

And so it happened: the first major security flaw in Kubernetes was recently published as CVE-2018-1002105, also known as the privilege escalation flaw.

This flaw is a serious problem because it is a critical hole rated CVSS 9.8, and it is the first major security flaw in Kubernetes.

Details of the flaw

With a specially crafted network request, any user can establish a connection through the Kubernetes application programming interface (API) server to a backend server.

Once the connection is established, an attacker can send arbitrary requests over that network connection directly to the backend, and the target is always that server.

These requests are authenticated with the TLS (Transport Layer Security) credentials of the Kubernetes API server.

Worse still, in the default configuration all users (authenticated or not) can make the discovery API calls that allow an attacker to perform this privilege escalation.

So anyone who knows about the hole can take the opportunity to take control of a Kubernetes cluster.

For now there is no easy way to detect whether this vulnerability has been used previously.

Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or in the server log.


The requests do appear in the logs of the kubelet or of the aggregated API server, but they cannot be distinguished from correctly authorized requests proxied through the Kubernetes API server.

Abuse of this new vulnerability in Kubernetes would leave no obvious traces in the logs, so now that the Kubernetes bug has been disclosed, it is only a matter of time until it is used.

In other words, Red Hat said:

The privilege escalation flaw allows any unauthorized user to gain full administrator privileges on any compute node running in a Kubernetes pod.

This is not just theft or an opening to inject malicious code; it can also bring down production applications and services inside an organization's firewall.

Any program that includes Kubernetes is vulnerable. Kubernetes distributors have already released fixes.

Red Hat reports that all of its Kubernetes-based products and services are affected, including Red Hat OpenShift Container Platform, Red Hat OpenShift Online, and Red Hat OpenShift Dedicated.

Red Hat has begun providing patches and service updates to affected users.

As far as is known, nobody has yet used the security flaw in an attack. Darren Shepherd, chief architect and co-founder of Rancher Labs, found the bug and reported it through the Kubernetes vulnerability reporting process.

How to fix this flaw?

Fortunately, a fix for this bug has already been released. Users are simply asked to update Kubernetes, choosing one of the patched versions: v1.10.11, v1.11.5, v1.12.3, and v1.13.0-RC.1.

So if you are still running any of the Kubernetes versions v1.0.x-1.9.x, it is recommended that you upgrade to a fixed version.

If for some reason you cannot update Kubernetes and want to stop this flaw, the following procedure is necessary.

You must stop using aggregated API servers, or remove the pod exec / attach / portforward permissions from users who should not have full access to the kubelet API.

Jordan Liggitt, the Google software engineer who fixed the bug, said those measures could be detrimental.

So the only real solution to this security flaw is to apply the corresponding Kubernetes update.
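For the permission review in the workaround above, the following added example (not from the original article or the Kubernetes project) lists which subjects are bound to roles that grant pod exec / attach / portforward. The function names and the sample RBAC objects are constructed for illustration.

```python
import json

RISKY = {"pods/exec", "pods/attach", "pods/portforward"}
VERBS = {"create", "get", "*"}  # these sessions are opened with a POST or a GET upgrade

def grants(rule):
    """Return the risky pod subresources one RBAC rule grants (empty set if none)."""
    if not {"", "*"} & set(rule.get("apiGroups", [])):  # pods live in the core ("") group
        return set()
    if not VERBS & set(rule.get("verbs", [])):
        return set()
    res = set(rule.get("resources", []))
    # "*" covers everything; "*/exec" covers the exec subresource of every resource.
    return {r for r in RISKY if "*" in res or r in res or "*/" + r.split("/")[1] in res}

def risky_roles(items):
    """Map (kind, namespace, name) of each Role/ClusterRole to the subresources it grants."""
    out = {}
    for obj in items:
        if obj.get("kind") in ("Role", "ClusterRole"):
            hit = set().union(*(grants(r) for r in obj.get("rules") or []))
            if hit:
                meta = obj["metadata"]
                out[(obj["kind"], meta.get("namespace", ""), meta["name"])] = sorted(hit)
    return out

def exposed_subjects(items):
    """List (subject kind, subject name, role, subresources) for bindings to a risky role."""
    roles, found = risky_roles(items), []
    for obj in items:
        if obj.get("kind") in ("RoleBinding", "ClusterRoleBinding"):
            ref = obj["roleRef"]
            # A RoleBinding may reference a Role in its own namespace or a ClusterRole.
            ns = obj["metadata"].get("namespace", "") if ref["kind"] == "Role" else ""
            hit = roles.get((ref["kind"], ns, ref["name"]))
            for s in (obj.get("subjects") or []) if hit else []:
                found.append((s["kind"], s["name"], ref["name"], hit))
    return found

# Constructed sample, shaped like the "items" of `kubectl get ... -o json` output.
SAMPLE = json.loads("""[
 {"kind":"ClusterRole","metadata":{"name":"debugger"},"rules":[{"apiGroups":[""],"resources":["pods","pods/exec"],"verbs":["get","create"]}]},
 {"kind":"Role","metadata":{"name":"viewer","namespace":"web"},"rules":[{"apiGroups":[""],"resources":["pods","pods/log"],"verbs":["get","list"]}]},
 {"kind":"Role","metadata":{"name":"ops","namespace":"web"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]},
 {"kind":"RoleBinding","metadata":{"name":"b1","namespace":"web"},"roleRef":{"kind":"ClusterRole","name":"debugger"},"subjects":[{"kind":"User","name":"alice"}]},
 {"kind":"RoleBinding","metadata":{"name":"b2","namespace":"web"},"roleRef":{"kind":"Role","name":"viewer"},"subjects":[{"kind":"User","name":"bob"}]},
 {"kind":"RoleBinding","metadata":{"name":"b3","namespace":"web"},"roleRef":{"kind":"Role","name":"ops"},"subjects":[{"kind":"Group","name":"sre"}]}
]""")
if __name__ == "__main__": print(exposed_subjects(SAMPLE))
```

Wildcard rules are the easy ones to miss: the `ops` role never names a pod subresource, yet it grants all three.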

