AKS clusters patched for Kubernetes vulnerability
Updated: December 05, 2018
Today, the Kubernetes community announced a serious security vulnerability that affects some recent Kubernetes releases available in Azure Kubernetes Service (AKS).
The vulnerability allows unauthenticated external users to reach the metrics data served through the Kubernetes metrics-server API by sending a specially crafted request. It affects every patch release of Kubernetes 1.10 through 1.10.10 and every patch release of 1.11 through 1.11.4 (1.11.5 carries the fix). Earlier minor releases in AKS are not affected because they do not include the metrics server.
Ahead of this announcement, Azure Kubernetes Service mitigated all affected clusters by overriding the default Kubernetes configuration to disable unauthenticated access to the endpoints that exposed the vulnerability: everything under https://myapiserver/apis/ on the API server. If you relied on unauthenticated access to those endpoints from outside the cluster, you will need to authenticate your requests instead (for example with a service-account token or a client certificate). This mitigation closes the exposure but does not change the cluster's Kubernetes version; upgrading applies the upstream fix.
If you want to upgrade to a Kubernetes release that contains the underlying fix, we have now made version 1.11.5 available. Upgrading is as simple as:
az aks upgrade -n mycluster -g myresourcegroup -k 1.11.5
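Two checks an operator can run after reading this notice, added here as an example and not part of the AKS advisory: is_affected encodes only the version ranges listed above (1.10.0 through 1.10.10 and 1.11.0 through 1.11.4), and anonymous_apis_status probes the /apis/ tree that the mitigation closed. The az aks show queries, the placeholder names mycluster and myresourcegroup, and the two function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not part of the AKS advisory): post-notice checks for a cluster.
set -u

# is_affected <kubernetesVersion>
# Exit 0 when the version is in a range the advisory lists as affected:
# 1.10.0 through 1.10.10, or 1.11.0 through 1.11.4. Anything else (1.9.x,
# 1.10.11, 1.11.5, ...) exits 1. A leading "v" and a pre-release suffix on
# the patch number are tolerated.
is_affected() {
  local IFS=.                 # split "1.11.4" on dots; IFS is restored on return
  local ver="${1#v}" major minor patch
  set -- $ver
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  patch=${patch%%[!0-9]*}     # "4-rc1" -> "4"
  [ "$major" = 1 ] || return 1
  case "$minor" in
    10) [ "${patch:-0}" -le 10 ] ;;   # 1.10.0 .. 1.10.10
    11) [ "${patch:-0}" -le 4 ] ;;    # 1.11.0 .. 1.11.4
    *)  return 1 ;;                   # other minors: not in the listed ranges
  esac
}

# anonymous_apis_status <api-server-fqdn>
# Print the HTTP status an unauthenticated client receives for GET /apis/,
# the tree the mitigation closed. Expect 401 or 403; a 200 means anonymous
# access is still on. -k is acceptable here only because we read the status
# code and discard the body; use --cacert with the cluster CA if you have it.
anonymous_apis_status() {
  curl -sk -o /dev/null -w '%{http_code}' "https://$1/apis/"
}

# Wire-up against a real cluster (requires an authenticated az CLI). The
# cluster and resource-group names are the advisory's placeholders; the
# commands are only run when both are passed on the command line.
if [ "$#" -ge 2 ]; then
  ver=$(az aks show -n "$1" -g "$2" --query kubernetesVersion -o tsv)
  fqdn=$(az aks show -n "$1" -g "$2" --query fqdn -o tsv)
  if is_affected "$ver"; then
    echo "$ver is in an affected range; plan the upgrade (az aks get-upgrades -n $1 -g $2)"
  else
    echo "$ver is outside the ranges listed in the advisory"
  fi
  status=$(anonymous_apis_status "$fqdn")
  [ "$status" != 200 ] && echo "anonymous GET /apis/ -> $status (closed)" \
                       || echo "anonymous GET /apis/ -> 200 (still open!)"
fi
```

Run it as `bash check.sh mycluster myresourcegroup`; az aks get-upgrades lists the releases (such as 1.11.5) the cluster can move to before you issue az aks upgrade.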