Security information

  • Updated the following middleware component versions to resolve vulnerabilities in MKE:

    • [MKE-10159] NGINX Ingress Controller 1.8.2

    • [FIELD-6356] AlertManager 0.26.0

    • [MKE-10050] CoreDNS 1.11.0

  • Mirantis has begun an initiative to align MKE with CIS Benchmarks, where pertinent. The following table details the CIS Benchmark resolutions and improvements that are introduced in MKE 3.6.7:

    CIS Benchmark type/version

    Recommendation designation

    Ticket

    Resolution/Improvement

    Docker 1.6

    4.9

    MKE-9960

    The MKE Dockerfiles were improved and are now exempt from ADD instructions, with only COPY in use.

    Kubernetes 1.7

    1.1.17

    MKE-9906

    The permission for /ucp-volume-mounts/ucp-node-certs/controller-manager.conf is now set to 600.

    Kubernetes 1.7

    1.2.9

    MKE-10149

    Support for the EventRateLimit admission controller has been added to MKE. By default, the admission controller remains disabled, however it can be enabled with a TOML configuration, as exemplified below:

    [cluster_config.k8s_event_rate_limit]
    event_rate_limit_ac_enabled = true

    [[cluster_config.k8s_event_rate_limit.limits]]
      limit = "Namespace"
      limit_qps = 1
      limit_burst = 1
      limit_cache_size = 16

    [[cluster_config.k8s_event_rate_limit.limits]]
      limit = "User"
      limit_qps = 1
      limit_burst = 1
      limit_cache_size = 16

    MKE will not validate the individual values for individual limits specified, except to employ a default value of 4096 for limit_cache_size when a value is provided.

    Refer to the Kubernetes documentation Admission Controllers Reference: EventRateLimit. Note that limit types are adherred to strictly, including case match.

    Important

    Ensure that you validate your configuration on a test cluster before applying it in production, as a misconfigured admission controller can make kube-apiserver unavailable for the cluster.

    Kubernetes 1.7

    1.3.7

    MKE-9904

    The --bind-address argument is set to 127.0.0.1 in ucp-kube-controllermanager.

    Kubernetes 1.7

    4.1.8

    MKE-10011, MKE-9917

    The kubelet Client Certficate Authority file ownership is now root:root, changed from its previous nobody:nogroup setting.

    Kubernetes 1.7

    4.2.5

    MKE-9913

    The kubelet streamingConnectIdleTimeout argument is set explicitly to 4h.

    Kubernetes 1.7

    4.2.6

    MKE-9914

    The kubelet make-iptables-util-chains argument is set explicitly to true.

    Kubernetes 1.7

    4.2.8

    MKE-10006

    The kubelet_event_record_qps parameter can now be configured in the MKE configuration file, as exemplified below:

    [cluster_config]
    kubelet_event_record_qps = 50

    Kubernetes 1.7

    5.1.5

    MKE-10005

    The MKE install process now sets default service accounts in control plane namespaces to specifically not automount service account tokens.

    Kubernetes 1.7

    5.1.6

    MKE-9921

    The use of service account tokens is restricted, allowing for mounting only where necessary in MKE system namespaces.

    Kubernetes 1.7

    5.2.2

    MKE-9923

    Work was done to minimize the admission of privileged containers.

    Kubernetes 1.7

    5.2.8

    MKE-9924

    NET_RAW capability has been removed from all unprivileged system containers.