A critical Kubernetes vulnerability, CVE-2018-1002105, was announced on Monday, December 3. This impacts all previously released versions of Kubernetes. Domino uses Kubernetes in parts of our infrastructure, so we have investigated the potential security risk due to this bug.
In short, Domino is not impacted by this CVE because the attack vectors are not exploitable through Domino, as described below.
This CVE identifies two vectors for privilege escalation: one through the API aggregation layer (requests proxied by the Kubernetes API server to an aggregated API server), and the other through RBAC users that have pod exec/attach/portforward permissions.
See the Kubernetes GitHub issue for full details; specifically, refer to the “Affected Configurations” section, which describes the following two scenarios of exposure:
“Clusters that run aggregated API servers (like the metrics server) that are directly accessible from the Kubernetes API server’s network.”
No Domino Kubernetes clusters run aggregated API servers, so there are no endpoints to exploit.
“Clusters that grant pod exec/attach/portforward permissions to users that are not expected to have full access to kubelet APIs”
Domino Kubernetes clusters do not have any such users. Therefore, this is not a vector for privilege escalation.
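The two “Affected Configurations” above translate into two concrete audit questions for any cluster operator: does the cluster register any aggregated API servers, and which RBAC subjects can reach the pod exec/attach/portforward sub-resources? The script below is an added example written for this page; it is not Domino's code and not part of the Kubernetes project. It works on constructed objects shaped like the output of `kubectl get apiservices -o json`, `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`, so it runs offline; the role and subject names in the sample (`debug-helper`, `dev-alice`) are invented. An APIService whose `spec.service` is set is served by an in-cluster aggregated server, while built-in groups have `spec.service` null; a rule is flagged if it names one of the sub-resources or uses a `*` wildcard, regardless of verb, so the result is a conservative list to review rather than a verdict.

```python
"""Audit helpers for the two CVE-2018-1002105 exposure scenarios (example code, constructed input)."""

# Sub-resources named in the advisory; exec/attach/portforward are all pod sub-resources in the core ("") API group.
POD_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}

# Constructed sample, shaped like `kubectl get apiservices -o json`.
SAMPLE_APISERVICES = {"items": [
    {"metadata": {"name": "v1.apps"},
     "spec": {"group": "apps", "version": "v1", "service": None}},          # built-in, served by kube-apiserver
    {"metadata": {"name": "v1beta1.metrics.k8s.io"},
     "spec": {"group": "metrics.k8s.io", "version": "v1beta1",
              "service": {"name": "metrics-server", "namespace": "kube-system"}}},  # aggregated
]}

# Constructed sample, shaped like `kubectl get clusterroles -o json`.
SAMPLE_ROLES = {"items": [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "debug-helper"},   # hypothetical role name
     "rules": [{"apiGroups": [""], "resources": ["pods/exec", "pods/portforward"], "verbs": ["create"]}]},
]}

# Constructed sample, shaped like `kubectl get clusterrolebindings -o json`.
SAMPLE_BINDINGS = {"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "debug-helper-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "debug-helper"},
     "subjects": [{"kind": "User", "name": "dev-alice"}]},   # hypothetical user
]}


def aggregated_apiservices(apiservices):
    """Names of APIService objects backed by an in-cluster Service, i.e. aggregated API servers.
    Built-in API groups carry spec.service == null and are never proxied."""
    names = [item["metadata"]["name"]
             for item in apiservices.get("items", [])
             if item.get("spec", {}).get("service")]
    return sorted(names)


def _rule_pod_subresources(rule):
    """Set of flagged resources a single RBAC rule grants ('*' if it wildcards all resources)."""
    groups = rule.get("apiGroups", [])
    if "" not in groups and "*" not in groups:   # pods live in the core group only
        return set()
    resources = set(rule.get("resources", []))
    if "*" in resources:
        return {"*"}
    return resources & POD_SUBRESOURCES


def pod_subresource_roles(roles):
    """Map role name -> sorted list of flagged resources, for every role touching exec/attach/portforward.
    Any verb is flagged deliberately; narrowing by verb is left to the reviewer."""
    found = {}
    for role in roles.get("items", []):
        matched = set()
        for rule in role.get("rules") or []:
            matched |= _rule_pod_subresources(rule)
        if matched:
            found[role["metadata"]["name"]] = sorted(matched)
    return found


def subjects_with_pod_subresource_access(roles, bindings):
    """(subject kind, subject name, role name) for every binding whose roleRef points at a flagged role.
    Matches roleRef by name only, which is exact for cluster-scoped objects as in the sample."""
    flagged = pod_subresource_roles(roles)
    out = []
    for binding in bindings.get("items", []):
        ref = binding.get("roleRef", {})
        if ref.get("name") not in flagged:
            continue
        for subject in binding.get("subjects") or []:
            out.append((subject.get("kind"), subject.get("name"), ref["name"]))
    return sorted(out)


if __name__ == "__main__":
    print("aggregated API servers:", aggregated_apiservices(SAMPLE_APISERVICES))
    print("roles granting pod sub-resources:", pod_subresource_roles(SAMPLE_ROLES))
    for kind, name, role in subjects_with_pod_subresource_access(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"{kind} {name} -> {role}")
```

Against a live cluster the three sample dicts would be replaced by `json.load` of the corresponding `kubectl get ... -o json` output; namespaced `Role`/`RoleBinding` objects need the same treatment per namespace. The wildcard hit on `cluster-admin` is expected for `system:masters` and is there to make the point that wildcards must be read as granting these sub-resources too, so the review is about whether each listed subject is one that is already trusted with full kubelet API access, as the advisory's second scenario phrases it.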