Kops: Kops patch including new Docker version for CVE-2019-5736

Created on 17 Feb 2019 · 16 comments · Source: kubernetes/kops

1. Describe IN DETAIL the feature/behavior/change you would like to see.
Are you considering cherry-picking #6460 to have a patch version of Kops for at least the 1.10 and 1.11 releases?

Labels: lifecycle/rotten

All 16 comments

Is it safe to use a version of docker that has not been verified on Kubernetes 1.10 / 1.11? This is a big risk that was left unanswered in the PR.

From @captainkerk in https://github.com/kubernetes/kops/pull/6460#issuecomment-463730763 ...

Honestly, I think using rancher's patched docker-runc is the best way to patch for this CVE, at least until kops supports kubernetes v1.12. The solution proposed in this PR is to use a version of docker that hasn't been verified with any version of kubernetes that kops supports. v1.12 is the first version to support docker 18.06.

It would be nice if kops could just use rancher's patched version of docker-runc (or maybe build your own) without us having to use a hook. To me, that seems like an interesting patch vector that should be considered?

We definitely need to cherry-pick something for 1.11 at least. Our options seem to be to install an updated runc or to use a newer version of docker. Neither is formally tested with k8s 1.11, the patched runc is probably harder but safer.

Not sure if anyone knows of a third way...

Just sharing my hook based on https://github.com/kubernetes/kops/issues/6459#issuecomment-463558952 with a sha256sum check. Use it in cluster.yml or via kops edit cluster, under spec:

  hooks:
  # temp fix for CVE-2019-5736 until kops adds support for it
  # ref: https://github.com/rancher/runc-cve
  # sha256sum -c aborts the && chain if the downloaded binary does not match
  - name: patch-runc
    roles:
    - Node
    - Master
    before:
    - docker.service
    manifest: |
      Type=oneshot
      ExecStart=/bin/bash -c 'mv /usr/bin/docker-runc /usr/bin/docker-runc.orig && wget -P /tmp https://github.com/rancher/runc-cve/releases/download/CVE-2019-5736-build3/runc-v17.03.2-amd64 && echo "25d2965a74d33e7bc7e16f6b6fef6a8c93a115d0c1027bdb792b2a57c03f2a74  /tmp/runc-v17.03.2-amd64" | sha256sum -c && chmod +x /tmp/runc-v17.03.2-amd64 && mv /tmp/runc-v17.03.2-amd64 /usr/bin/docker-runc'

Since it's been more than a week since the vulnerability was made public, when can we expect a patch release for 1.11?

We are also waiting for the patch to be released; please let us know soon.

Yes, it's been more than 2 weeks and still no patch. It is quite worrying to see kops trailing behind; on the Kubernetes blog, Kops Debian is the only image in progress.

I see a patch is available. Thanks guys.

Here's a link to the release
https://github.com/kubernetes/kops/releases/tag/1.11.1

There's no patch for 1.10 as far as I can tell

Big thank you to everyone who worked on this :)

Thank you all for the contributions to this patch!

For anyone who went down the route of using Rancher's patched runc binary via hook, be aware that Kops 1.11.1 sets the immutable attribute on the docker-runc file. Your hook might not work with kops 1.11.1 depending on how you handle writing the file.
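Combining the hook posted earlier with this immutable-attribute caveat, here is an added example (not code from the thread or from kops) of the hook's core step as a POSIX sh function: it verifies the sha256 before anything is moved, keeps the original, installs atomically, and backs off if the target is immutable. The function names `install_patched_runc` and `is_immutable` and the exit codes are choices made here.

```shell
#!/bin/sh
# Added example, not code from the kops project or from anyone in this thread.
# Core step of a docker-runc patch hook: verify the download before anything
# is moved, keep a backup, install atomically, and refuse to fight the
# immutable attribute (chattr +i) that kops 1.11.1 puts on docker-runc.
# Function names and exit codes below are chosen for this example.

# True when the file carries the ext "i" (immutable) attribute. lsattr is
# absent or fails on some filesystems; treat that as "not immutable".
is_immutable() {
    flags=$(lsattr "$1" 2>/dev/null | awk '{print $1}')
    case "$flags" in *i*) return 0 ;; esac
    return 1
}

# install_patched_runc <downloaded binary> <expected sha256> <target path>
# exit 0: installed or already up to date; 1: hash mismatch; 2: target immutable
install_patched_runc() {
    src=$1; expected=$2; target=$3
    actual=$(sha256sum "$src" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "refusing to install $src: sha256 $actual != $expected" >&2
        return 1
    fi
    if [ -f "$target" ]; then
        # Idempotent: a re-run on an already patched node is a no-op.
        if [ "$(sha256sum "$target" | awk '{print $1}')" = "$expected" ]; then
            return 0
        fi
        if is_immutable "$target"; then
            echo "$target is immutable (kops manages it); leaving it alone" >&2
            return 2
        fi
        cp -p "$target" "$target.orig"
    fi
    # Copy then rename so docker never sees a half-written binary.
    cp "$src" "$target.tmp" && chmod 0755 "$target.tmp" && mv "$target.tmp" "$target"
}

# Hook usage with the build the thread points at (URL and hash from the thread):
#   wget -P /tmp https://github.com/rancher/runc-cve/releases/download/CVE-2019-5736-build3/runc-v17.03.2-amd64
#   install_patched_runc /tmp/runc-v17.03.2-amd64 \
#     25d2965a74d33e7bc7e16f6b6fef6a8c93a115d0c1027bdb792b2a57c03f2a74 /usr/bin/docker-runc
```

Unlike the one-line ExecStart above, a failed download here leaves the original docker-runc untouched, since nothing is moved until the hash has been checked.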

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
