VMware Integrated OpenStack with Kubernetes 5.1 is potentially affected by CVE-2018-1002105, a critical security vulnerability in Kubernetes. You must install Security Patch 1 to remediate this vulnerability.
For more information about the vulnerability, see https://github.com/kubernetes/kubernetes/issues/71411. For information about the VMware response to the vulnerability, see the VMware Security & Compliance Blog.
Prerequisites
- Install VMware Integrated OpenStack with Kubernetes 5.1 or upgrade your VMware Integrated OpenStack with Kubernetes deployment to version 5.1.
- Download VMware Integrated OpenStack with Kubernetes 5.1 Security Patch 1 from the VMware Integrated OpenStack download page.
Procedure
- Transfer the VMware Integrated OpenStack with Kubernetes 5.1 Security Patch 1 file to the VMware Integrated OpenStack with Kubernetes appliance.
- Log in to the VMware Integrated OpenStack with Kubernetes appliance as the root user.
- Decompress and install the patch.
    tar -xzf viok-5.1-hp1.tar.gz
    cd viok-5.1-hp1
    ./install.sh
- If you have already deployed Kubernetes clusters, perform the following steps to patch them:
  - Update each cluster in your deployment.
      vkube cluster update cluster-id
    Run the preceding command once for each cluster. You can use the vkube cluster list command to find the ID of all clusters in your deployment.
  - Log in to each node in each cluster, restart the kubelet service, and re-create all static pods.
      vkube ssh node-name --cluster-id cluster-id
      sudo systemctl restart kubelet.service
      mkdir backup
      sudo mv /etc/kubernetes/manifests/*.manifest ./backup
      sudo cp ./backup/* /etc/kubernetes/manifests/
      exit
    Run the preceding commands once for each node. You can use the vkube cluster show command with a cluster ID to find the name of each node in the cluster.
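An added post-patch check, not part of VMware's procedure: the function below classifies a Kubernetes version string against the upstream releases that fixed CVE-2018-1002105 (v1.10.11, v1.11.5, v1.12.3, and v1.13.0 onward). The function names are hypothetical and the sample versions are constructed; it assumes a patched cluster reports an upstream-style version, and it reports strings with a pre-release or vendor "-" suffix as unknown rather than guessing.

```shell
#!/bin/sh
# Added example. Upstream fix releases for CVE-2018-1002105:
# v1.10.11, v1.11.5, v1.12.3; v1.13.0 and later already contain the fix.
# Returns 0 = fixed, 1 = affected, 2 = cannot tell.
cve_2018_1002105_status() {
    v=${1#v}          # drop the leading "v"
    v=${v%%+*}        # drop build metadata such as "+build.1"
    case $v in
        *-*) return 2 ;;                  # pre-release or vendor suffix: do not guess
        [0-9]*.[0-9]*.[0-9]*) ;;          # looks like major.minor.patch
        *) return 2 ;;
    esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    for part in "$major" "$minor" "$patch"; do
        case $part in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -eq 1 ] || return 2        # only the 1.x line is covered here
    case $minor in
        10) fixed_patch=11 ;;
        11) fixed_patch=5 ;;
        12) fixed_patch=3 ;;
        *)  # 1.13+ ships the fix; 1.0 to 1.9 never received a fix release
            if [ "$minor" -ge 13 ]; then return 0; else return 1; fi ;;
    esac
    if [ "$patch" -ge "$fixed_patch" ]; then return 0; else return 1; fi
}

# Print a one-word verdict for a version string (hypothetical helper).
describe_version() {
    rc=0
    cve_2018_1002105_status "$1" || rc=$?
    case $rc in
        0) echo fixed ;;
        1) echo affected ;;
        *) echo unknown ;;
    esac
}

# Constructed sample versions, one per outcome.
for sample in v1.10.11 v1.10.10 v1.12.3+build.1 v1.11.5-rc.1; do
    printf '%s %s\n' "$sample" "$(describe_version "$sample")"
done
```

Pass it the Server Version that kubectl version reports for each cluster after the update; the vulnerability is in the API server, so that is the version that matters.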