VMware Integrated OpenStack with Kubernetes 5.1 is potentially affected by CVE-2018-1002105, a critical security vulnerability in Kubernetes. You must install Security Patch 1 to remediate this vulnerability.

For more information about the vulnerability, see https://github.com/kubernetes/kubernetes/issues/71411. For information about the VMware response to the vulnerability, see the VMware Security & Compliance Blog.

Prerequisites

  • Install VMware Integrated OpenStack with Kubernetes 5.1 or upgrade your VMware Integrated OpenStack with Kubernetes deployment to version 5.1.
  • Download VMware Integrated OpenStack with Kubernetes 5.1 Security Patch 1 from the VMware Integrated OpenStack download page.

Procedure

  1. Transfer the VMware Integrated OpenStack with Kubernetes 5.1 Security Patch 1 file to the VMware Integrated OpenStack with Kubernetes appliance.
  2. Log in to the VMware Integrated OpenStack with Kubernetes appliance as the root user.
  3. Decompress and install the patch.
    tar -xzf viok-5.1-hp1.tar.gz
    cd viok-5.1-hp1
    ./install.sh
  4. If you have already deployed Kubernetes clusters, perform the following steps to patch them:
    1. Update each cluster in your deployment.
      vkube cluster update cluster-id

      Run the preceding command once for each cluster. You can use the vkube cluster list command to find the ID of all clusters in your deployment.

    2. Log in to each node in each cluster, restart the kubelet service, and re-create all static pods.
      vkube ssh node-name --cluster-id cluster-id
      sudo systemctl restart kubelet.service
      mkdir backup
      sudo mv /etc/kubernetes/manifests/*.manifest ./backup
      sudo cp ./backup/* /etc/kubernetes/manifests/
      exit

      Run the preceding commands once for each node. You can use the vkube cluster show command with a cluster ID to find the name of each node in the cluster.