Hi,
In this article I would like to share with you a new vulnerability affecting Azure Kubernetes.
Title: Node disk DOS by writing to container /etc/hosts
CVE: CVE-2020-8557
Description:
The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.
Any clusters allowing pods with sufficient privileges to write to their own /etc/hosts files are affected. This includes containers running with CAP_DAC_OVERRIDE in their capabilities bounding set (true by default) and either UID 0 (root) or a security context with allowPrivilegeEscalation: true (true by default).
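The conditions above can be checked against pod manifests before they reach a cluster. The following Python code is an added example, not code from the advisory or from Kubernetes: the function names and sample manifests are constructed for illustration, and a container with no pinned UID is assumed to run as root unless runAsNonRoot is set.

```python
# Added example (not from the advisory): list containers that meet the
# /etc/hosts write conditions described above. Manifests are plain dicts.

def has_dac_override(sc):
    """True if DAC_OVERRIDE stays in the container's capability set."""
    caps = sc.get("capabilities") or {}
    norm = lambda names: {n.upper().replace("CAP_", "") for n in names or []}
    add, drop = norm(caps.get("add")), norm(caps.get("drop"))
    if "DAC_OVERRIDE" in add:
        return True                      # explicitly (re-)added
    if "DAC_OVERRIDE" in drop:
        return False
    return "ALL" in add or "ALL" not in drop   # part of the default set

def may_run_as_root(pod_sc, sc):
    """Container-level securityContext overrides the pod-level one."""
    uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
    if uid is not None:
        return uid == 0
    # No UID pinned: the image decides, so assume root unless runAsNonRoot.
    return not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))

def exposed_containers(pod):
    """Names of containers that can write to their own /etc/hosts."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    hits = []
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        sc = c.get("securityContext") or {}
        escalation = sc.get("allowPrivilegeEscalation", True)  # true by default
        if has_dac_override(sc) and (may_run_as_root(pod_sc, sc) or escalation):
            hits.append(c["name"])
    return hits

# Constructed sample manifests (hypothetical names).
DEFAULT_POD = {"spec": {"containers": [{"name": "web"}]}}
HARDENED_POD = {"spec": {
    "securityContext": {"runAsUser": 1000, "runAsNonRoot": True},
    "containers": [{"name": "api", "securityContext": {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for pod in (DEFAULT_POD, HARDENED_POD):
        print(exposed_containers(pod))
```

A pod with no securityContext at all is reported, which matches the "true by default" notes in the description: the defaults alone satisfy the conditions.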
Affected versions:
kubelet v1.18.0-1.18.5
kubelet v1.17.0-1.17.8
kubelet < v1.16.13
Fixed versions:
AKS v1.15.11*, v1.15.12*
AKS v1.16.10* and v1.16.13+
AKS v1.17.7* and v1.17.9+
AKS v1.18.6+
Maxime.