The Kubelet has been found to be vulnerable to a denial of service attack via the kubelet API. Both servers are affected: the unauthenticated HTTP read-only API, typically served on port 10255, and the authenticated HTTPS API, typically served on port 10250.
Created kubernetes tracking bugs for this issue:
Affects: fedora-all [bug 1816405]

Created origin tracking bugs for this issue:
Affects: fedora-all [bug 1816406]
Mitigation: Prevent unauthenticated or unauthorized access to the Kubelet API
Probably the reason kubelets before 1.15.0 are unaffected is the lack of this commit, which added kubelet http metrics:
https://github.com/kubernetes/kubernetes/commit/538cd87864ee18fa0ae31b20b39728ada6f2f9ba

Comparing against a 4.x cluster, 3.11 clusters do not have 'kubelet_http*' metrics available:

OCP 4.3:
$ curl -s -k <cert_creds> https://localhost:10250/metrics | grep kubelet_http
# HELP kubelet_http_inflight_requests [ALPHA] Number of the inflight http requests
# TYPE kubelet_http_inflight_requests gauge
kubelet_http_inflight_requests{long_running="false",method="GET",path="",server_type="readwrite"} 0
kubelet_http_inflight_requests{long_running="false",method="GET",path="metrics",server_type="readwrite"} 1
...

OCP 3.11:
$ curl -s -k <cert_creds> https://localhost:10250/metrics | grep kubelet_http
$

So I think it's safe to say OCP 3.11 is not affected.
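The two checks implied by the Mitigation above (is unauthenticated or unauthorized access to the Kubelet API closed off?) and by the comment above (does this kubelet expose the kubelet_http_* metric families that only exist from 1.15.0 on?) can be scripted. The following is an added example, not Red Hat, OpenShift or Kubernetes code. It assumes that the kubelet's /configz endpoint returns JSON shaped as {"kubeletconfig": {...}} carrying the KubeletConfiguration fields authentication.anonymous.enabled, authorization.mode, readOnlyPort and port, and that /metrics is Prometheus text format as in the curl output above. The /configz and /metrics samples are constructed, and the function names are hypothetical.

```python
"""Audit helpers for the kubelet exposure discussed on this page (added example).

Assumptions, not stated on the page: /configz returns {"kubeletconfig": {...}}
with KubeletConfiguration field names; kubelet defaults are anonymous
authentication enabled, authorization mode AlwaysAllow and readOnlyPort 10255,
so a missing key is treated as the insecure default.
"""
import json
import re
from typing import List, Set

# Constructed /configz response with every relevant setting left open.
WEAK_CONFIGZ = json.dumps({
    "kubeletconfig": {
        "authentication": {"anonymous": {"enabled": True},
                           "webhook": {"enabled": False}},
        "authorization": {"mode": "AlwaysAllow"},
        "readOnlyPort": 10255,
        "port": 10250,
    }
})

# Constructed /configz response after hardening: no anonymous callers, the API
# server decides who may call which kubelet endpoint, read-only port disabled.
HARDENED_CONFIGZ = json.dumps({
    "kubeletconfig": {
        "authentication": {"anonymous": {"enabled": False},
                           "webhook": {"enabled": True}},
        "authorization": {"mode": "Webhook"},
        "readOnlyPort": 0,
        "port": 10250,
    }
})

# Constructed /metrics excerpts modelled on the grep output in the comment above.
METRICS_1_15_PLUS = """# HELP kubelet_http_inflight_requests [ALPHA] Number of the inflight http requests
# TYPE kubelet_http_inflight_requests gauge
kubelet_http_inflight_requests{long_running="false",method="GET",path="metrics",server_type="readwrite"} 1
kubelet_running_pods 3
"""
METRICS_PRE_1_15 = """# TYPE kubelet_running_pods gauge
kubelet_running_pods 3
"""


def audit_kubelet_config(configz_json: str) -> List[str]:
    """Return findings for the settings that let unauthenticated or
    unauthorized clients reach the kubelet API. Empty list = all closed."""
    cfg = json.loads(configz_json).get("kubeletconfig", {})
    findings = []
    https_port = cfg.get("port", 10250)
    anonymous = cfg.get("authentication", {}).get("anonymous", {})
    if anonymous.get("enabled", True):
        findings.append(
            f"authentication.anonymous.enabled is true: unauthenticated requests "
            f"reach the HTTPS API on port {https_port}")
    if cfg.get("authorization", {}).get("mode", "AlwaysAllow") == "AlwaysAllow":
        findings.append(
            "authorization.mode is AlwaysAllow: any authenticated identity may "
            "call every kubelet endpoint, including /metrics")
    ro_port = cfg.get("readOnlyPort", 10255)
    if ro_port != 0:
        findings.append(
            f"readOnlyPort is {ro_port}: the unauthenticated read-only HTTP API "
            f"is served; set readOnlyPort: 0")
    return findings


_METRIC_NAME = re.compile(r"^(kubelet_http_[A-Za-z0-9_]+)")


def kubelet_http_metric_families(metrics_text: str) -> Set[str]:
    """Names of kubelet_http_* metric families in a /metrics scrape.
    An empty set is the condition the comment above used to rule OCP 3.11 out.
    A non-empty set only shows the 1.15.0+ HTTP-server metrics are present; it
    does not tell you whether the fixed package is installed."""
    names = set()
    for line in metrics_text.splitlines():
        if line.startswith("#"):  # skip HELP/TYPE lines, which also carry the name
            continue
        match = _METRIC_NAME.match(line)
        if match:
            names.add(match.group(1))
    return names


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIGZ), ("hardened", HARDENED_CONFIGZ)):
        print(f"{label}: {audit_kubelet_config(cfg) or ['no findings']}")
    print("1.15+ scrape:", kubelet_http_metric_families(METRICS_1_15_PLUS))
    print("pre-1.15 scrape:", kubelet_http_metric_families(METRICS_PRE_1_15))
```

In practice the JSON comes from an authenticated request to https://<node>:10250/configz and the scrape from /metrics, exactly as the curl command above does it; pipe their bodies into the two functions. Do not take an empty /metrics result as proof of safety on its own, since the same empty result is what a closed-off or unauthorized endpoint returns.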
*** Bug 1816378 has been marked as a duplicate of this bug. ***
External References:
https://groups.google.com/forum/#!topic/kubernetes-security-announce/2UOlsba2g0s
https://github.com/kubernetes/kubernetes/issues/89377
Statement: By default, OpenShift Container Platform does not allow unauthenticated access to the Kubelet API. OpenShift Container Platform versions before 4.2 are not affected by this vulnerability as they are based on earlier versions of Kubernetes which do not include metrics for the Kubelet HTTP server.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:1276 https://access.redhat.com/errata/RHSA-2020:1276
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8551
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:1277 https://access.redhat.com/errata/RHSA-2020:1277