This is a volume security issue related to permission access. Through the subpath volume mounting method in a created container, a user can access files and directories outside the volume mounting directory, including the host's file system.
This vulnerability affects related behaviors of kubelet, and the issue is particularly serious for cluster administrators who may strictly restrict the creation of
This vulnerability is rated as medium-risk with a CVSS score of 5.5.
Users who do not want to upgrade kubelet can use two preventative measures:
- kube-apiserver and remove all pods that are using this feature.
- admission control to prevent users with low trust levels from running the container with the
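To locate the pods that are using the subpath feature before removing them, the following added example (not part of the original advisory and not Kubernetes or KLTS code) scans a pod list in the JSON shape produced by `kubectl get pods --all-namespaces -o json` and reports every container mount that sets `subPath` or `subPathExpr`. The function names and the sample pod list are constructed for illustration.

```python
import json
import sys

# PodSpec fields whose containers can carry volumeMounts.
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")
# volumeMount fields that select a sub-directory of the volume;
# subPathExpr is included because it expands to a subpath at runtime.
SUBPATH_FIELDS = ("subPath", "subPathExpr")

# Constructed sample input (not taken from a real cluster).
SAMPLE = {"items": [
    {"metadata": {"namespace": "team-a", "name": "web-0"},
     "spec": {
         "initContainers": [{"name": "init", "volumeMounts": [
             {"name": "data", "mountPath": "/seed", "subPath": "seed"}]}],
         "containers": [{"name": "app", "volumeMounts": [
             {"name": "data", "mountPath": "/var/lib/app"},
             {"name": "logs", "mountPath": "/logs",
              "subPathExpr": "$(POD_NAME)"}]}]}},
    {"metadata": {"namespace": "team-b", "name": "batch-1"},
     "spec": {"containers": [{"name": "job", "volumeMounts": [
         {"name": "scratch", "mountPath": "/tmp/work", "subPath": ""}]}]}},
]}


def find_subpath_mounts(pod_list):
    """Return (namespace, pod, container, volume, field, value) per subpath mount."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        for field in CONTAINER_FIELDS:
            for container in spec.get(field) or []:
                for mount in container.get("volumeMounts") or []:
                    for key in SUBPATH_FIELDS:
                        if mount.get(key):  # empty string means the volume root
                            findings.append((meta.get("namespace", "default"),
                                             meta.get("name"), container.get("name"),
                                             mount.get("name"), key, mount[key]))
    return findings


def affected_pods(pod_list):
    """Return the sorted, de-duplicated (namespace, pod) pairs to review."""
    return sorted({(ns, pod) for ns, pod, *_ in find_subpath_mounts(pod_list)})


if __name__ == "__main__":
    # Pass a saved pod list as the first argument, or run on the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for finding in find_subpath_mounts(data):
        print("{}/{} container={} volume={} {}={!r}".format(*finding))
```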
Fixed by official
Fixed by KLTS
- v1.18.20-lts.1 kubernetes/kubernetes#104253
- v1.17.17-lts.1 TODO
- v1.16.15-lts.1 TODO
- v1.15.12-lts.1 TODO
- v1.14.10-lts.1 TODO
- v1.13.12-lts.1 TODO
- v1.12.10-lts.1 TODO
- v1.11.10-lts.1 TODO
- v1.10.13-lts.1 TODO