A vulnerability has been found in kube-apiserver of Kubernetes that may allow node updates to bypass a validating admission webhook in some scenarios. This topic describes the kube-apiserver versions that are affected by this vulnerability, its impact, and how to fix or mitigate it.

The CVE-2021-25735 vulnerability is rated Medium, with a CVSS 3.0 base score of 6.5.

Affected versions

Only Kubernetes clusters that run a validating admission webhook for Node objects are affected, and only if that webhook decides whether to allow a node update based, at least in part, on the old state of the Node (the oldObject in the AdmissionReview request) rather than on the new object alone.

The following kube-apiserver versions are affected by this vulnerability:

  • kube-apiserver v1.20.0 to v1.20.5
  • kube-apiserver v1.19.0 to v1.19.9
  • kube-apiserver v1.18.17 and earlier

This vulnerability is fixed in the following kube-apiserver versions:

  • kube-apiserver v1.21.0
  • kube-apiserver v1.20.6
  • kube-apiserver v1.19.10
  • kube-apiserver v1.18.18

Impacts

Note
  • If your cluster uses the default settings and you have not added a validating admission webhook that matches Node updates, your cluster is not affected by this vulnerability.
  • The default NodeRestriction admission plug-in is not affected by this vulnerability; it does not rely on the webhook mechanism.

If your cluster runs a validating admission webhook for node updates and the webhook's decision depends on the original values of certain Node fields (that is, it compares the new object against the old one), an attacker who is already permitted to update Node objects can craft an update that bypasses the webhook's check and modify node properties the webhook was meant to protect.
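The following script is an added example for this topic; it is not part of the advisory, of Kubernetes, or of any Alibaba Cloud tooling. It combines the two conditions described above: it checks whether a kube-apiserver version string falls in the affected ranges listed under "Affected versions", and it scans ValidatingWebhookConfiguration objects for webhooks whose rules cover UPDATE operations on nodes (including the nodes/status subresource). The three webhook configurations are constructed for the example; in a real cluster, feed in the output of `kubectl get validatingwebhookconfigurations -o json`. Wildcard handling in the rule matcher follows the documented semantics of admission rules ('*' matches resources but not subresources, '*/*' matches both). Whether a matched webhook actually relies on oldObject must still be confirmed by reading its code, which the script cannot do.

```python
"""Added example: is this cluster exposed to CVE-2021-25735?

Exposed means BOTH an affected kube-apiserver build AND at least one
validating webhook that matches UPDATE on nodes. Sample data below is
constructed for the example, not taken from any real cluster.
"""
import json
import re

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str):
    """Turn 'v1.20.5' or '1.19.10-aliyun.1' into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised kube-apiserver version: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_is_affected(version: str) -> bool:
    """Affected ranges from the advisory: <= v1.18.17, v1.19.0-v1.19.9, v1.20.0-v1.20.5."""
    v = parse_version(version)
    if v <= (1, 18, 17):  # "v1.18.17 and earlier" covers every older minor release too
        return True
    return (1, 19, 0) <= v <= (1, 19, 9) or (1, 20, 0) <= v <= (1, 20, 5)


def _resource_matches(rule_resource: str, resource: str, subresource: str) -> bool:
    """Admission rule resource wildcards: '*' = any resource, no subresource;
    '*/*' = anything; 'nodes/*' = nodes and all of its subresources; 'nodes/status' exact."""
    if rule_resource == "*/*":
        return True
    parts = rule_resource.split("/", 1)
    if len(parts) == 1:
        return parts[0] in ("*", resource) and subresource == ""
    return parts[0] in ("*", resource) and parts[1] in ("*", subresource)


# Node lives in the core ("") API group; the kubelet writes status via nodes/status.
NODE_TARGETS = [("nodes", ""), ("nodes", "status")]


def webhooks_covering_node_updates(configs):
    """Return (configuration name, webhook name) pairs whose rules admit UPDATE on nodes."""
    hits = []
    for cfg in configs:
        for wh in cfg.get("webhooks", []):
            for rule in wh.get("rules", []):
                if not any(g in ("", "*") for g in rule.get("apiGroups", [])):
                    continue
                if not any(op in ("UPDATE", "*") for op in rule.get("operations", [])):
                    continue
                if any(_resource_matches(r, res, sub)
                       for r in rule.get("resources", []) for res, sub in NODE_TARGETS):
                    hits.append((cfg["metadata"]["name"], wh["name"]))
                    break  # one matching rule is enough for this webhook
    return hits


def load_configs(text: str):
    """Accept a kubectl 'List' (items), a single object, or a JSON array."""
    doc = json.loads(text)
    if isinstance(doc, dict):
        return doc["items"] if "items" in doc else [doc]
    return doc


def cluster_exposed(version: str, configs) -> bool:
    return version_is_affected(version) and bool(webhooks_covering_node_updates(configs))


# Constructed sample configurations (not from a real cluster).
SAMPLE_CONFIGS = [
    {   # guards node labels by comparing oldObject with object: the affected pattern
        "metadata": {"name": "node-label-guard"},
        "webhooks": [{"name": "nodes.example.com",
                      "rules": [{"apiGroups": [""], "apiVersions": ["v1"],
                                 "operations": ["UPDATE"], "resources": ["nodes"]}]}],
    },
    {   # only validates pods: out of scope for this CVE
        "metadata": {"name": "pod-policy"},
        "webhooks": [{"name": "pods.example.com",
                      "rules": [{"apiGroups": [""], "apiVersions": ["v1"],
                                 "operations": ["CREATE", "UPDATE"], "resources": ["pods"]}]}],
    },
    {   # catch-all webhook: silently covers nodes as well
        "metadata": {"name": "catch-all"},
        "webhooks": [{"name": "all.example.com",
                      "rules": [{"apiGroups": ["*"], "apiVersions": ["*"],
                                 "operations": ["*"], "resources": ["*/*"]}]}],
    },
]

if __name__ == "__main__":
    for v in ("v1.20.5", "v1.20.6", "v1.18.17", "v1.21.0"):
        print(v, "affected build" if version_is_affected(v) else "patched build")
    print("webhooks matching node updates:", webhooks_covering_node_updates(SAMPLE_CONFIGS))
    print("exposed:", cluster_exposed("v1.20.5", SAMPLE_CONFIGS))
```

Run it against real data with `kubectl get validatingwebhookconfigurations -o json` piped into `load_configs`, and take the server version from `kubectl version -o json` (the serverVersion.gitVersion field). A catch-all webhook, as in the third sample, is easy to forget when asking "do we validate nodes?", which is why the scan matches wildcards rather than looking for the literal string "nodes".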

Fixes

If such a validating admission webhook exists in your cluster, it cannot be relied on to protect Node objects until you upgrade the cluster to a patched version. Until then, reduce who can trigger the bypass at all: restrict the update and patch verbs on nodes (and on the nodes/status subresource) through role-based access control (RBAC) to the identities that genuinely need them, and grant everyone else read-only access. For more information, see Assign RBAC roles to a RAM user.
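The following script is an added example of the interim RBAC mitigation described above; it is not part of the advisory or of any Kubernetes or Alibaba Cloud tooling. It audits which subjects can update or patch Node objects by resolving ClusterRoleBindings against ClusterRoles, which is enough because Node is cluster-scoped and a namespaced RoleBinding cannot grant access to it. The roles, bindings and subject names are constructed for the example; in practice feed in `kubectl get clusterroles,clusterrolebindings -o json`. The node-reader role in the sample is the least-privilege shape the text recommends for identities that only need to observe nodes.

```python
"""Added example: who can update or patch Node objects via RBAC?

Tightening this set is the interim mitigation for CVE-2021-25735 until the
cluster runs a patched kube-apiserver. All objects below are constructed.
"""

NODE_WRITE_VERBS = {"update", "patch"}


def _rbac_resource_matches(rule_resource: str, resource: str, subresource: str) -> bool:
    """RBAC resource matching: '*' matches everything (subresources included),
    'nodes' matches only the main resource, 'nodes/status' and 'nodes/*' match subresources."""
    if rule_resource == "*":
        return True
    parts = rule_resource.split("/", 1)
    if len(parts) == 1:
        return parts[0] == resource and subresource == ""
    return parts[0] in ("*", resource) and parts[1] in ("*", subresource)


def role_grants_node_write(role: dict) -> bool:
    """True if any rule in the ClusterRole allows update/patch on nodes or nodes/status."""
    for rule in role.get("rules", []):
        if not any(g in ("", "*") for g in rule.get("apiGroups", [])):
            continue
        verbs = set(rule.get("verbs", []))
        if "*" not in verbs and not (verbs & NODE_WRITE_VERBS):
            continue
        if any(_rbac_resource_matches(r, "nodes", sub)
               for r in rule.get("resources", []) for sub in ("", "status")):
            return True
    return False


def subjects_able_to_write_nodes(roles, bindings):
    """Return sorted (subject kind, subject name, ClusterRole name) triples."""
    risky = {r["metadata"]["name"] for r in roles if role_grants_node_write(r)}
    found = set()
    for b in bindings:
        ref = b.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky:
            continue
        for s in b.get("subjects", []):
            found.add((s["kind"], s["name"], ref["name"]))
    return sorted(found)


# Constructed sample roles. node-reader is the least-privilege form: no write verbs.
SAMPLE_ROLES = [
    {"metadata": {"name": "node-admin"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"],
                "verbs": ["get", "list", "update", "patch"]}]},
    {"metadata": {"name": "node-reader"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "cluster-wide-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "status-writer"},
     "rules": [{"apiGroups": [""], "resources": ["nodes/status"], "verbs": ["patch"]}]},
]

# Constructed sample bindings.
SAMPLE_BINDINGS = [
    {"metadata": {"name": "ops-node-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "node-admin"},
     "subjects": [{"kind": "User", "name": "ops@example.com"}]},
    {"metadata": {"name": "monitoring-read"},
     "roleRef": {"kind": "ClusterRole", "name": "node-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "prometheus", "namespace": "monitoring"}]},
    {"metadata": {"name": "break-glass"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-wide-admin"},
     "subjects": [{"kind": "Group", "name": "sre-oncall"}]},
    {"metadata": {"name": "node-problem-detector"},
     "roleRef": {"kind": "ClusterRole", "name": "status-writer"},
     "subjects": [{"kind": "ServiceAccount", "name": "npd", "namespace": "kube-system"}]},
]

if __name__ == "__main__":
    for kind, name, role in subjects_able_to_write_nodes(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"{kind} {name} can write nodes through ClusterRole {role}")
```

Every subject the script prints can exercise the bypass against a vulnerable webhook, so each one should either be justified (the kubelet itself and controllers that legitimately patch node status) or moved to a read-only role such as node-reader until the upgrade is done. System-level bindings such as system:node will show up in real output; the NodeRestriction plug-in, not the webhook, is what constrains those.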