Alibaba Cloud has fixed vulnerability CVE-2018-18264 in Kubernetes Dashboard for Container Service for Kubernetes (ACK). This topic describes the Kubernetes Dashboard versions that are affected by the vulnerability and how to fix the vulnerability. The built-in Kubernetes Dashboard of ACK is managed by Alibaba Cloud and it is optimized for enhanced security, and therefore is not affected.

Background

Vulnerability CVE-2018-18264 was discovered by the Kubernetes community. When a user logs on to Kubernetes Dashboard 1.10 or earlier, authentication may be skipped and cluster credentials may be compromised.

Affected versions

ACK clusters in which Kubernetes Dashboard 1.10 or earlier (V1.7.0 to V1.10.0) is deployed as an independent service, logon to Kubernetes Dashboard is enabled, and custom certificates are used.

Fixes

  • If you do not need Kubernetes Dashboard as an independent service, run the following command to delete it from your cluster:
    kubectl --namespace kube-system delete deployment kubernetes-dashboard
  • If you need to keep Kubernetes Dashboard as an independent service, upgrade it to V1.10.1. For more information, see Upgrade Kubernetes Dashboard.
  • The Kubernetes Dashboard that is provided by ACK is managed by Alibaba Cloud and is optimized for enhanced security, and therefore is not affected. You can continue to use it in the ACK console.
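As an added example that is not part of this advisory, the following POSIX shell script checks whether the standalone kubernetes-dashboard deployment named above runs an image tag in the affected range (V1.7.0 to V1.10.0) and reports it as affected, not-affected, or unknown. The function names (image_tag, classify_dashboard_tag, check_cluster_dashboard) and the image references in its comments are assumptions constructed for the example; it only covers the version condition, so the logon and custom-certificate conditions still have to be checked separately.

```shell
#!/bin/sh
# Added example, not part of the Alibaba Cloud advisory: classify a
# Kubernetes Dashboard image tag against the CVE-2018-18264 range the
# advisory gives (V1.7.0 to V1.10.0; fixed in V1.10.1) and, on request,
# apply the check to the standalone deployment the advisory names.

# image_tag REF: print the tag of an image reference, "latest" if none
# (constructed reference: registry.example:5000/kubernetes-dashboard -> latest)
image_tag() {
    ref="${1%%@*}"                  # drop any @sha256:... digest
    tag="${ref##*:}"
    case "$tag" in
        "$ref"|*/*) tag=latest ;;   # no ":" at all, or ":" was a registry port
    esac
    printf '%s\n' "$tag"
}

# classify_dashboard_tag TAG: print affected | not-affected | unknown
classify_dashboard_tag() {
    v="${1#v}"
    case "$v" in
        ''|*[!0-9.]*) echo unknown; return ;;   # e.g. "latest": cannot judge
    esac
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs   # split major.minor.patch
    num=$(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
    if [ "$num" -ge 1007000 ] && [ "$num" -le 1010000 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# check_cluster_dashboard: read the deployment's container images via
# kubectl (needs cluster access) and classify each one
check_cluster_dashboard() {
    images=$(kubectl --namespace kube-system get deployment kubernetes-dashboard \
        -o jsonpath='{.spec.template.spec.containers[*].image}' 2>/dev/null) || {
        echo "no standalone kubernetes-dashboard deployment in kube-system"
        return 0
    }
    for image in $images; do
        printf '%s -> %s\n' "$image" "$(classify_dashboard_tag "$(image_tag "$image")")"
    done
}

# Run against the current kubeconfig context only when explicitly asked.
if [ "${1:-}" = "--check-cluster" ]; then
    check_cluster_dashboard
fi
```

Run it as `sh check_dashboard.sh --check-cluster` against a cluster; an output line ending in `affected` means the deployment should be deleted or upgraded as described above.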