The Kubernetes community has disclosed this security vulnerability. Unauthenticated attackers can send excessive container checkpoint requests to the kubelet read-only HTTP port, rapidly exhausting disk space and enabling denial-of-service (DoS) attacks against cluster nodes.
This vulnerability has been assessed as medium severity with a Common Vulnerability Scoring System (CVSS) score of 6.4. For more details, see #130016.
Affected scope
Clusters are affected only if both these conditions are met:
The kubelet read-only HTTP port is enabled.
The container runtime supports the container checkpoint feature. This includes configurations such as CRI-O v1.25.0+ with enable_criu_support set to true, or containerd v2.0+ with criu installed.
ACK clusters are not affected by default:
The checkpoint interface is unsupported in ACK's default node runtime configuration.
The kubelet read-only unauthenticated port is disabled by default.
Vulnerable versions
kubelet v1.32.0 - v1.32.1
kubelet v1.31.0 - v1.31.5
kubelet v1.30.0 - v1.30.9
Patched versions
kubelet master
kubelet v1.32.2
kubelet v1.31.6
kubelet v1.30.10
kubelet v1.29.14
Kubelet v1.25 to v1.29 have the container checkpoint interface disabled by default as an alpha feature and are not affected.
Detection
Signs of potential exploitation include:
A surge in requests to the /checkpoint interface on the kubelet read-only HTTP port.
A large number of checkpoint files in the default directory path /var/lib/kubelet/checkpoints on the node.
Mitigation
If your cluster uses non-default configurations for kubelet or runtimes, apply the following measures:
Continuously monitor disk usage on cluster nodes.
Disable the ContainerCheckpoint feature gate on nodes for kubelet.
Disable the kubelet read-only unauthenticated port.
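The following node-side check, added here as an example and not code from the advisory or from the Kubernetes project, ties the Detection and Mitigation points together: it reads readOnlyPort and the ContainerCheckpoint feature gate from a KubeletConfiguration file, counts files in the checkpoint directory, and reports a node as exposed only when both affected-scope conditions hold. The config files, checkpoint directory and file names are constructed sample inputs.

```shell
# Added example (not from the advisory or Kubernetes): audit a node for the
# two conditions that make it affected, from its KubeletConfiguration file
# and checkpoint directory. All paths and sample files below are constructed.
# readOnlyPort from the config file; absent means 0 (disabled) in the file,
# but the --read-only-port flag has its own default, so check flags too.
read_only_port() {
  p=$(sed -n 's/^readOnlyPort:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1")
  echo "${p:-0}"
}

# ContainerCheckpoint feature-gate value under featureGates: true/false/unset.
checkpoint_gate() {
  g=$(sed -n 's/^[[:space:]]\{1,\}ContainerCheckpoint:[[:space:]]*\([a-z]*\).*/\1/p' "$1")
  echo "${g:-unset}"
}

# Number of checkpoint archives already on disk (0 if the directory is absent).
count_checkpoints() {
  [ -d "$1" ] || { echo 0; return; }
  find "$1" -type f | wc -l | tr -d ' '
}

# EXPOSED only when the unauthenticated port is open AND the gate is on;
# the checkpoint count is reported either way for disk-usage monitoring.
assess_node() {
  port=$(read_only_port "$1"); gate=$(checkpoint_gate "$1"); n=$(count_checkpoints "$2")
  if [ "$port" != "0" ] && [ "$gate" = "true" ]; then
    echo "EXPOSED port=$port checkpoints=$n"
  else
    echo "OK port=$port gate=$gate checkpoints=$n"
  fi
}

# --- constructed sample inputs, not real node files ---
WORK=$(mktemp -d)
cat > "$WORK/vulnerable.yaml" <<'EOF'
readOnlyPort: 10255
featureGates:
  ContainerCheckpoint: true
EOF
cat > "$WORK/hardened.yaml" <<'EOF'
readOnlyPort: 0
featureGates:
  ContainerCheckpoint: false
EOF
mkdir -p "$WORK/checkpoints"
for i in 1 2 3; do : > "$WORK/checkpoints/checkpoint-pod-ctr-$i.tar"; done
assess_node "$WORK/vulnerable.yaml" "$WORK/checkpoints"  # EXPOSED port=10255 checkpoints=3
assess_node "$WORK/hardened.yaml" "$WORK/checkpoints"    # OK port=0 gate=false checkpoints=3
```

On a real node, point the first argument at the kubelet's actual config file and the second at /var/lib/kubelet/checkpoints, and treat a rising checkpoint count as the disk-usage signal the Detection section describes.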