IBM Cloud Private Version 2.1.0.3 hyperkube patch - Readme file

Readme file for: IBM Cloud Private Version 2.1.0.3 hyperkube patch

Product Release: 2.1.0.3

Publication date: December 7, 2018

Last modified date: December 21, 2018

Contents

  1. Overview
  2. Preparing your cluster for the patch
  3. Applying the patch
  4. Validating the patch
  5. Rolling back the patch
  6. List of files
  7. Copyright and trademark information

Overview

This patch fixes the Kubernetes kube-apiserver proxy vulnerability (CVE-2018-1002105). When a proxied upgrade request, for example exec, attach or port-forward, to a backend such as a kubelet or an aggregated API server failed, the API server left the backend TCP connection open, and the requester could send further requests over that connection authenticated with the API server's own credentials rather than its own. The fix is part of Kubernetes v1.10.11, which this patch delivers in the hyperkube image. For full details, see the Kubernetes kube-apiserver vulnerability issue.

This patch supports the Linux® 64-bit and Linux® on Power® (ppc64le) platforms and operating systems that are supported by IBM Cloud Private.

Preparing your cluster for the patch

Make sure the /tmp directory on all master nodes has at least 4 GB of free space and is not mounted noexec: the patch extracts and runs files from /tmp, so it needs execute permission there.

Applying the patch

For environments that have a running IBM Cloud Private cluster, complete the following steps:

  1. On your boot node, download the patch file to your home directory.
  2. Add the executable permission by running the following command:
    chmod +x ~/k8s-hyperkube-2.1.0.3-20181207-18594.patch
    
  3. Load the patch image by running the following command:
    PATCH_PRELOAD=true ./k8s-hyperkube-2.1.0.3-20181207-18594.patch
    
  4. Locate your installation cluster directory and create a directory by running the following commands:

    cd /<installation_directory>/cluster
    mkdir -p patches/master
    
  5. Move the patch to the patches/master directory:

    mv ~/k8s-hyperkube-2.1.0.3-20181207-18594.patch patches/master
    
  6. Disable anonymous user access on all master nodes. The patch removes the flaw itself; turning off anonymous authentication additionally removes the unauthenticated path to the API server's proxy handling. Repeat the following sub-steps on every master node.

    1. Copy the master.json file to the home directory by running the following command:
      cp /etc/cfc/pods/master.json ~/
      
    2. In the copy in your home directory, add "--anonymous-auth=false" as a new element of the apiserver container's command array. The file is JSON, so keep the quoting and the trailing comma on every element except the last. For example:

      "name": "apiserver",
      "imagePullPolicy": "IfNotPresent",
      "command": [
        "/hyperkube",
        "apiserver",
        "--secure-port=8001",
        "--bind-address=0.0.0.0",
        "--anonymous-auth=false",
      
    3. Copy the master.json file back to the pods directory by running the following command. The kubelet watches this static pod directory and restarts the apiserver container with the new flag; do not leave backups or scratch copies in /etc/cfc/pods/, because every file there is treated as a pod manifest.
      cp ~/master.json /etc/cfc/pods/
      
  7. Apply the patch by running the applicable command from the /<installation_directory>/cluster directory (the command mounts the current directory into the installer container):

    For Linux® 64-bit:

    sudo docker run -e LICENSE=accept --net=host --rm -t -v "$(pwd)":/installer/cluster ibmcom/icp-inception-amd64:3.1.1-ee patch
    

    For Linux® on Power® (ppc64le):

    sudo docker run -e LICENSE=accept --net=host --rm -t -v "$(pwd)":/installer/cluster ibmcom/icp-inception-ppc64le:3.1.1-ee patch
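Step 6 is the one place in this procedure where a hand edit to a JSON file decides whether the mitigation is in effect, so it is worth scripting. The following is an added example, not part of the IBM readme or of IBM's patch tooling: it edits the working copy of master.json in the home directory, adds the flag exactly once (flipping an existing --anonymous-auth=true rather than duplicating it), confirms the file still parses as JSON, and leaves copying the file back to /etc/cfc/pods/ to the operator. It assumes GNU sed (Linux), and that, as in the readme's excerpt, the "apiserver" subcommand sits on its own line in the command array; python3 is used for the JSON check only when present. The sample manifest inside the script is constructed for demonstration and is not a real cluster file.

```shell
#!/bin/sh
# Added example (not from the IBM readme): make the working copy of the kube-apiserver
# static pod manifest carry --anonymous-auth=false, then verify the edit before the
# operator copies the file back to /etc/cfc/pods/.
#
# Never create backups or scratch files inside /etc/cfc/pods/: the kubelet treats every
# file in a static pod directory as a manifest, so a master.json.bak there would be
# loaded as a second pod. Work on the copy in $HOME, as the readme does.

# add_anonymous_auth_flag <working-copy>: ensure "--anonymous-auth=false" appears in the
# apiserver command array exactly once; returns 0 when it does, 1 otherwise.
add_anonymous_auth_flag() {
  manifest="$1"
  if grep -q -- '"--anonymous-auth=true"' "$manifest"; then
    # Flag already present but permissive: flip it instead of adding a duplicate
    # (kube-apiserver would otherwise take whichever occurrence it parses last).
    sed -i 's/"--anonymous-auth=true"/"--anonymous-auth=false"/' "$manifest"
  elif ! grep -q -- '"--anonymous-auth=false"' "$manifest"; then
    # Insert a new element right after the line holding only the "apiserver"
    # subcommand, reusing its indentation (\1). The "name": "apiserver" line has a
    # key before the value and so is not matched. \n in the replacement is GNU sed.
    sed -i 's/^\([[:space:]]*\)"apiserver",[[:space:]]*$/&\n\1"--anonymous-auth=false",/' "$manifest"
  fi
  [ "$(grep -c -- '"--anonymous-auth=false"' "$manifest")" -eq 1 ] || return 1
  # The file must still parse as JSON or the kubelet rejects the pod. python3 is not
  # something the readme requires, so the check is skipped when it is absent.
  if command -v python3 >/dev/null 2>&1; then
    python3 -m json.tool "$manifest" >/dev/null || return 1
  fi
  return 0
}

# make_sample_manifest <path>: write a constructed excerpt in the shape of master.json
# (sample data for exercising the function above; not a real cluster file).
make_sample_manifest() {
  cat > "$1" <<'EOF'
{
  "spec": {
    "containers": [
      {
        "name": "apiserver",
        "imagePullPolicy": "IfNotPresent",
        "command": [
          "/hyperkube",
          "apiserver",
          "--secure-port=8001",
          "--bind-address=0.0.0.0"
        ]
      }
    ]
  }
}
EOF
}

# Stand-alone demonstration on the sample: ./anon-auth.sh demo
# On a real master you would run: add_anonymous_auth_flag ~/master.json
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp)
  make_sample_manifest "$work"
  add_anonymous_auth_flag "$work" && grep -n 'anonymous-auth' "$work"
  rm -f "$work"
fi
```

The function is idempotent, so it can be rerun safely on every master node, and its exit status is the signal to act on: a non-zero return means the flag is missing, duplicated, or the file no longer parses, and the copy must not be moved back into /etc/cfc/pods/.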
    

Validating the patch

  1. Verify that the Kubernetes API server is running the patched version. Obtain an ID_TOKEN as described in Preparing to run API commands, then query the version endpoint:

    curl -k -H "Authorization: Bearer $ID_TOKEN" https://<ICP_MASTER_IP>:8001/version | grep "gitVersion"
    

    The output should show: "gitVersion": "v1.10.11+icp-ee". An older gitVersion means the patch did not take effect on that master.

  2. Verify that anonymous authentication is disabled on the Kubernetes API server by sending an unauthenticated request and printing only the HTTP status code:

    curl -k -s -o /dev/null -w "%{http_code}\n" https://<ICP_MASTER_IP>:8001/version
    

    If anonymous access is disabled, the following result is returned: 401

    If anonymous access is enabled, the following result is returned: 200 (or 403, which means the request was accepted as the anonymous user and only RBAC denied it; anonymous authentication is still on in that case)

    Repeat both checks against every master node, since each master runs its own API server from its own master.json.

Rolling back the patch

For environments that have a running IBM Cloud Private cluster, run the applicable command from the /<installation_directory>/cluster directory. Note that this removes only the hyperkube patch; the anonymous-auth=false setting in master.json stays in place until you edit the file again.

For Linux® 64-bit:

sudo docker run -e LICENSE=accept --net=host --rm -t -v "$(pwd)":/installer/cluster ibmcom/icp-inception-amd64:3.1.1-ee unpatch

For Linux® on Power® (ppc64le):

sudo docker run -e LICENSE=accept --net=host --rm -t -v "$(pwd)":/installer/cluster ibmcom/icp-inception-ppc64le:3.1.1-ee unpatch

List of files

Table 1. List of IBM Cloud Private version 2.1.0.3 patch files

Description                                                  File name                                      File extension
IBM Cloud Private 2.1.0.3 patch                              k8s-hyperkube-2.1.0.3-20181207-18594           .patch
IBM Cloud Private Version 2.1.0.3 hyperkube patch - Readme   icp-hyperkube-2.1.0.3-20181207-18594-readme    .html

© Copyright IBM Corporation 2018

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.