Allele Security Alert
Secret content disclosure in metrics
Vendor: Cloud Native Computing Foundation
Affected versions: Kubernetes kube-state-metrics versions v1.7.0 and v1.7.1
Fixed versions: Kubernetes kube-state-metrics version v1.7.2
Proof of concept
An experimental feature added in the v1.7.0 release exposes object annotations as metrics. By default, kube-state-metrics only exposes metadata about Secrets, not their contents. However, the combination of the default `kubectl` behavior and this new feature can cause the entire Secret content to end up in metric labels, inadvertently exposing the Secret content to anyone who can scrape the metrics endpoint.
If you are unable to upgrade to the latest version of kube-state-metrics, you can filter out all of the annotation metrics by passing the following flag to
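The following scanner is an added example, not code from this advisory or from the kube-state-metrics project. It shows how a defender can check a kube-state-metrics scrape for the leak described above: it parses the Prometheus text format, looks at every `kube_*_annotations` sample, and reports any annotation label whose value is a serialized Secret with `data` or `stringData` keys. Two points are assumptions rather than statements of the advisory: that kube-state-metrics names these metrics `kube_<kind>_annotations` with one `annotation_<sanitized key>` label per annotation, and that the "default `kubectl` behavior" is `kubectl apply` recording the full object in the `kubectl.kubernetes.io/last-applied-configuration` annotation. The sample scrape is constructed for the example; only key names, never values, are reported.

```python
"""Detect Secret content leaked through kube_*_annotations metrics.

Added example, not from the advisory or kube-state-metrics. Assumes:
  * metrics are named kube_<kind>_annotations, one label per annotation,
    named annotation_<key with non-alphanumerics replaced by '_'>;
  * `kubectl apply` stores the whole object, Secret data included, in
    the kubectl.kubernetes.io/last-applied-configuration annotation.
"""
import json
import re

# Constructed sample scrape: one Secret created with `kubectl apply` (so its
# annotation carries the full object), one Secret with a harmless annotation,
# and a ConfigMap whose last-applied annotation is not sensitive.
SAMPLE_SCRAPE = r'''
# HELP kube_secret_info Information about secret.
kube_secret_info{namespace="prod",secret="db-creds"} 1
kube_secret_annotations{namespace="prod",secret="db-creds",annotation_kubectl_kubernetes_io_last_applied_configuration="{\"apiVersion\":\"v1\",\"data\":{\"password\":\"c3VwZXJzZWNyZXQ=\"},\"kind\":\"Secret\",\"metadata\":{\"name\":\"db-creds\",\"namespace\":\"prod\"}}"} 1
kube_secret_annotations{namespace="prod",secret="tls-cert",annotation_owner="platform-team"} 1
kube_configmap_annotations{namespace="prod",configmap="app-config",annotation_kubectl_kubernetes_io_last_applied_configuration="{\"apiVersion\":\"v1\",\"kind\":\"ConfigMap\",\"data\":{\"LOG_LEVEL\":\"info\"}}"} 1
'''

# Prometheus text exposition: name{labels} value  (timestamp ignored here)
SAMPLE_RE = re.compile(r'^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{(.*)\})?\s+(\S+)\s*$')
# label="value" where the value may contain \" \\ and \n escapes
LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')
ANNOTATION_METRIC = re.compile(r'^kube_([a-z]+)_annotations$')


def unescape(value):
    """Undo the three escapes the Prometheus text format defines."""
    out, i = [], 0
    while i < len(value):
        if value[i] == '\\' and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({'n': '\n', '"': '"', '\\': '\\'}.get(nxt, '\\' + nxt))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return ''.join(out)


def parse_samples(text):
    """Yield (metric name, labels dict, raw value) for each sample line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = SAMPLE_RE.match(line)
        if not m:
            continue
        name, labels, value = m.groups()
        yield name, {k: unescape(v) for k, v in LABEL_RE.findall(labels or '')}, value


def find_leaked_secrets(scrape_text):
    """Return one finding per annotation label that embeds a Secret with data."""
    findings = []
    for name, labels, _ in parse_samples(scrape_text):
        m = ANNOTATION_METRIC.match(name)
        if not m:
            continue
        kind = m.group(1)  # e.g. "secret"; the object name is in a label of that name
        for label, value in labels.items():
            if not label.startswith('annotation_'):
                continue
            try:
                obj = json.loads(value)
            except ValueError:
                continue  # ordinary annotation value, not a serialized object
            if not isinstance(obj, dict) or obj.get('kind') != 'Secret':
                continue
            keys = sorted(set(obj.get('data', {})) | set(obj.get('stringData', {})))
            if keys:
                findings.append({
                    'metric': name,
                    'namespace': labels.get('namespace', ''),
                    'object': labels.get(kind, ''),
                    'label': label,
                    'keys': keys,  # key names only; values are never echoed
                })
    return findings


if __name__ == '__main__':
    for f in find_leaked_secrets(SAMPLE_SCRAPE):
        print(f"{f['metric']}: {f['namespace']}/{f['object']} leaks Secret keys "
              f"{f['keys']} via label {f['label']}")
```

Run it against a saved scrape (`curl http://<kube-state-metrics>:8080/metrics > scrape.txt`, then pass the file contents to `find_leaked_secrets`) on an affected version to confirm whether any Secret in the cluster was written with `kubectl apply`; on v1.7.2 and later, or with the annotation metrics filtered out, the scanner should return no findings.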
[ANNOUNCE] Security release of kube-state-metrics v1.7.2
coreos / kube-state-metrics
Release v1.7.2 / 2019-08-05 · kubernetes/kube-state-metrics
add kube_*_annotations metrics for all objects
Revert “add kube_*_annotations metrics for all objects”
Remove kube_namespace_annotations metric
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: October 23, 2019