<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=521127644762074&amp;ev=PageView&amp;noscript=1">

Kubernetes CVE, Symlink Exchange: Identify Containers Running as Root

Symlink Exchange Can Allow Host Filesystem Access

A high severity security issue (CVE-2021-25741) was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files and directories outside of the volume, including on the host filesystem.

While this vulnerability is rated a High Severity, it requires pre-existing permissions and access to exploit. As stated in the CVE, preventing containers from running as root will reduce the impact of successful implementation of the CVE.

The issue affects the kubelet in the following Kubernetes versions:

<=v1.19.14 

v1.22.0-v1.22.1 

v1.21.0-v1.21.4 

v1.20.0-v1.20.10

If you want to mitigate the issue without updating to a patched version of Kubernetes, there are mitigation steps in the originating Github issue.

How to identify if Kubernetes containers are running as root

Users should follow the mitigation steps. In addition, it’s important to identify containers running as root as it’s not just a problem for this CVE. 

If you have one or two clusters, you can use Polaris, an open source tool by Fairwinds. This will help you identify if you have any containers running at root so you can make the right fixes. 

If you have multiple clusters with many containers, this is where it gets more complicated. A manual audit is going to take time. Using Fairwinds Insights, you can check multiple clusters across multiple teams with a dashboard view into what containers are running as root. It includes remediation advice so your team can make those changes quickly. By continuously scanning those clusters, you’ll be able to see when the fix was made. 

Start a Fairwinds Insights Trial