PT-2019-12211 · Kubernetes · Kubelet

Sherbang · Published 2019-08-28 · Updated 2025-08-08 · CVE-2019-11245

CVSS v3.1: 7.8 High

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

kubelet versions 1.13.6 through 1.14.2

Description

Containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If a pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. However, if the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0.

Recommendations

For kubelet versions 1.13.6 through 1.14.2, consider specifying mustRunAsNonRoot: true for pods to prevent them from running as root. As a temporary workaround, ensure that all pods specify an explicit runAsUser to avoid running containers as uid 0. Restrict access to containers that do not specify mustRunAsNonRoot: true to minimize the risk of exploitation.
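
An added example (not part of the advisory or of the Kubernetes project's code): a Python audit over `kubectl get pods -A -o json` output that lists containers with no explicit runAsUser and marks whether a non-root requirement would make the kubelet refuse a root start. It assumes the pod-spec field names `securityContext.runAsUser` and `securityContext.runAsNonRoot` (the setting the advisory calls mustRunAsNonRoot); the sample input, function names and status labels are constructed for illustration.

```python
import json

# Constructed sample shaped like `kubectl get pods -A -o json` output; not real cluster data.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "web", "name": "no-context"},
  "spec": {"containers": [{"name": "app"}]}},
 {"metadata": {"namespace": "web", "name": "nonroot-only"},
  "spec": {"securityContext": {"runAsNonRoot": true},
           "containers": [{"name": "app"}]}},
 {"metadata": {"namespace": "web", "name": "mixed"},
  "spec": {"containers": [
     {"name": "app", "securityContext": {"runAsUser": 1000}},
     {"name": "sidecar"}]}},
 {"metadata": {"namespace": "web", "name": "pod-level-uid"},
  "spec": {"securityContext": {"runAsUser": 1000},
           "initContainers": [{"name": "init"}],
           "containers": [{"name": "app"}]}}
]}
""")


def effective(pod_sc, ctr_sc, key):
    """Container-level securityContext overrides the pod-level value."""
    value = ctr_sc.get(key)
    return pod_sc.get(key) if value is None else value


def audit(pod_list):
    """Return (namespace, pod, container, status) for containers with no explicit runAsUser."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        pod_sc = spec.get("securityContext") or {}
        for ctr in (spec.get("initContainers") or []) + (spec.get("containers") or []):
            ctr_sc = ctr.get("securityContext") or {}
            if effective(pod_sc, ctr_sc, "runAsUser") is not None:
                continue  # explicit uid set: the advisory's workaround is in place
            # With runAsNonRoot the kubelet refuses to start the container as root;
            # without it, an affected kubelet runs the container as uid 0.
            guarded = effective(pod_sc, ctr_sc, "runAsNonRoot") is True
            findings.append((meta.get("namespace", "default"), meta.get("name"),
                             ctr.get("name"), "REFUSED_AS_ROOT" if guarded else "EXPOSED"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Containers reported as EXPOSED are the ones the workaround applies to; REFUSED_AS_ROOT containers will fail to start on an affected kubelet instead of running as uid 0.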

Exploit

Fix

Incorrect Privilege Assignment

Weakness Enumeration

Related Identifiers

CVE-2019-11245
GHSA-R76G-G87F-VW8F
GO-2024-2780
OPENSUSE-SU-2025:15424-1

Affected Products

Kubelet