A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. In this case the Validating Admission Webhook does not observe some of the previous fields.
The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Kubernetes | Kubernetes | * | 1.18.18 (excluding) |
Kubernetes | Kubernetes | 1.19.0 (including) | 1.19.10 (excluding) |
Kubernetes | Kubernetes | 1.20.0 (including) | 1.20.6 (excluding) |
Red Hat OpenShift Container Platform 4.8 | RedHat | openshift-0:4.8.0-202107161820.p0.git.051ac4f.assembly.stream.el8 | * |
Kubernetes | Ubuntu | groovy | * |
Kubernetes | Ubuntu | hirsute | * |
Kubernetes | Ubuntu | impish | * |
Kubernetes | Ubuntu | kinetic | * |
Kubernetes | Ubuntu | lunar | * |
Kubernetes | Ubuntu | mantic | * |
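
The following is an added example, not part of the original advisory or of Kubernetes itself: it checks a kube-apiserver version string against the three upstream Kubernetes ranges in the table above. The function name `assess` and the sample version strings are constructed for illustration; builds with a vendor or build suffix are reported as `unknown-build`, on the assumption that the upstream ranges do not describe vendor backports.

```python
import re

# Upstream ranges from the table above: (first version or None for "*", fixed version).
AFFECTED_RANGES = [
    (None, (1, 18, 18)),
    ((1, 19, 0), (1, 19, 10)),
    ((1, 20, 0), (1, 20, 6)),
]

# vMAJOR.MINOR.PATCH, an optional upstream pre-release tag, then anything else.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-(?:alpha|beta|rc)\.\d+)?(.*)$")


def assess(git_version):
    """Classify a kube-apiserver gitVersion string against the upstream ranges.

    Returns "affected", "not-affected", or "unknown-build" for strings with a
    vendor or build suffix (e.g. "-gke.1800", "+k3s1"), which may carry
    backported fixes and need the vendor's own advisory.
    """
    m = _VERSION_RE.match(git_version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {git_version!r}")
    core = tuple(int(part) for part in m.group(1, 2, 3))
    prerelease, rest = m.group(4), m.group(5)
    if rest:
        return "unknown-build"
    for first, fixed in AFFECTED_RANGES:
        # Assumption: pre-releases of a range's first version count as in range.
        in_lower = first is None or core >= first
        # A pre-release of the fixed version (1.20.6-rc.0) sorts before it.
        in_upper = core < fixed or (core == fixed and prerelease is not None)
        if in_lower and in_upper:
            return "affected"
    return "not-affected"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real cluster.
    for sample in ["v1.18.17", "v1.19.10", "v1.20.6-rc.0", "v1.19.9-gke.1800"]:
        print(sample, "->", assess(sample))
```

A version in an affected range only matters if the cluster also runs a Validating Admission Webhook for Nodes that relies on the old state of the Node object, as described above.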