Because of a regression in Kubernetes and the security fixes that shipped in Kubernetes 1.8.9 and 1.9.4, we recommend that all users upgrade to the following Kubernetes versions:
For Rancher v1.6.14, which is our current stable release, Kubernetes 1.8.10 is now available.
For Rancher v1.6.15, which is our current beta release, Kubernetes 1.9.5 is now available.
Security Vulnerabilities addressed as of Kubernetes v1.8.9 and Kubernetes v1.9.4:
CVE-2017-1002101 allows a container that uses a subPath volume mount, with any volume type, to access files outside the volume. In practice this means that if you rely on PodSecurityPolicy to block hostPath volumes, an attacker who can create or update pods can still reach arbitrary paths on the host filesystem through a subPath on some other volume type.
CVE-2017-1002102 allows a container using certain volume types (secret, configMap, projected, or downwardAPI volumes) to delete files outside the volume. If a container using one of these volume types is compromised, or if untrusted users are allowed to create pods, an attacker can use that container to delete arbitrary files on the host.
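Both CVEs above share a root cause that the upstream fixes address: the kubelet resolved paths inside a container-writable volume while following symlinks, so a symlink planted by the container could point the kubelet at the host filesystem, once when setting up a subPath mount and once when cleaning up volume contents. The Python script below is an illustration added to this page; it is not kubelet code and does not reproduce the actual exploit. It builds a constructed layout in a temporary directory (a volume containing a symlink to a directory outside it), shows the naive join and naive walk escaping the volume, and shows the containment check and no-follow teardown that prevent it. All function names are illustrative, and the script assumes a POSIX host where the current user can create symlinks.

```python
import os
import tempfile


def make_layout(base):
    """Constructed layout for the demo (not real kubelet state):
    base/outside/secret.txt  -- a host file the container must never reach
    base/volume/ok.txt       -- legitimate volume content
    base/volume/escape       -- symlink "planted by the container", pointing at base/outside
    """
    outside = os.path.join(base, "outside")
    volume = os.path.join(base, "volume")
    os.makedirs(outside)
    os.makedirs(volume)
    with open(os.path.join(outside, "secret.txt"), "w") as f:
        f.write("host-only data\n")
    with open(os.path.join(volume, "ok.txt"), "w") as f:
        f.write("volume data\n")
    os.symlink(outside, os.path.join(volume, "escape"))
    return outside, volume


def naive_subpath(volume_root, subpath):
    """Vulnerable pattern (CVE-2017-1002101 class): join the subPath onto the
    volume and use whatever the symlinks resolve to, wherever that is."""
    return os.path.realpath(os.path.join(volume_root, subpath))


def contained_subpath(volume_root, subpath):
    """Hardened pattern: resolve symlinks first, then refuse any result that is
    not underneath the volume root."""
    root = os.path.realpath(volume_root)
    resolved = os.path.realpath(os.path.join(root, subpath))
    if os.path.commonpath([root, resolved]) != root:
        raise PermissionError(f"subPath {subpath!r} resolves outside {root}")
    return resolved


def naive_remove_files(volume_root):
    """Vulnerable pattern (CVE-2017-1002102 class): tear the volume down by walking
    it with symlinks followed. A symlinked directory turns this into deletion of
    files outside the volume. Returns the real paths that were unlinked."""
    deleted = []
    for dirpath, _, filenames in os.walk(volume_root, followlinks=True):
        for name in filenames:
            p = os.path.join(dirpath, name)
            deleted.append(os.path.realpath(p))
            os.unlink(p)
    return deleted


def safe_remove_files(volume_root):
    """Hardened pattern: never descend through symlinks, and unlink a symlink
    itself rather than touching its target. Returns the paths unlinked."""
    deleted = []
    for dirpath, dirnames, filenames in os.walk(volume_root, topdown=False, followlinks=False):
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for name in filenames + links:
            p = os.path.join(dirpath, name)
            deleted.append(p)
            os.unlink(p)
    return deleted


def demo():
    """Run both vulnerable/hardened pairs against the constructed layout and
    return a summary of what each one did."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        outside, volume = make_layout(base)
        secret = os.path.realpath(os.path.join(outside, "secret.txt"))
        # subPath resolution: naive join lands on the host file, hardened check refuses it
        results["naive_escapes"] = naive_subpath(volume, "escape/secret.txt") == secret
        try:
            contained_subpath(volume, "escape/secret.txt")
            results["hardened_blocks"] = False
        except PermissionError:
            results["hardened_blocks"] = True
        ok = os.path.realpath(os.path.join(volume, "ok.txt"))
        results["hardened_allows_ok"] = contained_subpath(volume, "ok.txt") == ok
        # volume teardown: the no-follow walk removes the symlink, not its target
        safe_remove_files(volume)
        results["safe_keeps_secret"] = os.path.exists(secret)
    with tempfile.TemporaryDirectory() as base:
        outside, volume = make_layout(base)
        secret = os.path.realpath(os.path.join(outside, "secret.txt"))
        # the symlink-following walk deletes the file outside the volume
        naive_remove_files(volume)
        results["naive_deletes_secret"] = not os.path.exists(secret)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The containment check is the important part for any code that maps a user-controlled path onto a directory it is supposed to stay inside: resolve the path fully, then compare the resolved result against the resolved root, rather than inspecting the unresolved string for `..` components. The teardown variant makes the same point for deletion: unlink the link, never what it points to.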
Rancher is also securing the kubelet port (10250) by disabling anonymous access and requiring a valid client certificate. This is the port used for API-server-to-kubelet communication, and leaving it exposed with anonymous access enabled gives anyone who can reach it unauthenticated access to the kubelet API on your compute node. After the change, an unauthenticated request to https://<node>:10250/pods should be rejected with 401 Unauthorized instead of returning the node's pod list. Upgrading to the latest Kubernetes version resolves this issue. If you have not already done so, the Rancher Docs site also has instructions for securing the kubelet in an existing cluster without upgrading your environment.