Google Cloud Updates on December 20, 2021

Google Kubernetes Engine

Changed

For GKE versions 1.21 and later, newly created clusters will have the DenyServiceExternalIPs admission controller enabled by default, disabling the use of ExternalIPs Services.

For existing clusters, when you upgrade the cluster to GKE version 1.21 or later, the DenyServiceExternalIPs admission controller will not be enabled. Since ExternalIPs Services are not widely used, we recommend manually auditing any external IP usage. You can choose to block ExternalIPs by using the following command:

gcloud container clusters update --no-enable-service-externalips

For more information, refer to Hardening your cluster’s security.

Fixed

A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs.

This issue is fixed in the following GKE versions:

  • 1.22.3-gke.1100 or above
  • 1.21.6-gke.700 or above
  • 1.20.12-gke.700 or above
  • 1.19.16-gke.700 or above

For more information about the CVE, refer to CVE-2021-41103