Securing IBM Cloud Container Services

By Ralph Bateman, IBM (Original post here) 


What’s happening

We’re taking action to secure our IBM Cloud Container Service against the recent Spectre and Meltdown security vulnerabilities.
We’ve been working closely with our vendors and IBM Cloud Infrastructure teams concerning the security vulnerability announced on January 3, 2018. This vulnerability has the potential to allow those with malicious intent to gather sensitive data from computing devices. Intel believes these exploits do not have the potential to corrupt, modify, or delete data.


What’s been done

The hypervisors have already been patched (see IBM Cloud Infrastructure Blog). Now, the kernel for all VMs that run Kubernetes worker nodes must be updated.

We have updated the cloud image that is used to create IBM Cloud Container Service standard clusters. The update includes the vulnerability mitigation updates as recommended by Ubuntu (see Ubuntu Spectre and Meltdown).


How do I mitigate the issue

As a consumer of the service, you should take action to mitigate the issue in your worker nodes. You can choose between the following options:
  • Reload: Reload the configuration files of your Kubernetes cluster worker nodes. To reload, run bx cs worker-reload <my_cluster> <worker_node1> <worker_node2>.
  • Update: Update the version of your Kubernetes cluster worker nodes. This might require that you update your deployment YAML files. See the release notes for more details. To update, run bx cs worker-update <my_cluster> <worker_node1> <worker_node2>.

When you reload or update your worker nodes, they reboot and install the new image. After the worker nodes reload or update, verify that your Kubernetes pods are recreated on the worker nodes.

Lite clusters will be patched beginning Monday 15th January by the IBM Cloud Container Service SRE automation.


How to check my version

You can check the version of your workers using the “bx cs workers <my_clusterid>” command.

Your cluster should be one of the following versions:

  • 1.5.6_1506
  • 1.7.4_1506
  • 1.8.6_1504
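
The version check above can be scripted across a whole cluster. The following is an added example, not part of the original post or of IBM's tooling; it assumes each worker row printed by bx cs workers starts with the worker ID and contains a version token of the form shown in the list, and the sample output, worker names and non-listed versions in it are constructed.

```shell
#!/bin/sh
# Added example: list worker nodes whose version is not one of the
# versions named in this advisory.

# Versions taken from the list in this advisory.
PATCHED_VERSIONS="1.5.6_1506 1.7.4_1506 1.8.6_1504"

# Reads "bx cs workers <my_clusterid>" output on stdin and prints
# "<worker_id> <version>" for every worker not on a listed version.
# Assumption: a worker row begins with the worker ID and carries a
# token shaped like MAJOR.MINOR.PATCH_BUILD; rows without such a token
# (status lines, column headers) are ignored.
unpatched_workers() {
    awk -v patched="$PATCHED_VERSIONS" '
        BEGIN {
            n = split(patched, p, " ")
            for (i = 1; i <= n; i++) ok[p[i]] = 1
        }
        {
            ver = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+_[0-9]+$/) ver = $i
            # Exact match against the advisory list only; anything else
            # is reported for manual review.
            if (ver != "" && !(ver in ok)) print $1, ver
        }'
}

# Constructed sample output (hypothetical worker IDs, documentation-range
# IPs, placeholder machine type) so the check can be tried offline.
sample_workers_output() {
    cat <<'EOF'
OK
ID                Public IP      Private IP   Machine Type   State    Status   Version
kube-example-w1   203.0.113.10   10.0.0.11    example.type   normal   Ready    1.8.6_1504
kube-example-w2   203.0.113.11   10.0.0.12    example.type   normal   Ready    1.8.4_1503
kube-example-w3   203.0.113.12   10.0.0.13    example.type   normal   Ready    1.7.4_1506
kube-example-w4   203.0.113.13   10.0.0.14    example.type   normal   Ready    1.7.4_1503
EOF
}

# Real use: bx cs workers <my_clusterid> | unpatched_workers
sample_workers_output | unpatched_workers
```

Workers reported by the function are candidates for the reload or update step described earlier.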