A new Kubernetes security vulnerability was recently announced, along with patch releases for the issue for Kubernetes versions 1.13, 1.14, and 1.15. CVE-2019-11247 discloses a serious vulnerability in the K8s API that could allow users to read, modify or delete cluster-wide custom resources, even if they only have RBAC permissions for namespaced resources.
If your clusters aren’t using , you aren’t affected. But CRDs have become a critical component of many Kubernetes-native projects like Istio, so many users are impacted. This vulnerability also doesn’t affect you if your clusters run without Kubernetes RBAC, but that puts you at an even greater risk than this vulnerability does. We still strongly recommend enabling and using Kubernetes RBAC.