The past few weeks sent the Kubernetes developer community scrambling to address a Kubernetes API security flaw. Specifically, the way the Kubernetes API server parses YAML manifests opened the service up to potential denial of service attacks. One type of DoS attack, the Billion Laughs attack, was named as the biggest threat because it targets the parser itself: a small document whose nested references expand to an enormous size when parsed.
Access to the Kubernetes API is served by the Kubernetes apiserver, which authenticates and validates connections. The API accepts YAML manifests as one of its payloads. However, the apiserver performs no input validation on uploaded YAML manifests, nor does it impose a hard limit on the size of the file. Here lies the exposure.
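As an added illustration (not code from the article or from the Kubernetes project), the following Go snippet shows the kind of pre-parse gate the paragraph implies is missing: it caps the request size and bounds how far YAML anchors and aliases could expand before the document ever reaches the parser. The limits, regular expressions and sample input are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const ( // assumed limits for this example; tune them to the manifests your cluster sees
	maxManifestBytes = 1 << 20 // reject bodies over 1 MiB before any parsing
	maxExpandedNodes = 10_000  // reject if alias expansion could exceed this many nodes
)

var anchorRe = regexp.MustCompile(`&([A-Za-z0-9_-]+)`)
var aliasRe = regexp.MustCompile(`\*([A-Za-z0-9_-]+)`)

// estimateExpansion bounds the nodes a parser would materialise once every '*alias'
// is expanded: each line is one node plus the weight of the aliases it references;
// a line declaring '&anchor' records its weight under that name. This is a pre-filter
// for the flat "billion laughs" shape, not a parser: multi-line anchors are under-counted.
func estimateExpansion(manifest string) int {
	weights := map[string]int{}
	total := 0
	for _, line := range strings.Split(manifest, "\n") {
		w := 1
		for _, m := range aliasRe.FindAllStringSubmatch(line, -1) {
			w += weights[m[1]] // unknown alias counts 0; a real parser rejects it anyway
		}
		if m := anchorRe.FindStringSubmatch(line); m != nil {
			weights[m[1]] = w
		}
		if total += w; total > maxExpandedNodes {
			return total // stop early so the counters cannot overflow
		}
	}
	return total
}

// checkManifest is the pre-parse gate: cheap size check first, then the expansion bound.
func checkManifest(manifest string) error {
	if len(manifest) > maxManifestBytes {
		return fmt.Errorf("rejected: %d bytes exceeds %d", len(manifest), maxManifestBytes)
	}
	if n := estimateExpansion(manifest); n > maxExpandedNodes {
		return fmt.Errorf("rejected: alias expansion bound %d exceeds %d", n, maxExpandedNodes)
	}
	return nil
}

func main() {
	fmt.Println(checkManifest("a: &a [x]\nb: [*a, *a]")) // <nil>: two aliases is well within limits
}
```

A production gate would run this on the raw request body, then hand only accepted documents to the real YAML decoder.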
Kubernetes has not yet addressed the flaw publicly, and no DoS incidents exploiting it have been reported. Nor has it released a security patch for the vulnerability. StackRox, which reported the vulnerability in the API repository, suggests that a fix to the apiserver code itself is necessary to protect against it adequately.