Kubernetes
cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*, +1 more
- >= 1.32.0, <= 1.32.1
- >= 1.31.0, <= 1.31.5
- >= 1.30.0, <= 1.30.9
A denial-of-service vulnerability has been identified in Kubernetes Kubelet versions 1.30.0 to 1.30.9, 1.31.0 to 1.31.5, and 1.32.0 to 1.32.1. The issue arises when a large number of container checkpoint requests are sent to the unauthenticated Kubelet read-only HTTP endpoint. This flood of requests can fill up the Node's disk, causing a denial-of-service condition. The vulnerability is present when the Kubelet read-only HTTP port is enabled and the container runtime supports checkpointing, such as CRI-O version 1.25.0 and above (with 'enable_criu_support' set to true) or containerd version 2.0 and above with criu installed.
Exploitation of this vulnerability can lead to a denial-of-service condition on the affected Node, causing the disk to fill up and potentially disrupting normal operations.
To address this vulnerability, users can upgrade to Kubelet versions 1.32.2, 1.31.6, 1.30.10, or 1.29.14, all of which enforce authentication for the Kubelet Checkpoint API. Alternatively, the ContainerCheckpoint feature gate can be set to false, the Kubelet read-only port can be disabled, and access to the Kubelet API can be limited.
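The mitigations above expressed as a kubelet configuration, as an added example that is not part of the original advisory or the Kubernetes project's own documentation; it assumes the `kubelet.config.k8s.io/v1beta1` KubeletConfiguration schema and the conventional read-only port number 10255:

```yaml
# Added example: hardened KubeletConfiguration for the checkpoint DoS issue.
# The exposed state is a kubelet that serves the legacy unauthenticated
# read-only HTTP port while the container runtime supports checkpointing.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
# Weak setting (exposed):  readOnlyPort: 10255
# Corrected: 0 disables the unauthenticated read-only endpoint entirely.
readOnlyPort: 0
# Turn the checkpoint API off until the kubelet is upgraded to a fixed release
# (1.32.2, 1.31.6, 1.30.10 or 1.29.14 per the advisory).
featureGates:
  ContainerCheckpoint: false
# Limit access to the authenticated kubelet API port (10250): reject anonymous
# callers and delegate authorization decisions to the API server.
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
authorization:
  mode: Webhook
```

After restarting the kubelet, confirm on the node that nothing listens on the old read-only port and that unauthenticated requests to port 10250 are rejected.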