kubernetes · k8s-github-robot · Oct 11, 2017 · Oct 10, 2017 · Oct 10, 2017 · Oct 10, 2017
diff --git a/docs/advisories/cve_2017_14491.md b/docs/advisories/cve_2017_14491.md
@@ -1,35 +1,59 @@
 # CVE-2017-14491
 
-A vulnerability in dnsmasq, used by kube-dns, requires an upgrade to the kube-dns component. This component is the default DNS component installed in Kubernetes.  The vulnerability may be externally exploitable. Links below exist with the full detail
-of the CVE. This is not a Kubernetes specific vunerability, but exists in dnsmasq.
+A vulnerability in dnsmasq, used by kube-dns, requires an upgrade to the
+kube-dns component. This component is the default DNS component installed in
+Kubernetes.  The vulnerability may be externally exploitable. Links below exist
+with the full detail of the CVE. This exploit is not a Kubernetes specific vulnerability but exists in dnsmasq.
 
 ## Current kops Status
 
-As of 2017/10/08 `kops` fixes are not in a released `kops` version, but you are
-able to hotfix any Kubernetes cluster that is 1.4.x or higher.
+`kop` release 1.7.1 addresses this CVE.  This version of `kops` will upgrade and
+create clusters. `kops` 1.8.x release does not contain the required changes.
+
+## Upgrading Cluster
+
+To update a cluster.  The kube-dns deployment will be automatically upgraded.
+Replace `my-cluster.example.com` with the name of your cluster.  If you are
+upgrading a Kubernetes 1.4.x or 1.5.x cluster you may need to follow  the
+instruction below to create a required confimap for kube-dns.
+
+```bash
+kops update cluster --yes --name my-cluster.example.com
+```
+
+Validate the change was applied to the deployment:
+
+```bash
+kubectl get deployment -n kube-system kube-dns \
+-o jsonpath='{.spec.template.spec.containers[?(@.name == "dnsmasq")].image}'
+```
+
+The upgrade is will occur once the channels utilty picks up the change within a
+few mintues.
 
 ## Tested Kubernetes Versions
 
-Kubernetes versions 1.5.8, 1.6.11, 1.7.7, and 1.8.0 have been fully tested with the new version of `kube-dns` deployment.  Other versions should function, but upgrading
-to fully tested version is recommend. We have had 1.4.x users upgrade successfully,
-but we cannot validate full production stability.  Local testing in a non-production
-environment is always recommended. We are not able to quatify the risk of using
-a non-tested version.
+Kubernetes versions 1.5.8, 1.6.11, 1.7.7, and 1.8.0 have been fully tested with
+the new version of `kube-dns` deployment.  Other versions should function, but
+upgrading to tested version is recommended. We have had 1.4.x users upgrade
+successfully, but we cannot validate full production stability.  Local testing
+in a non-production environment is always recommended. We are not able to
+quatify the risk of using a non-tested version.
 
 ## Fixed kops releases
 
-We are planning releasing fixes in both new 1.7.x and 1.8.x kops releases.
-Fixes are in master, but not yet released as of 2017/10/08. We will update this document when releases are available. You are able to continue to use kops, and
-apply the hotfix.  kops should not downgrade the hotfix.
+We are planning to release in 1.8.x kops releases. 1.7.1 release is released with
+the needed changes. If you are using the 1.8.x alpha releases, we recommend
+applying the hotfixes.
 
 ### Fixed kops Version Matrix
 
 | kops Version  | Fixed  | Released | Will Fix | URL |
 |---|---|---|---|---|
+| 1.7.1  | Y  | Y | N/A | [here](https://github.com/kubernetes/kops/releases/tag/1.7.1) |
 | master | Y  | N | N/A | [here](https://github.com/kubernetes/kops) |
 | 1.8.0  | N  | N | Y | N/A |
 | 1.8.0.alpha.1  | N  | Y | N | N/A |
-| 1.7.1  | Y  | N | N | N/A |
 | 1.7.0  | N  | Y | N | N/A |
 
 ## kops PR fixes
@@ -43,30 +67,37 @@ apply the hotfix.  kops should not downgrade the hotfix.
 
 ## Hotfix Instructions
 
-The minimal fix is to just update the container for the pods using dnsmasq.  You are able to apply this fix without downtime.  Hot fix instruction differ between Kuberentes releases.  The newer version of `kube-dns` includes the `k8s-dns-dnsmasq-nanny-amd64` container.
+The minimal fix is just to update the container for the pods using dnsmasq.  You
+are able to apply this fix without downtime.  Hotfix instruction differ between
+Kubernetes releases.  The newer version of `kube-dns` includes the
+`k8s-dns-dnsmasq-nanny-amd64` container.
 
-### Kuberentes Versions 1.6.x and higher
+### Kubernetes Versions 1.6.x and higher
 
 #### Installation of Hot Fix
 
 Apply the update to the container:
 
 ```bash
-kubectl set image deployment/kube-dns -n kube-system dnsmasq=gcr.io/google_containers/k8s-dns-dnsmasq-amd64:1.14.5
+kubectl set image deployment/kube-dns -n kube-system \
+ dnsmasq=gcr.io/google_containers/k8s-dns-dnsmasq-amd64:1.14.5
 ```
 
 Validate the change was applied to the deployment:
 
 ```bash
-kubectl get deployment -n kube-system kube-dns -o jsonpath='{.spec.template.spec.containers[?(@.name == "dnsmasq")].image}'
+kubectl get deployment -n kube-system kube-dns \
+ -o jsonpath='{.spec.template.spec.containers[?(@.name == "dnsmasq")].image}'
 ```
 
 #### Validation
 
 To verify that pods were deployed:
 
 ```bash
-kubectl get pods -n kube-system -o custom-columns=NAME:.metadata.name,IMAGE:.spec.containers[*].image -l k8s-app=kube-dns
+kubectl get pods -n kube-system -o \
+ custom-columns=NAME:.metadata.name,IMAGE:.spec.containers[*].image \
+ -l k8s-app=kube-dns
 ```
 
 
@@ -78,14 +109,15 @@ kube-dns-1100866048-3lqm0   gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64
 kube-dns-1100866048-tjlv2   gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.5,gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.5,gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.5
 ```
 
-### Kuberentes Versions 1.4.x - 1.5.x
+### Kubernetes Versions 1.4.x - 1.5.x
 
-Check to see if you have the new configmap for kube-dns.  A configmap is required
-for the 1.14.5 containers, and kube-dns will _NOT_ start without the configmap.
+Check to see if you have the new configmap for kube-dns.  A configmap is
+required for the 1.14.5 containers, and kube-dns will _NOT_ start without the
+configmap.
 
 #### Installation of Dependencies
 
-```console
+```bash
 kubectl -n kube-system get configmap kube-dns
 ```
 
@@ -100,18 +132,22 @@ kubectl create configmap -n kube-system kube-dns
 Upgrade the kube-dns container to the new version.
 
 ```bash
-kubectl set image deployment/kube-dns -n kube-system dnsmasq=gcr.io/google_containers/k8s-dns-dnsmasq-amd64:1.14.5
+kubectl set image deployment/kube-dns -n kube-system \
+ dnsmasq=gcr.io/google_containers/k8s-dns-dnsmasq-amd64:1.14.5
 ```
 
 Validate the change was applied to the deployment:
 
 ```bash
-kubectl get deployment -n kube-system kube-dns -o jsonpath='{.spec.template.spec.containers[?(@.name == "dnsmasq")].image}'
+kubectl get deployment -n kube-system kube-dns \
+ -o jsonpath='{.spec.template.spec.containers[?(@.name == "dnsmasq")].image}'
 ```
 To verify that pods were deployed:
 
 ```bash
-kubectl get pods -n kube-system -o custom-columns=NAME:.metadata.name,IMAGE:.spec.containers[*].image -l k8s-app=kube-dns
+kubectl get pods -n kube-system -o \
+ custom-columns=NAME:.metadata.name,IMAGE:.spec.containers[*].image \
+  -l k8s-app=kube-dns
 ```
 
 You should see version 1.14.5 for the dnsmasq pod
@@ -126,4 +162,4 @@ _TODO_ if someone wants to provide the output.
 
 ## Thanks
 
-Thanks to @mikesplain, @chrislovecnm, @snoby, @justinsb, @3h4x
+Thanks to all that helped @mikesplain, @chrislovecnm, @snoby, @justinsb, @3h4x