On December 4, 2020, the Kubernetes Security Team released a CVE for a man-in-the-middle attack in which an attacker who can create or patch a Service can intercept and redirect cluster traffic.
This issue affects clusters that are configured for multi-tenancy. Essentially, any user with permission to create pods and to create or update a Service in one namespace can intercept and redirect traffic destined for services and pods in another namespace.
An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
There is no patch available for this issue, but it can be mitigated with a validating admission webhook that rejects Services carrying disallowed IP addresses.
Here are the details of CVE-2020-8554: a user with privileges in one namespace can create a ClusterIP service and set its externalIPs field, so that kube-proxy on every node redirects traffic for that IP to endpoints of the attacker's choice. A user who can patch the status of a LoadBalancer service (a privileged operation that should not normally be granted) can set status.loadBalancer.ingress.ip to similar effect.
There is no patch available for this issue. The only resolution options are to manually audit the externalIPs configuration (and the LoadBalancer status) of the services in your cluster, or to use an admission webhook that prevents users from setting an unauthorized externalIP.
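The manual-audit option can be scripted. The following is an added example written for this page (it is not part of the Kubernetes advisory, of Kyverno, or of Nirmata's tooling): it parses the JSON that `kubectl get services --all-namespaces -o json` produces and reports every spec.externalIPs entry and every status.loadBalancer.ingress IP that falls outside an allow-list of address ranges, covering both vectors of the CVE. The allow-list (ALLOWED_CIDRS) and the embedded service list are constructed placeholders; point the script at your own kubectl output and your own ranges.

```python
#!/usr/bin/env python3
"""Audit Services for the two CVE-2020-8554 vectors: spec.externalIPs and
status.loadBalancer.ingress[].ip. Added example, not from the original page."""
import ipaddress
import json
import sys

# Hypothetical allow-list: the address ranges a cluster admin has legitimately
# assigned for external IPs / load-balancer ingress. Replace with your own.
ALLOWED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]


def ip_allowed(ip, allowed=ALLOWED_CIDRS):
    """True if `ip` parses and falls inside one of the allowed networks.
    Unparsable values are reported as disallowed rather than silently skipped."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def audit_services(service_list, allowed=ALLOWED_CIDRS):
    """Walk a `kubectl get services -A -o json` document and return one
    (namespace, name, field, ip) tuple per address outside the allow-list."""
    findings = []
    for svc in service_list.get("items", []):
        meta = svc.get("metadata", {})
        ns, name = meta.get("namespace", "default"), meta.get("name", "?")
        # Vector 1: spec.externalIPs, settable by anyone who can create a Service
        # of any type (ClusterIP is enough); kube-proxy routes traffic for these
        # IPs to the Service's endpoints on every node.
        for ip in svc.get("spec", {}).get("externalIPs") or []:
            if not ip_allowed(ip, allowed):
                findings.append((ns, name, "spec.externalIPs", ip))
        # Vector 2: status.loadBalancer.ingress[].ip, normally written by the
        # cloud controller; a user with services/status patch rights can forge it.
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        for entry in ingress:
            ip = entry.get("ip")
            if ip is not None and not ip_allowed(ip, allowed):
                findings.append((ns, name, "status.loadBalancer.ingress.ip", ip))
    return findings


# Constructed sample standing in for real kubectl output: one clean ClusterIP
# service, one Service with an allowed externalIP, one with an externalIP
# outside the allow-list, and two LoadBalancers (one allowed, one forged).
SAMPLE_KUBECTL_JSON = """
{"kind": "List", "items": [
  {"metadata": {"namespace": "kube-system", "name": "kube-dns"},
   "spec": {"type": "ClusterIP", "clusterIP": "10.96.0.10"}},
  {"metadata": {"namespace": "tenant-a", "name": "web"},
   "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"]}},
  {"metadata": {"namespace": "tenant-b", "name": "proxy"},
   "spec": {"type": "ClusterIP", "externalIPs": ["198.51.100.7"]}},
  {"metadata": {"namespace": "tenant-a", "name": "lb-ok"},
   "spec": {"type": "LoadBalancer"},
   "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.20"}]}}},
  {"metadata": {"namespace": "tenant-b", "name": "lb-forged"},
   "spec": {"type": "LoadBalancer"},
   "status": {"loadBalancer": {"ingress": [{"ip": "192.0.2.44"}]}}}
]}
"""


def audit_sample():
    """Run the audit over the embedded constructed sample (self-check)."""
    return audit_services(json.loads(SAMPLE_KUBECTL_JSON))


if __name__ == "__main__":
    # Usage: kubectl get services --all-namespaces -o json | python3 audit_external_ips.py
    # With nothing piped in, the embedded sample is audited instead.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else json.loads(SAMPLE_KUBECTL_JSON)
    results = audit_services(doc)
    for ns, name, field, ip in results:
        print(f"{ns}/{name}: {field} = {ip} is outside the allow-list")
    sys.exit(1 if results else 0)
```

The script exits non-zero when it finds anything, so it can run as a periodic job alongside the webhook: the webhook stops new violations at admission, while this audit catches Services that were created before the webhook was installed.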
One simple approach to solving this issue is to use Kyverno, an open-source, Kubernetes-native policy engine that can validate, mutate, and generate configuration and resources based on conditions. Kyverno's admission-control webhook can enforce a simple policy that either prevents externalIPs from being set at all or restricts them to a set of known IPs.
Here is a two-step process to implement the fix with Kyverno:
Step-1: Deploy Kyverno in your cluster. Instructions are available here.
Step-2: Add a policy to prevent or restrict external IPs, using a YAML manifest as shown below:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-external-ips
spec:
  # "enforce" rejects the request at admission; "audit" only reports violations
  validationFailureAction: enforce
  rules:
  - name: check-ips
    match:
      resources:
        kinds:
        - Service
    validate:
      message: "externalIPs are not allowed"
      pattern:
        spec:
          # X() is Kyverno's negation anchor: the Service is rejected whenever
          # spec.externalIPs is present, whatever its value
          X(externalIPs): "null"
There are other sample policies available here.
For any assistance with Kyverno, please open an issue here.
For more information about Kyverno from Nirmata, please see this page or reach out to Nirmata to start a discussion.