Remediate Kubernetes vulnerability CVE-2020-8554 with Kyverno

December 9, 2020 In Kyverno By Anubhav Sharma

Remediate Kubernetes vulnerability CVE-2020-8554 with Kyverno

On December 4, 2020, a CVE for man-in-the-middle attack was released by the Kubernetes Security Team where an attacker can patch a service and can intercept and redirect traffic.

This issue affects clusters that are configured for multi-tenancy. Essentially, any user with permissions to create pods and update a service can attack services and pods in another namespace and intercept and redirect traffic. 

An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

There is no patch available for this issue but it can be mitigated with a validating webhook implementation that prevents users from creating services with disallowed IP addresses.

Details 

Here are the details on the CVE-2020-8554: A user with privilege in one namespace can create ClusterIP service and set an externalIP field, redirecting the traffic to the endpoint of their choice.. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

Resolution

There is no patch available for this issue. The only resolution options are to manually audit the externalIP configuration for services in your cluster or use a webhook to prevent users from using an unauthorized externalIP.

One simple approach to solving this issue is to use Kyverno, an open-source Kubernetes native policy engine. Kyverno is a Kubernetes native policy engine that can validate, mutate and generate configuration and resources based on conditions. Kyverno’s admission control webhook  can execute a simple policy to prevent externalP’s from getting created or restrict it to set of known IP’s. 

Here is a two-step process to implement the fix with Kyverno: 

Step-1: Deploy Kyverno in your cluster. Instructions available here.

Step-2: Add a policy to prevent or restrict external IP’s using a YAML as shown below –

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
 name: restrict-external-ips
spec:
 validationFailureAction: enforce
 rules:
 - name: check-ips
   match:
     resources:
       kinds:
       - Service
   validate:
     message: "externalIPs are not allowed"
     pattern:
       spec:
         X(externalIPs): nil

There are other sample policies available here.

For any assistance with Kyverno, please open an issue here.

For more information about Kyverno from Nirmata, please see this page or reach-out to Nirmata to start a discussion.

Self-Service Velero Backups with Kyverno
Nirmata donates Kyverno, the Native Kubernetes Policy Engine, to the CNCF
Tags:
No Comments

Sorry, the comment form is closed at this time.