An unpatched man-in-the-middle (MiTM) vulnerability affecting all versions of Kubernetes has recently been disclosed by Kubernetes Product Security. It is a medium-severity issue (CVE-2020-8554) in which attackers who have the ability to create or edit services and pods can intercept traffic from other pods (or nodes) in the cluster.
This vulnerability, reported by Etienne Champetier of Anevia, is a design flaw that cannot be mitigated without user-facing changes; a long-term fix is in the works.
In the recently published security advisory, Tim Allclair explained it further:
“An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.”
The Impact and the Extent of the Vulnerability
All Kubernetes versions are affected by this vulnerability, especially multi-tenant clusters that grant tenants the ability to create and update services.
Only a small number of Kubernetes deployments should be affected, given the limited use of external IP services in multi-tenant clusters, and because granting tenant users patch service/status permissions for LoadBalancer IPs is not recommended.
At this point in time, there’s no patch for this issue and restricting access to vulnerable features is the only way to mitigate it.
Recommended Actions for K8s Administrators
Since a long-term fix is still in the works, a few recommendations have been put forward for K8s administrators to implement. They include:
- Restricting the use of external IPs by using an admission webhook container. Source code and deployment instructions can be found here.
- Using OPA Gatekeeper to restrict external IPs. A sample ConstraintTemplate and Constraint is published here.
- Manual auditing of any external IP usage.
For LoadBalancer IPs
It is not recommended to grant users patch service/status permission, but if LoadBalancer IP restrictions are required, the same approach as for the external IP mitigations described above can be applied.
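The admission-webhook and LoadBalancer-status mitigations above both come down to one decision: reject a Service whose `spec.externalIPs` (or, on the status subresource, `status.loadBalancer.ingress[].ip`) falls outside an administrator-approved set of addresses. The following is an added example of that decision logic, written for this article and not taken from the Kubernetes project or from the webhook or Gatekeeper sources the advisory links to. It assumes a constructed allowlist (the TEST-NET-3 range `203.0.113.0/24`) and a constructed AdmissionReview request; wiring it into an HTTPS server and a `ValidatingWebhookConfiguration` that covers both `services` and `services/status` is left to the deployer.

```python
"""Validating-admission decision logic for the CVE-2020-8554 mitigation.

Added example (not project code). A validating admission webhook receives
an AdmissionReview JSON object and answers with an AdmissionReview whose
.response.allowed is True or False. Only the decision logic lives here so
it can be exercised offline; the HTTPS server and the
ValidatingWebhookConfiguration (rules for resources "services" and
"services/status") are assumed to be provided by the deployer.
"""
import ipaddress
import json

# Constructed allowlist: networks from which externalIPs or LoadBalancer
# ingress IPs may legitimately be assigned. TEST-NET-3 is a placeholder;
# an empty list blocks every external IP.
ALLOWED_EXTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def _disallowed(ips):
    """Return the subset of `ips` that are malformed or outside the allowlist."""
    bad = []
    for ip in ips:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            bad.append(ip)  # unparsable values are rejected, never silently allowed
            continue
        if not any(addr in net for net in ALLOWED_EXTERNAL_NETS):
            bad.append(ip)
    return bad


def check_service(obj, subresource=None):
    """Return (allowed, message) for a Service object.

    subresource is None for create/update of the Service itself and
    "status" for writes to the status subresource, which is where the
    LoadBalancer ingress IP is set.
    """
    if subresource == "status":
        lb = (obj.get("status") or {}).get("loadBalancer") or {}
        ips = [entry["ip"] for entry in (lb.get("ingress") or []) if "ip" in entry]
        bad = _disallowed(ips)
        if bad:
            return False, f"status.loadBalancer.ingress.ip not in allowlist: {bad}"
        return True, ""

    ips = (obj.get("spec") or {}).get("externalIPs") or []
    bad = _disallowed(ips)
    if bad:
        return False, f"spec.externalIPs not in allowlist: {bad}"
    return True, ""


def review(admission_review):
    """Turn an AdmissionReview request into an AdmissionReview response."""
    req = admission_review["request"]
    allowed, msg = check_service(req.get("object") or {}, req.get("subResource"))
    resp = {"uid": req["uid"], "allowed": allowed}
    if not allowed:
        resp["status"] = {"code": 403, "message": msg}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


# Constructed sample request: a tenant creates a ClusterIP Service that
# claims an externalIP outside the allowlist, the pattern the advisory describes.
SAMPLE_REQUEST = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",  # constructed
        "operation": "CREATE",
        "object": {
            "apiVersion": "v1",
            "kind": "Service",
            "metadata": {"name": "tenant-svc", "namespace": "tenant-a"},
            "spec": {"type": "ClusterIP", "externalIPs": ["10.0.0.5"], "ports": [{"port": 80}]},
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_REQUEST), indent=2))
```

The same allowlist is applied on both paths on purpose: an attacker with `patch` on `services/status` reaches the same interception outcome as one who can set `spec.externalIPs`, so a webhook that only inspects the spec leaves the status route open. Unparsable addresses are rejected rather than ignored, since a permissive default is exactly what this flaw exploits.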
At Magalix, we're highly experienced in defining, deploying, and managing Kubernetes-focused cloud-native governance policies. To find out more, request a commitment-free consultation.