Balance innovation and agility with security and compliance
risks using a 3-step process across all cloud infrastructure.
Step up business agility without compromising
security or compliance
Everything you need to become a Kubernetes expert.
Always for free!
Everything you need to know about Magalix
culture and much more
An unpatched man-in-the-middle (MiTM) vulnerability has been recently discovered and affects all versions of Kubernetes, as disclosed by Kubernetes Product Security. It's a medium severity security (CVE-2020-8554) issue where attackers, who have the ability to create or edit services and pods, can intercept traffic from other pods (or nodes) in the cluster.
This vulnerability, reported by Etienne Champetier of Anevia, is a design flaw that cannot be mitigated without user-facing changes and a long-term fix is in the works.
In the recently published security advisory, Tim Allclair explained it further:
“An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.”
All Kubernetes versions are affected by this vulnerability, especially multi-tenant clusters that grant tenants the ability to create and update services.
Only a small number of Kubernetes deployments should be affected given the limited use of External IP services in multi-tenant clusters and granting tenant users with patch service/status permissions for LoadBalancer IPs is not recommended.
At this point in time, there’s no patch for this issue and restricting access to vulnerable features is the only way to mitigate it.
Since a long-term fix is still in the works, a few recommendations have been forward for K8s administrators to implement. They include:
It’s not recommended to grant users patch service/status permission but if LoadBalancer IP restrictions are required, the same approach for external IP mitigations written above can be applied.
At Magalix, we're highly experienced in defining, deploying, and managing Kubernetes-focused cloud-native governance policies. To find out more, request a commitment-free consultation.