Notice on the Kubernetes Security Vulnerability (CVE-2020-8554)
Description
CVE-2020-8554 is a man-in-the-middle (MITM) vulnerability that exists in every version of Kubernetes, with the most significant impact on multi-tenant clusters. A potential attacker who has permission to create and update Services and pods is able to intercept traffic from other pods or nodes in the cluster. By setting the spec.externalIPs field of a Service, such an attacker can intercept the traffic of other pods or nodes that access this external IP (for example, a well-known public IP address) and forward it to a malicious pod created by the attacker, causing a man-in-the-middle attack. Similarly, an attacker can initiate a MITM attack by modifying the status.loadBalancer.ingress.ip field of a Service.
Type | CVE-ID | Severity | Discovered
---|---|---|---
Traffic interception | CVE-2020-8554 | Medium | 2020-12-07
Impact
- Multi-tenant clusters
- Clusters of all Kubernetes versions
Solution
You are advised to check all Services that use externalIP and loadBalancerIP to determine whether there are vulnerable Services.
This bug is caused by a design defect in Kubernetes. You can take precautionary measures as follows:
- Restrict the use of externalIP
  - Method 1: Use the Admission Webhook container (k8s.gcr.io/multitenancy/externalip-webhook:v1.0.0). The source code and deployment description are released at https://github.com/kubernetes-sigs/externalip-webhook.
  - Method 2: Use the open source OPA Gatekeeper. The example constraint template and constraints are released at https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/externalip.
- Restrict the use of loadBalancerIP
  The Kubernetes community does not recommend that the cluster administrator assign patch permissions on Service and Service status objects to users in the cluster. Therefore, the community does not provide preventive measures for loadBalancerIP. If you need to restrict the use of loadBalancerIP, you can refer to the preventive measures for externalIP.
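The check recommended above (review every Service that sets externalIP or carries a load balancer ingress IP) can be scripted. The following is an added example, not code from the notice or from the Kubernetes project; it reads the JSON that `kubectl get services --all-namespaces -o json` emits and flags any IP that is not on an administrator-maintained allowlist. The allowlist and the embedded Service list are constructed for illustration and use documentation address ranges.

```python
"""Audit Kubernetes Services for the two fields abused in CVE-2020-8554."""
import json

# Constructed allowlist: IPs the cluster administrator knowingly routes
# (legitimate externalIPs and load balancer addresses the cloud assigned).
ALLOWED_IPS = {"203.0.113.10"}

# Constructed sample in the shape of `kubectl get svc -A -o json` output.
SAMPLE_SERVICE_LIST = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"metadata": {"namespace": "tenant-a", "name": "web"},
     "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"]},
     "status": {"loadBalancer": {}}},
    {"metadata": {"namespace": "tenant-b", "name": "sneaky"},
     "spec": {"type": "ClusterIP", "externalIPs": ["192.0.2.53"]},
     "status": {"loadBalancer": {}}},
    {"metadata": {"namespace": "tenant-b", "name": "lb"},
     "spec": {"type": "LoadBalancer"},
     "status": {"loadBalancer": {"ingress": [{"ip": "198.51.100.5"}]}}},
    {"metadata": {"namespace": "default", "name": "plain"},
     "spec": {"type": "ClusterIP"}, "status": {"loadBalancer": {}}},
]})


def find_suspect_services(service_list_json, allowed_ips=ALLOWED_IPS):
    """Return (namespace, name, field, ip) for every IP not on the allowlist."""
    findings = []
    for svc in json.loads(service_list_json).get("items", []):
        meta = svc.get("metadata", {})
        ns, name = meta.get("namespace", ""), meta.get("name", "")
        # spec.externalIPs: kube-proxy routes in-cluster traffic for these IPs
        # to the Service's endpoints, which is the primary vector in the CVE.
        for ip in svc.get("spec", {}).get("externalIPs") or []:
            if ip not in allowed_ips:
                findings.append((ns, name, "spec.externalIPs", ip))
        # status.loadBalancer.ingress[].ip: routed the same way once set,
        # so a Service whose status was patched by a tenant is also suspect.
        lb = svc.get("status", {}).get("loadBalancer") or {}
        for entry in lb.get("ingress") or []:
            ip = entry.get("ip")
            if ip and ip not in allowed_ips:
                findings.append((ns, name, "status.loadBalancer.ingress.ip", ip))
    return findings


if __name__ == "__main__":
    for ns, name, field, ip in find_suspect_services(SAMPLE_SERVICE_LIST):
        print(f"{ns}/{name}: {field} = {ip} is not on the allowlist")
```

Run it against real output by piping `kubectl get services -A -o json` into `find_suspect_services`; every reported Service should be traced back to the user who created or patched it.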