Kubernetes (K8s for short) is an open source system for managing containerized applications across multiple hosts on a cloud platform. The goal of Kubernetes is to make deploying containerized applications simple and efficient: it provides mechanisms for application deployment, scheduling, updating, and maintenance. K8s was originally developed by Google and is currently maintained by the Cloud Native Computing Foundation.
Researchers found a design flaw in K8s that affects all K8s versions; multi-tenant clusters in which tenants can create and update services are the most exposed targets. If an attacker can create or edit a Service or Pod, they may be able to intercept traffic from other Pods in the cluster. When a Service is created with an arbitrary external IP, in-cluster traffic destined for that IP is routed to the Service, so an attacker with permission to create a Service with an external IP can intercept traffic to any target IP.
CVE-2020-8554 is rated as a medium-risk vulnerability. An attacker with basic tenant permissions, such as creating and editing Services and Pods, can exploit it remotely without any user interaction.
Because the external IP (externalIPs) feature of Services is not widely used in multi-tenant clusters, and granting tenants the patch service/status permission needed to set a LoadBalancer IP is not recommended, the vulnerability affects only a small number of Kubernetes deployments.
How to block CVE-2020-8554 exploits
Although the Kubernetes development team has not yet released a security patch, the Kubernetes Product Security Committee has published guidance on how to temporarily block exploitation. It recommends addressing CVE-2020-8554 by restricting access to the vulnerable features. In addition, an admission webhook can be used to restrict the use of external IPs; for the source code and deployment guide, see https://github.com/kubernetes-sigs/externalip-webhook
The Open Policy Agent Gatekeeper policy controller can also enforce a restriction on external IPs; see: https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/externalip
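The decision logic such a validating admission webhook applies, written here in Python as an added illustration (it is not the code of the externalip-webhook project or of the Gatekeeper library linked above). The allowlisted CIDR, the hypothetical function names, and the sample AdmissionReview are constructed for the example; any Service whose spec.externalIPs entries fall outside the allowlist is rejected.

```python
from ipaddress import ip_address, ip_network

# Constructed allowlist: only Services whose externalIPs fall inside these
# ranges are admitted. A real deployment would load this from configuration.
ALLOWED_EXTERNAL_IP_RANGES = [ip_network("203.0.113.0/24")]

def disallowed_external_ips(service, allowed=ALLOWED_EXTERNAL_IP_RANGES):
    """Return every entry of spec.externalIPs that is outside the allowlist."""
    bad = []
    for raw in (service.get("spec", {}).get("externalIPs") or []):
        try:
            ip = ip_address(raw)
        except ValueError:
            bad.append(raw)      # unparsable value: reject rather than guess
            continue
        if not any(ip in net for net in allowed):
            bad.append(raw)
    return bad

def admission_response(review, allowed=ALLOWED_EXTERNAL_IP_RANGES):
    """Decide an AdmissionReview for a Service CREATE/UPDATE and build the reply."""
    req = review["request"]
    resp = {"uid": req["uid"], "allowed": True}
    if req.get("kind", {}).get("kind") == "Service":
        bad = disallowed_external_ips(req.get("object") or {}, allowed)
        if bad:
            resp["allowed"] = False
            resp["status"] = {"code": 403,
                              "message": "externalIPs not permitted: " + ", ".join(bad)}
    return {"apiVersion": review.get("apiVersion", "admission.k8s.io/v1"),
            "kind": "AdmissionReview", "response": resp}

# Constructed AdmissionReview: a tenant tries to claim a cluster-internal address.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",
        "kind": {"group": "", "version": "v1", "kind": "Service"},
        "operation": "CREATE",
        "object": {"kind": "Service", "spec": {"externalIPs": ["10.96.0.10"]}},
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(admission_response(SAMPLE_REVIEW), indent=2))
```

To take effect in a cluster this function would have to be served over HTTPS and registered through a ValidatingWebhookConfiguration for Service create and update operations; it covers only spec.externalIPs, not the LoadBalancer IP path set through the service/status subresource.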