To enable nodes in a Kubernetes cluster to access services that listen on 127.0.0.1,
the Linux kernel parameter
net.ipv4.conf.all.route_localnet is set to 1 for kube-proxy in both iptables and ipvs modes. This causes a security
vulnerability. An attacker may log on to a container connected to the network of a
target host or an adjacent host of the target host in the same local area network
(LAN). Then, the attacker attempts to access TCP and UDP services that are deployed
on the target host and listen on 127.0.0.1. If a TCP or UDP service does not require
authentication, the attacker may access the service. This causes data breaches.
- kube-proxy v1.18.0~v1.18.3
- kube-proxy v1.17.0~v1.17.6
- kube-proxy <v1.16.10
By default, in a Kubernetes cluster, users must be authenticated to access services that listen on 127.0.0.1, and kube-apiserver disables unprotected ports. Therefore, this vulnerability does not affect Kubernetes clusters. The kubelet service opens read-only port 10255 that is bound to 0.0.0.0 but does not require user authentication. Attackers can access the kubelet service from containers that use the host network or privileged containers through port 10255 even if the vulnerability is fixed. <input tabindex="-1" class="dnt" readonly="readonly" value="Do Not Translate">
Assume that an attacker has the permission to configure a host network or log on to a container that has CAP_NET_RAW enabled. The attacker may exploit this vulnerability to obtain the socket addresses of services that listen on 127.0.0.1. If services on a node listen on 127.0.0.1 and does not authenticate users, an attacker may exploit this vulnerability to access the services. For more information, see CVE-2020-8558.
- If kube-apiserver opens the unprotected port, an attacker may exploit this vulnerability to access the kube-apiserver information. In this case, this vulnerability has high severity and is scored 8.8. The default unprotected port for kube-apiserver is 8080.
- If kube-apiserver disables the unprotected port, this vulnerability has medium severity and is scored 5.4.
- Host that are connected to the same VSwitch as the target host
- Containers that run on the target host
- Do not open the unprotected port of kube-apiserver. The default unprotected port is 8080. By default, this port is disabled.
- Run the following command to configure an iptables rule for each node in the cluster.
This rule blocks traffic that is sent from other nodes to 127.0.0.1.
iptables -I INPUT --dst 127.0.0.0/8 ! --src 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
- Restrict user permissions to log on to cluster nodes. For example, you can invalidate kubeconfig files that may have been leaked to malicious users.
- Do not enable CAP_NET_RAW for containers. If this feature is enabled, run the following
command to disable it:
securityContext: capabilities: drop: ["NET_RAW"]
- Use PodSecurityPolicy to restrict the deployment of privileged containers and containers that use the network of the host. You can also disable CAP_NET_RAW for containers by configuring the requiredDropCapabilities parameter in the policy.