To enable nodes in a Kubernetes cluster to access services that listen on 127.0.0.1,
the Linux kernel parameter net.ipv4.conf.all.route_localnet
is set to 1 for kube-proxy in both iptables and ipvs modes. This causes a security
vulnerability. An attacker may log on to a container connected to the network of a
vulnerable host or an adjacent host of the vulnerable host in the same local area
network (LAN). Then, the attacker attempts to access TCP and UDP services that are
deployed on the vulnerable host and listen on 127.0.0.1. If a TCP or UDP service does
not require authentication, the attacker may access the service. This causes data
breaches.
Affected versions
- kube-proxy v1.18.0~v1.18.3
- kube-proxy v1.17.0~v1.17.6
- kube-proxy V1.16.10 and earlier
By default, in a Kubernetes cluster, users must be authenticated to access services that listen on 127.0.0.1, and kube-apiserver disables unprotected ports. The kubelet service opens read-only port 10255 that is bound to 0.0.0.0 but does not require user authentication. Attackers can access the kubelet service from containers that use the host network or privileged containers through port 10255 even if the vulnerability is fixed. Therefore, this vulnerability has little impact on the ACK cluster.
Impacts
Assume that an attacker has the permission to configure a host network or log on to a container that has CAP_NET_RAW enabled. The attacker may exploit this vulnerability to obtain the socket addresses of services that listen on 127.0.0.1. If services on a node listen on 127.0.0.1 and the services do not require user authentication, an attacker may exploit this vulnerability to access the services. For more information, see Issue.
- If kube-apiserver opens the unprotected port, an attacker may exploit this vulnerability to access the kube-apiserver information. In this case, this vulnerability has high severity and is scored 8.8. The default unprotected port for kube-apiserver is 8080.
- If kube-apiserver disables the unprotected port, this vulnerability has medium severity and is scored 5.4.
- Hosts that are connected to the same vSwitch as the vulnerable host
- Containers that run on the vulnerable host
Preventative measures
- Do not open the unprotected port of kube-apiserver. The default unprotected port is 8080. By default, this port is disabled.
- Run the following command to configure an iptables rule for each node in the cluster.
This rule blocks traffic that is sent from other nodes to 127.0.0.1.
iptables -I INPUT --dst 127.0.0.0/8 ! --src 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
- Control user permissions to log on to cluster nodes. For example, you can invalidate kubeconfig files that may have been leaked to malicious users.
- Do not enable CAP_NET_RAW for containers. If this feature is enabled, run the following
command to disable it:
securityContext: capabilities: drop: ["NET_RAW"]
- Use PodSecurityPolicy to control the deployment of privileged containers and containers that use the network of the host. You can also disable CAP_NET_RAW for containers by configuring the requiredDropCapabilities parameter in the policy.