The Kubernetes community has disclosed the CVE-2020-8562 vulnerability. An attacker can bypass the proxy IP limit imposed by the API server and access the Kubernetes control plane components in the private network of a cluster. This results in unauthorized access. This topic describes the impacts, affected Kubernetes versions, and fixes of this vulnerability.

The CVE-2020-8562 vulnerability is rated low and the Common Vulnerability Scoring System (CVSS) score of the vulnerability is 2.2.


For security reasons, the Kubernetes community has forbidden user-driven connections to the internal proxy of Services, pods, nodes, and StorageClasses. When Kubernetes forbids the connections, Kubernetes performs a DNS resolution and checks whether the IPs requested by the proxy are within the link-local ( or localhost ( range. Then, Kubernetes performs a second DNS resolution without validating the requested IP addresses. If a non-standard DNS server returns different non-cached responses, an attacker can bypass the proxy IP limit by using a race condition and access the control plane components in the private network.

An attacker can bypass the proxy IP limit on the condition that the attacker can create or modify nodes and the attacker can access nodes by using the proxy. The attacker can also create or modify StorageClasses and access the log of kube-controller-manager.


Check whether address not allowed exists in the audit log of the API server. If a large number of entries are found, the Kubernetes cluster may be affected by this vulnerability.
Note If the API server is not affected by this vulnerability, the audit log of the API server does not contain address not allowed.

Affected versions

kube-apiserver that is installed in the following Kubernetes versions is affected by this vulnerability:

  • Kubernetes ≤ v1.21.0
  • Kubernetes ≤ v1.20.6
  • Kubernetes ≤ v1.19.10
  • Kubernetes ≤ v1.18.18

The Kubernetes community has not released the patched Kubernetes versions.


Follow the principle of least privilege and control the permissions to create and modify nodes and StorageClasses.