Kubernetes, also known as K8s, is an open-source system for automating deployment, scaling, and management of containerized applications.
Kubernetes accomplishes this by organizing application containers into Pods, which run on nodes (physical or virtual machines); multiple nodes form a cluster managed by a master node, which coordinates cluster-wide tasks such as scaling, scheduling, or updating applications.
A man-in-the-middle vulnerability in Kubernetes, CVE-2020-8554, was recently disclosed. The Kubernetes Product Security Committee has published guidance on how to temporarily prevent attackers from exploiting it. The vulnerability may allow an attacker to intercept traffic from other Pods in a multi-tenant Kubernetes cluster in a man-in-the-middle (MiTM) attack.
Because the Kubernetes development team has not yet released a security update that resolves the issue, administrators are advised to mitigate CVE-2020-8554 by restricting access to the vulnerable features.
To restrict the use of external IPs, the Kubernetes project provides an admission webhook container, k8s.gcr.io/multitenancy/externalip-webhook:v1.0.0. The source code and deployment instructions are published at https://github.com/kubernetes-sigs/externalip-webhook.
Alternatively, external IPs can be restricted using OPA Gatekeeper. A sample ConstraintTemplate and Constraint can be found here: https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/externalip.
To detect attempts to exploit this vulnerability, administrators must manually audit the Services in a multi-tenant cluster that use the LoadBalancer type or the externalIPs field.
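As an added example (not code from the notice, the externalip-webhook project, or Gatekeeper), the audit described above can be scripted: the Python below scans a constructed document shaped like `kubectl get services -A -o json` output for the two fields the notice names, `spec.externalIPs` and the IPs in a LoadBalancer Service's status, and reports any that fall outside an assumed allowlist of CIDRs.

```python
import json
import ipaddress

# Constructed sample shaped like `kubectl get services -A -o json` output; not data from a real cluster.
SAMPLE_SERVICES_JSON = """
{
  "items": [
    {"metadata": {"namespace": "tenant-a", "name": "web"},
     "spec": {"type": "ClusterIP", "clusterIP": "10.96.0.10"},
     "status": {"loadBalancer": {}}},
    {"metadata": {"namespace": "tenant-b", "name": "proxy"},
     "spec": {"type": "ClusterIP", "clusterIP": "10.96.0.20", "externalIPs": ["10.96.0.10"]},
     "status": {"loadBalancer": {}}},
    {"metadata": {"namespace": "tenant-c", "name": "api"},
     "spec": {"type": "LoadBalancer", "clusterIP": "10.96.0.30"},
     "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.7"}]}}}
  ]
}
"""


def audit_external_ips(services_json, allowed_cidrs=()):
    """Report Services whose spec.externalIPs or LoadBalancer status IPs fall
    outside the allowed CIDRs (an assumed allowlist; empty means nothing is allowed).
    Returns a list of (namespace, name, field, ip) tuples."""
    allowed = [ipaddress.ip_network(cidr) for cidr in allowed_cidrs]

    def permitted(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in allowed)

    findings = []
    for svc in json.loads(services_json)["items"]:
        ns, name = svc["metadata"]["namespace"], svc["metadata"]["name"]
        spec = svc.get("spec", {})
        # Any Service type may carry externalIPs; each entry is a claim on that address.
        for ip in spec.get("externalIPs", []):
            if not permitted(ip):
                findings.append((ns, name, "spec.externalIPs", ip))
        # For LoadBalancer Services the status field holds the IPs that receive traffic.
        if spec.get("type") == "LoadBalancer":
            ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress", [])
            for entry in ingress:
                if entry.get("ip") and not permitted(entry["ip"]):
                    findings.append((ns, name, "status.loadBalancer.ingress", entry["ip"]))
    return findings


if __name__ == "__main__":
    for finding in audit_external_ips(SAMPLE_SERVICES_JSON, allowed_cidrs=("203.0.113.0/24",)):
        print("%s/%s: %s = %s" % finding)
```

Against a live cluster, feed the script the real `kubectl get services -A -o json` output and the CIDRs the cluster operator actually provisions; every reported Service is one whose external IP was never sanctioned and should be reviewed.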