Vulnerability CVE-2020-8554 is disclosed by the Kubernetes community. Attackers can exploit this vulnerability to perform man-in-the-middle (MITM) attacks by using load balancers or external IP addresses. Attackers can create Services and then set the status field or other fields to intercept traffic from desired pods in a multi-tenant cluster.

The Common Vulnerability Scoring System (CVSS) score of this vulnerability is 3.0. The severity level is medium.

Impact scope

Clusters of all Kubernetes versions are affected. This vulnerability is caused by security defects in the design of Kubernetes. For more information about the fixing plan, see issue 97110.

If your ACK cluster is a multi-tenant cluster or runs applications that are deployed by untrusted users, your cluster is vulnerable to attacks. To check whether your cluster is under attack, check the audit log of the API server and search for events of patching to the status field of Services in your cluster. For more information, see View log details.

Description

In a multi-tenant cluster, attackers can intercept traffic that is forwarded to a desired Service in the following ways:
  • Create a ClusterIP type Service and set the externalIP field in the spec parameter of the Service to a desired IP address. This way, traffic that is sent to this IP address is intercepted and forwarded to the created Service.
  • Set the spec.loadBalancerIP field and patch the status.loadBalancer.ingress.ip field of a LoadBalancer type Service. This way, traffic that is sent to the original IP address is intercepted and forwarded to the modified IP address.

Prevention and mitigation

The Kubernetes community has not released any solution to fix this vulnerability because great changes to the design of Kubernetes may be required. It may take a longer period of time to release the solution. To prevent attacks caused by this vulnerability, we recommend that you implement the following measures:
  • Limit the use of external IP addresses:
    • Use admission webhooks to authenticate and authorize the use of external IP addresses. For more information about the source code and deployment of the admission webhook that is provided by Kubernetes, see externalip-webhook.
    • Use Open Policy Agent (OPA) Gatekeeper to limit the range of external IP addresses that can be used. For more information, see Introduction. For more information about the sample templates of ConstraintTemplate and Constraint, see externalip.
  • Limit the use of IP addresses by LoadBalancer type Services:
    • Reduce the permissions to the minimum extent on patching the status field of Services.
    • You can also use admission webhooks or OPA Gatekeeper to limit the external IP addresses that can be used by LoadBalancer type Services.