Man-in-the-Middle (MitM) Affecting k8s.io/kubernetes Open this link in a new tab package, versions <1.21.0-alpha.1
Proof of concept
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
8 Dec 2020
7 Dec 2020
Etienne Champetier of Anevia
How to fix?
k8s.io/kubernetes to version 1.21.0-alpha.1 or higher.
k8s.io/kubernetes is a Production-Grade Container Scheduling and Management.
Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). An attacker that is able to create a ClusterIP service and set the
spec.externalIPs field can intercept traffic to that IP. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the
status.loadBalancer.ingress.ip to similar effect.
Mitigations have been published:
- To restrict the use of external IPs we are providing an admission webhook container:
k8s.gcr.io/multitenancy/externalip-webhook:v1.0.0. The source code and deployment instructions are published at https://github.com/kubernetes-sigs/externalip-webhook.
- Alternatively, external IPs can be restricted using OPA Gatekeeper. A sample ConstraintTemplate and Constraint can be found here: https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/externalip.