CVE-2020-8558 is a vulnerability in Kubernetes node networking, not in the API server's handling of service-account credentials. kube-proxy sets the kernel parameter net.ipv4.conf.all.route_localnet=1 on every node so that NodePort services can be reached via 127.0.0.1; with that setting the kernel no longer discards packets addressed to 127.0.0.0/8 that arrive on a real interface, and nothing in the node's iptables rules dropped them either. An attacker on the same layer-2 network as a node, or inside a pod on the cluster, can therefore send TCP or UDP packets whose destination IP is 127.0.0.1 and reach services that bind only to loopback and, for that reason, often run without authentication. Typical targets are the kubelet's localhost-only endpoints; on control-plane nodes that still expose an unauthenticated API server port on 127.0.0.1, the result is full cluster compromise.
From a pod in the same cluster, a plain port probe of the node IP shows whether the target service answers on a non-loopback address at all:

```sh
nc -zv <node-ip> 10255
```

A refused connection here says nothing about CVE-2020-8558: the vulnerability is about reaching listeners bound only to 127.0.0.1, which a connection to the node's own IP never touches.
The fix (Kubernetes v1.18.4, v1.17.7 and v1.16.11) makes the kubelet install an explicit iptables rule in its KUBE-FIREWALL chain that drops packets destined for 127.0.0.0/8 unless they came from 127.0.0.0/8 or belong to a RELATED, ESTABLISHED or DNAT conntrack entry. kube-proxy continues to set route_localnet=1 in those versions, so that rule, not a sysctl change, is what closes the hole, and it has to be present on every node.
| Component | Versions Affected | Role |
| ------------------ | ----------------- | ---------------------------------------------- |
| kube-proxy | v1.18.0 to v1.18.3, v1.17.0 to v1.17.6, v1.16.10 and earlier | Sets route_localnet=1 while generating iptables/IPVS rules |
| kubelet | same versions (the fix ships in the kubelet) | Owns the KUBE-FIREWALL chain; also a target, with healthz on 127.0.0.1:10248 and, where enabled, the unauthenticated read-only port 10255 (metrics, pod listings). Port 10250 is the authenticated API and listens on all interfaces anyway, so it gains nothing from this bug |
| Node OS | any with route_localnet=1 | The state every node ends up in once kube-proxy has run (e.g., GKE, kubeadm) |
If you cannot upgrade immediately, add the same drop rule by hand on every node: an INPUT-chain rule that drops packets with destination 127.0.0.0/8 and a source outside 127.0.0.0/8 whose conntrack state is not RELATED, ESTABLISHED or DNAT (the conntrack exception keeps NodePort access via 127.0.0.1 working). Note what does not help: NetworkPolicy only constrains pods, so it does nothing against an adjacent host on the node's network, and host firewall rules keyed on the node's own IP never match because the packets are addressed to 127.0.0.1. Also list what is bound to loopback on each node and, where a listener is sensitive, require authentication on it rather than relying on the bind address.
Example rule added by the fix: a filter-table rule in KUBE-FIREWALL, commented "block incoming localnet connections", matching destination 127.0.0.0/8, source not 127.0.0.0/8 and conntrack state not RELATED, ESTABLISHED or DNAT, with target DROP. With it in place, a listener that still answers a direct probe is bound to the node address rather than to loopback, which is a configuration issue independent of this CVE:

```sh
# Connect to the node's kubelet read-only port (10255; unauthenticated where enabled,
# bound per the kubelet's --address, disabled with --read-only-port=0)
nc -v 10.44.0.1 10255
```
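As an added example (not code from the advisory or from the Kubernetes project), the following POSIX shell script classifies a node's exposure from the two facts an operator can collect on it: the route_localnet sysctl and the iptables-save output. The iptables-save excerpts embedded in it are constructed to match the shape of the kubelet fix's KUBE-FIREWALL rule and of the advisory's manual INPUT rule; the function names, the variable names and the --live flag are this example's own.

```shell
#!/bin/sh
# Added example: classify a node's exposure to CVE-2020-8558 from
#   sysctl -n net.ipv4.conf.all.route_localnet
#   iptables-save
# Both values are passed in as strings so the logic runs offline against the
# constructed samples below; "--live" evaluates the node the script runs on
# (iptables-save needs root).

# has_localnet_drop IPTABLES_SAVE_TEXT
# Exit 0 when the INPUT or KUBE-FIREWALL chain holds a rule that DROPs packets to
# 127.0.0.0/8 whose source is not 127.0.0.0/8. Both the kubelet fix and the
# advisory's manual INPUT rule have this shape; iptables-save prints -s before -d.
has_localnet_drop() {
  printf '%s\n' "$1" \
    | grep -E '^-A (INPUT|KUBE-FIREWALL) ' \
    | grep -F -- '! -s 127.0.0.0/8' \
    | grep -F -- '-d 127.0.0.0/8' \
    | grep -Eq -- '-j DROP$'
}

# localnet_exposure ROUTE_LOCALNET IPTABLES_SAVE_TEXT
# Prints one word:
#   not-exposed  route_localnet=0: the kernel already discards packets to
#                127.0.0.0/8 that arrive on a non-loopback interface
#   mitigated    route_localnet=1 but a drop rule is present
#   exposed      route_localnet=1 and no drop rule: loopback-bound services are
#                reachable from adjacent hosts and pods
localnet_exposure() {
  case "$1" in
    0) echo not-exposed ;;
    1) if has_localnet_drop "$2"; then echo mitigated; else echo exposed; fi ;;
    *) echo "unexpected route_localnet value: $1" >&2; return 2 ;;
  esac
}

# Constructed iptables-save excerpts (not captured from a real cluster).
# Unpatched node: KUBE-FIREWALL only drops packets marked by kube-proxy.
UNPATCHED_RULES='*filter
:INPUT ACCEPT [0:0]
:KUBE-FIREWALL - [0:0]
-A INPUT -j KUBE-FIREWALL
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
COMMIT'

# Patched node: the additional localnet rule a fixed kubelet installs.
PATCHED_RULES='*filter
:INPUT ACCEPT [0:0]
:KUBE-FIREWALL - [0:0]
-A INPUT -j KUBE-FIREWALL
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
COMMIT'

# Manually mitigated node (no kubelet upgrade), i.e. after
#   iptables -I INPUT --dst 127.0.0.0/8 ! --src 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
# as iptables-save prints it.
MANUAL_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
COMMIT'

if [ "${1:-}" = "--live" ]; then
  localnet_exposure "$(sysctl -n net.ipv4.conf.all.route_localnet)" "$(iptables-save)"
else
  printf 'unpatched:        %s\n' "$(localnet_exposure 1 "$UNPATCHED_RULES")"
  printf 'patched kubelet:  %s\n' "$(localnet_exposure 1 "$PATCHED_RULES")"
  printf 'manual rule:      %s\n' "$(localnet_exposure 1 "$MANUAL_RULES")"
  printf 'route_localnet=0: %s\n' "$(localnet_exposure 0 "$UNPATCHED_RULES")"
fi
```

Run it without arguments to see the four constructed cases, or with --live on a node to classify that node. The check is deliberately coarse: it looks for the drop condition itself and not for the conntrack exception, because a rule lacking the exception still closes the hole (at the cost of breaking NodePort access via 127.0.0.1).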