Cve-2020-8558 !!hot!! Page

Service endpoints bound to 127.0.0.1 expected only local processes. No mechanism in default kube-proxy prevented a remote pod from or addressing the node IP with loopback-bound ports.

From a pod in the same cluster:

CVE-2020-8558 is a vulnerability in Kubernetes kube-proxy (versions ≤ 1.18.0) that allowed an attacker with access to a node’s pod network to bypass localhost ( 127.0.0.1 ) restrictions. Due to insufficient filtering of --nodeport-addresses and default net.ipv4.conf.all.route_localnet=1 behavior, services bound to the loopback address on a Kubernetes node became reachable from other pods or cluster nodes. This paper describes the technical root cause, exploitation vector, impact, and remediation strategies. cve-2020-8558

Ensure that ports 10249 (metrics) and 10256 (health check) are not accessible from untrusted networks. Service endpoints bound to 127

to block pod-to-node-IP traffic unless required. to block pod-to-node-IP traffic unless required