Upgrade to Pro — share decks privately, control downloads, hide ads and more …

CVE-2020-8554

 CVE-2020-8554

Presented at Cloud Computing Linz Meetup on 26.10.2021

4c40671ad67c05689b628ede51902dd4?s=128

Dimitrij Klesev

January 26, 2021
Tweet

Transcript

  1. When the destination is not what you expect to be

    or MITM in Kubernetes (CVE-2020-8554) WhizUs GmbH WhizUs GmbH KCSP & KTP KCSP & KTP 01/2021 01/2021
  2. Kubernetes Service

  3. load balances traffic between individual Pods targets Pods using selectors

    usually ClusterIP s (virtual) iptable rules redirects traffic to Pods WhizUs GmbH WhizUs GmbH KCSP & KTP KCSP & KTP 01/2021 01/2021
  4. kube-proxy running in iptables mode Backend Pod 1 labels: app=MyApp

    port: 9376 Backend Pod 2 labels: app=MyApp port: 9376 Backend Pod 3 labels: app=MyApp port: 9376 Client kube-proxy apiserver clusterIP (iptables) Node ( S e e : h t t p s : / / k u b e r n e t e s . i o / d o c s / c o n c e p t s / s e r v i c e s - n e t w o r k i n g / s e r v i c e / # p r o x y - m o d e - i p t a b l e s ) WhizUs GmbH WhizUs GmbH KCSP & KTP KCSP & KTP 01/2021 01/2021
  5. Just a sample Kubernetes Service object --- apiVersion: v1 kind:

    Service metadata: name: myservice # <- can be resolved with internal DNS, f.e. spec: # myservice.default.svc.cluster.local selector: app: myservice # <- route traffic to Pods with this label ports: - port: 80 # <- virtual port of the Service one connects to targetPort: 80 # <- port of a Pod, can be named, like "http" type: ClusterIP # <- usually set as default ( S e e : h t t p s : / / k u b e r n e t e s . i o / d o c s / c o n c e p t s / s e r v i c e s - n e t w o r k i n g / s e r v i c e / # d e f i n i n g - a - s e r v i c e ) WhizUs GmbH WhizUs GmbH KCSP & KTP KCSP & KTP 01/2021 01/2021
  6. in Kubernetes there are five types of services LoadBalancer NodePort

    ClusterIP headless Service (used for Service Discovery) and the special one: externalIPs ( S e e : h t t p s : / / k u b e r n e t e s . i o / d o c s / c o n c e p t s / s e r v i c e s - n e t w o r k i n g / s e r v i c e / # p u b l i s h i n g - s e r v i c e s - s e r v i c e - t y p e s ) WhizUs GmbH WhizUs GmbH KCSP & KTP KCSP & KTP 01/2021 01/2021
  7. If there are external IPs that route to one or

    more cluster nodes, Kubernetes Services can be exposed on those externalIPs. Traffic that ingresses into the cluster with the external IP (as destination IP), on the Service port, will be routed to one of the Service endpoints. externalIPs are not managed by Kubernetes and are the responsibility of the cluster administrator. ( S e e : h t t p s : / / k u b e r n e t e s . i o / d o c s / c o n c e p t s / s e r v i c e s - n e t w o r k i n g / s e r v i c e / # e x t e r n a l - i p s ) WhizUs GmbH WhizUs GmbH KCSP & KTP KCSP & KTP 01/2021 01/2021
  8. Where do we need that?

  9. when you need to route the traffic to the nodes

    without a load-balancer (f.e. dev setups, bare metal, a.s.o.) well, if you have some external IPs and special routing configuration IP failover maybe some more :) WhizUs GmbH WhizUs GmbH KCSP & KTP KCSP & KTP 01/2021 01/2021
  10. DEMO

  11. CVE-2020-8554

  12. what happens if we add some IP address from an

    external service as externalIPs to our cluster? --> yes, traffic will be routet to that service! what is the impact? well, you can do some fancy MITM :) WhizUs GmbH WhizUs GmbH KCSP & KTP KCSP & KTP 01/2021 01/2021
  13. How to fix?

  14. check if externalIPs specified in the service object and reject

    it if you still need it, add exceptions to your rule :) you can use the Validation Webhook from kubernetes-sigs or use eBPF based CNIs (cilium) WhizUs GmbH WhizUs GmbH KCSP & KTP KCSP & KTP 01/2021 01/2021
  15. DEMO

  16. Thank You

  17. References https://github.com/kubernetes/kubernetes/issues/97076 https://kubernetes.io/docs/concepts/services-networking/service https://medium.com/swlh/kubernetes-external-ip-service-type-5e5e9ad62fcd https://serenafeng.github.io/2020/03/26/kube-proxy-in-iptables-mode/ https://kubernetes.io/docs/reference/access-authn-authz/admission- controllers/ https://cilium.io/ https://github.com/kubernetes-sigs/externalip-webhook (

    C r e a t e d u s i n g h t t p s : / / m a r p i t . m a r p . a p p / ) WhizUs GmbH WhizUs GmbH KCSP & KTP KCSP & KTP 01/2021 01/2021