A new medium severity CVE has been discovered (CVE-2020-8554) affecting multitenant Kubernetes clusters. If a potential attacker can already create or edit services and pods, then they may be able to intercept traffic from other pods (or nodes) in the cluster. The announcement about the CVE explained:
“An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
This issue is a design flaw that cannot be mitigated without user-facing changes.”
As with any CVE, the first step is to identify if you are impacted. To help Kubernetes users, we have created instructions for identifying CVE-2020-8554 using our configuration validation software, Fairwinds Insights (free to use for 30 days), and OPA. Following these instructions, you do not need to have used OPA previously. In addition, by using the Insights Admission Controller, you can actually prevent this CVE from being introduced into new deployments.
Fairwinds Insights is a policy-driven platform that enforces custom policies - like identifying a CVE in your clusters - automating deployment guardrails and security best practices through Open Policy Agent (OPA) integrations at the CI/CD stage, or as an admission controller.
If you are new to Fairwinds Insights, you’ll need to sign up and install the agent - follow the getting started guide.
Follow the Insights CLI installation instructions.
If on a mac, run
brew install FairwindsOps/tap/insights
If not on a Mac, or don’t have HomeBrew, download the binary from the Releases page and add it to your path
Download the insights-plugins repository. Inside that repository in the path
plugins/opa/examples you will find all of the templated OPA policies for use with Fairwinds Insights. Copy
plugins/opa/examples/lb-vuln-cve-2020-8554to your local directory.
Check out the Fairwinds Insights documentation to learn more about OPA policies.
Login to Fairwinds Insights, select your organization, then click on Settings in the menu bar. Scroll down to the Authentication Tokens section and click the
Show Tokens button. Copy the token with a title of
admin and open a command prompt and paste in:
export FAIRWINDS_TOKEN= <token you copied>
From within the directory where you copied with the policy, run the following command:
insights policy sync --organization <Insights org name>
Log into insights.fairwinds.com and navigate to the cluster you’d like to check. From there, follow these steps:
Add the Open Policy Agent (OPA) report
You will see a “ready to reinstall” link in the upper-right of the screen appear. Click this link to get a helm command you can use to reinstall the Fairwinds Insights Agent.
After about a minute you should see any affected resources listed in the Action Items table in Fairwinds Insights.
With Fairwinds Insights, you'll be able to identify and prevent CVE-2020-8554 from being a problem for your team.