☑️ Prevent EndpointSlice validation from enabling host network hijack (CVE-2021-25737)

A vulnerability has been found in Kubernetes kube-apiserver in which an authorized user could redirect pod traffic to private networks on a node (NVD severity of this issue: Low).

By exploiting the vulnerability, attackers can hijack your cluster’s network traffic, potentially leading to sensitive data leaks.

Resources targeted by this rule (kinds): EndpointSlice

Enabled by default? False

Policy as code identifier: ENDPOINTSLICE_CVE2021_25373_INCORRECT_ADDRESSES_VALUE

This rule will fail

If an EndpointSlice is created or modified with endpoints.addresses in the and internal ranges.


Rule output in the CLI


How to fix this failure

Use endpoint addresses that are not in the vulnerable ranges ( and
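A Go check that evaluates this rule over an EndpointSlice's endpoints.addresses, added here as an example; it is not Datree's or Kubernetes' own code. The two CIDR ranges are an assumption taken from the upstream Kubernetes advisory for CVE-2021-25737, since this page leaves them blank, and the manifests are constructed samples.

```go
package main

import "net"

// DefaultVulnerableRanges is an assumption taken from the upstream Kubernetes
// advisory for CVE-2021-25737; the rule page itself leaves the ranges blank.
var DefaultVulnerableRanges = []string{"127.0.0.0/8", "169.254.0.0/16"}

// Endpoint and EndpointSlice mirror only the fields the rule inspects:
// endpoints[].addresses of a discovery.k8s.io EndpointSlice.
type Endpoint struct{ Addresses []string }
type EndpointSlice struct {
	Name      string
	Endpoints []Endpoint
}

// CheckEndpointSlice returns every address inside one of the given CIDR ranges,
// or that cannot be parsed as an IP (fail closed); empty means the rule passes.
func CheckEndpointSlice(slice EndpointSlice, cidrs []string) []string {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic("bad CIDR in rule config: " + c)
		}
		nets = append(nets, n)
	}
	var violations []string
	for _, ep := range slice.Endpoints {
		for _, addr := range ep.Addresses {
			ip := net.ParseIP(addr)
			for _, n := range nets {
				if ip == nil || n.Contains(ip) {
					violations = append(violations, addr)
					break
				}
			}
		}
	}
	return violations
}

// Constructed sample manifests: one the rule should reject, one it should accept.
func SampleFailingSlice() EndpointSlice {
	return EndpointSlice{Name: "web-abc12", Endpoints: []Endpoint{
		{Addresses: []string{"10.244.1.7", "127.0.0.1"}}, {Addresses: []string{"169.254.1.1"}}}}
}
func SamplePassingSlice() EndpointSlice {
	return EndpointSlice{Name: "web-abc12", Endpoints: []Endpoint{{Addresses: []string{"10.244.1.7", "10.244.2.9"}}}}
}
```

Wire `CheckEndpointSlice` into an admission or CI step and reject the manifest whenever the returned list is non-empty; the loopback and link-local entries are exactly what the upstream fix now refuses at the API server.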


