☑️ Prevent EndpointSlice validation from enabling host network hijack (CVE-2021-25737)
A vulnerability was found in the Kubernetes kube-apiserver in which an authorized user could redirect pod traffic to private networks on a node (NVD severity of this issue: Low). Kubernetes already rejected Endpoint IPs in the loopback and link-local ranges, but the same validation was not applied to EndpointSlice addresses.
By exploiting the vulnerability, an attacker who can create or modify EndpointSlices can hijack traffic your cluster sends to a Service, potentially leading to sensitive data leaks.
Targeted objects by this rule (types of kind): EndpointSlice
Complexity: hard
Policy as code identifier: ENDPOINTSLICE_CVE2021_25373_INCORRECT_ADDRESSES_VALUE
This rule will fail
If an EndpointSlice is created or modified with any address under endpoints[].addresses
in the 127.0.0.0/8 (loopback) or 169.254.0.0/16 (link-local) ranges, which are reserved for node-local traffic.
kind: EndpointSlice
apiVersion: discovery.k8s.io/v1
metadata:
  name: failexample-abc12
addressType: IPv4
endpoints:
  - addresses:
      - "169.254.23.4"
Rule output in the CLI
$ datree test *.yaml
>> File: failExample.yaml
❌ Prevent EndpointSlice validation from enabling host network hijack (CVE-2021-25737) [1 occurrence]
💡 Incorrect value for key 'addresses' - address is within vulnerable ranges (127.0.0.0/8 and 169.254.0.0/16)
How to fix this failure
Use endpoint addresses outside the vulnerable ranges (127.0.0.0/8 and 169.254.0.0/16), i.e. routable pod or Service IPs rather than loopback or link-local addresses.
kind: EndpointSlice
apiVersion: discovery.k8s.io/v1
metadata:
  name: passexample-abc12
addressType: IPv4
endpoints:
  - addresses:
      - "172.23.47.4"