
☑️ Prevent EndpointSlice validation from enabling host network hijack (CVE-2021-25737)

A vulnerability has been found in Kubernetes kube-apiserver in which an authorized user could redirect pod traffic to private networks on a node (NVD severity of this issue: Low).

By exploiting the vulnerability, attackers can hijack your cluster’s network traffic, potentially leading to sensitive data leaks.

Objects targeted by this rule (kind): EndpointSlice

Complexity: hard

Policy as code identifier: ENDPOINTSLICE_CVE2021_25373_INCORRECT_ADDRESSES_VALUE


This rule will fail

If an EndpointSlice is created or modified with an entry in endpoints.addresses that falls within the 127.0.0.0/8 or 169.254.0.0/16 internal ranges.

kind: EndpointSlice
endpoints:
  - addresses:
      - "169.254.23.4"

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent EndpointSlice validation from enabling host network hijack (CVE-2021-25737) [1 occurrence]
💡 Incorrect value\s for key 'addresses' - address is within vulnerable ranges (127.0.0.0/8 and 169.254.0.0/16)

How to fix this failure

Use endpoint addresses that are not in the vulnerable ranges (127.0.0.0/8 and 169.254.0.0/16).

kind: EndpointSlice
endpoints:
  - addresses:
      - "172.23.47.4"
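The check this rule performs, written out as an added Python example (not datree's own code): it walks the endpoints.addresses of an EndpointSlice manifest and reports every address inside 127.0.0.0/8 or 169.254.0.0/16. The sample manifests are constructed here to mirror the fail and fix examples above; the function names are the example's own.

```python
# Added example (not datree's own code): a stand-alone checker that applies
# the test this rule describes to an EndpointSlice manifest already parsed
# into a dict (the shape yaml.safe_load would produce).
import ipaddress

# Ranges the rule treats as vulnerable, taken from the rule text.
VULNERABLE_RANGES = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
)


def is_vulnerable_address(addr: str) -> bool:
    """True if addr lies inside one of the vulnerable ranges.

    A value that does not parse as an IP address is also reported, because
    the rule cannot prove such an entry safe.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return any(ip in net for net in VULNERABLE_RANGES)


def check_endpointslice(manifest: dict) -> list:
    """Return the offending addresses of an EndpointSlice manifest.

    An empty list means the rule passes. Manifests of any other kind are
    ignored, matching the rule's target of kind EndpointSlice only.
    """
    if manifest.get("kind") != "EndpointSlice":
        return []
    offending = []
    for endpoint in manifest.get("endpoints") or []:
        for addr in endpoint.get("addresses") or []:
            if is_vulnerable_address(addr):
                offending.append(addr)
    return offending


# Constructed sample manifests mirroring the page's fail and fix examples.
FAIL_EXAMPLE = {"kind": "EndpointSlice",
                "endpoints": [{"addresses": ["169.254.23.4"]}]}
FIX_EXAMPLE = {"kind": "EndpointSlice",
               "endpoints": [{"addresses": ["172.23.47.4"]}]}

if __name__ == "__main__":
    for name, doc in (("failExample", FAIL_EXAMPLE), ("fixExample", FIX_EXAMPLE)):
        bad = check_endpointslice(doc)
        print(f"{name}: {'FAIL ' + ', '.join(bad) if bad else 'PASS'}")
```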
