☑️ Prevent EndpointSlice validation from enabling host network hijack (CVE-2021-25737)

A vulnerability has been found in Kubernetes kube-apiserver in which an authorized user could redirect pod traffic to private networks on a node (NVD severity of this issue: Low).

By exploiting the vulnerability, attackers can hijack your cluster’s network traffic, potentially leading to sensitive data leaks.

Resources targeted by this rule (kind): EndpointSlice

Enabled by default? False

Policy as code identifier: ENDPOINTSLICE_CVE2021_25373_INCORRECT_ADDRESSES_VALUE

This rule will fail

If an EndpointSlice is created or modified with any endpoints[].addresses entry inside the 127.0.0.0/8 (loopback) or 169.254.0.0/16 (link-local) internal ranges.


Rule output in the CLI


How to fix this failure

Use endpoint addresses that are outside the vulnerable ranges (127.0.0.0/8 loopback and 169.254.0.0/16 link-local), i.e. the pod or node IPs the Service actually fronts.
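The following is an added example (not Datree's rule engine or code from this page) that implements the check described in the "This rule will fail" and "How to fix this failure" sections as a stand-alone Python script: it walks endpoints[].addresses of an EndpointSlice and reports every address that falls in 127.0.0.0/8 or 169.254.0.0/16. The two manifests are constructed for the example and are written as Python dicts (the shape a YAML loader would produce) so the script runs without extra dependencies; the handling of IPv4-mapped IPv6 literals is an assumption added here and goes slightly beyond the two ranges the rule text names.

```python
import ipaddress

# Ranges the rule rejects, exactly as stated on the page: loopback and link-local.
BLOCKED_RANGES = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
)


def offending_addresses(endpoint_slice):
    """Return (endpoint_index, address, blocked_range) for every address in
    endpoints[].addresses that lies inside one of BLOCKED_RANGES."""
    findings = []
    for idx, endpoint in enumerate(endpoint_slice.get("endpoints") or []):
        for addr in endpoint.get("addresses") or []:
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                # Not an IP literal (e.g. addressType FQDN); outside this rule's scope.
                continue
            # Assumption (added here): treat an IPv4-mapped IPv6 literal such as
            # ::ffff:127.0.0.1 as the IPv4 address it embeds, so it cannot slip past
            # an IPv4-only range check.
            if ip.version == 6 and ip.ipv4_mapped is not None:
                ip = ip.ipv4_mapped
            for net in BLOCKED_RANGES:
                if ip in net:
                    findings.append((idx, addr, str(net)))
    return findings


def rule_passes(endpoint_slice):
    """True when no endpoint address is in a blocked range."""
    return not offending_addresses(endpoint_slice)


# Constructed manifest that the rule should reject: two of its three endpoints
# point at loopback and link-local addresses.
FAILING_SLICE = {
    "apiVersion": "discovery.k8s.io/v1",
    "kind": "EndpointSlice",
    "metadata": {"name": "example-abc", "labels": {"kubernetes.io/service-name": "example"}},
    "addressType": "IPv4",
    "ports": [{"name": "http", "protocol": "TCP", "port": 80}],
    "endpoints": [
        {"addresses": ["10.1.2.3"], "conditions": {"ready": True}},
        {"addresses": ["127.0.0.1"], "conditions": {"ready": True}},
        {"addresses": ["169.254.169.254"], "conditions": {"ready": True}},
    ],
}

# Constructed manifest that satisfies the remediation: only ordinary pod IPs.
PASSING_SLICE = {
    "apiVersion": "discovery.k8s.io/v1",
    "kind": "EndpointSlice",
    "metadata": {"name": "example-abc", "labels": {"kubernetes.io/service-name": "example"}},
    "addressType": "IPv4",
    "ports": [{"name": "http", "protocol": "TCP", "port": 80}],
    "endpoints": [
        {"addresses": ["10.1.2.3"], "conditions": {"ready": True}},
        {"addresses": ["10.1.2.4"], "conditions": {"ready": True}},
    ],
}


def main():
    for label, manifest in (("failing", FAILING_SLICE), ("passing", PASSING_SLICE)):
        name = manifest["metadata"]["name"]
        findings = offending_addresses(manifest)
        if findings:
            print(f"[{label}] EndpointSlice/{name}: FAIL")
            for idx, addr, net in findings:
                print(f"  endpoints[{idx}].addresses contains {addr} (in {net})")
        else:
            print(f"[{label}] EndpointSlice/{name}: PASS")


if __name__ == "__main__":
    main()
```

Running the script prints a FAIL line for the first manifest naming both offending endpoints and a PASS line for the second; the same function can be pointed at any loaded manifest, for example as a pre-apply check in CI, so the invalid addresses are caught before kube-apiserver ever sees them.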

