A vulnerability has been found in Kubernetes kube-apiserver in which an authorized user could redirect pod traffic to private networks on a node (NVD severity of this issue: Low).
By exploiting the vulnerability, attackers can hijack your cluster’s network traffic, potentially leading to sensitive data leaks.
Targeted resources by this rule (types of
Enabled by default? False
Policy as code identifier: ENDPOINTSLICE_CVE2021_25373_INCORRECT_ADDRESSES_VALUE
This rule will fail
If an EndpointSlice is created or modified with an address in endpoints.addresses that falls within the 127.0.0.0/8 or 169.254.0.0/16 internal ranges.
Rule output in the CLI
$ datree test *.yaml
>> File: failExample.yaml
❌ Prevent EndpointSlice validation from enabling host network hijack (CVE-2021-25737) [1 occurrence]
💡 Incorrect value\s for key 'addresses' - address is within vulnerable ranges (127.0.0.0/8 and 169.254.0.0/16)
How to fix this failure
Use endpoint addresses that are not in the vulnerable ranges (127.0.0.0/8 and 169.254.0.0/16).
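As an added example (not Datree's code and not the Kubernetes project's validation), the following Python script applies the same check the rule describes to two constructed EndpointSlice manifests: one that should fail because its addresses fall in the 127.0.0.0/8 and 169.254.0.0/16 ranges, and one that should pass. The manifest contents, the names FAIL_EXAMPLE and PASS_EXAMPLE, and the helper functions are assumptions made for this illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# The address ranges named by the rule (CVE-2021-25737): IPv4 loopback and link-local.
VULNERABLE_RANGES = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Constructed manifests (assumed, not from the page) in the shape kubectl would read.
FAIL_EXAMPLE: Dict = {
    "apiVersion": "discovery.k8s.io/v1",
    "kind": "EndpointSlice",
    "metadata": {"name": "fail-example", "labels": {"kubernetes.io/service-name": "demo"}},
    "addressType": "IPv4",
    "ports": [{"name": "http", "protocol": "TCP", "port": 80}],
    "endpoints": [
        {"addresses": ["127.0.0.1"]},        # loopback on the node: in 127.0.0.0/8
        {"addresses": ["169.254.10.20"]},    # link-local: in 169.254.0.0/16
    ],
}

PASS_EXAMPLE: Dict = {
    "apiVersion": "discovery.k8s.io/v1",
    "kind": "EndpointSlice",
    "metadata": {"name": "pass-example", "labels": {"kubernetes.io/service-name": "demo"}},
    "addressType": "IPv4",
    "ports": [{"name": "http", "protocol": "TCP", "port": 80}],
    "endpoints": [
        {"addresses": ["10.1.2.3"]},         # ordinary pod IP, outside both ranges
    ],
}


def vulnerable_addresses(manifest: Dict) -> List[str]:
    """Return every endpoints[*].addresses[*] entry that lies in a vulnerable range.

    Non-EndpointSlice objects and entries that are not IP literals (for example an
    addressType of FQDN) are skipped, because the rule only concerns IP ranges.
    """
    if manifest.get("kind") != "EndpointSlice":
        return []
    offending: List[str] = []
    for endpoint in manifest.get("endpoints") or []:
        for addr in endpoint.get("addresses") or []:
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                continue  # not an IP literal; nothing for this rule to check
            if any(ip in net for net in VULNERABLE_RANGES):
                offending.append(addr)
    return offending


def check_manifests(manifests: List[Dict]) -> List[Tuple[str, List[str]]]:
    """Return (name, offending addresses) for each manifest that fails the rule."""
    failures = []
    for manifest in manifests:
        bad = vulnerable_addresses(manifest)
        if bad:
            name = manifest.get("metadata", {}).get("name", "<unnamed>")
            failures.append((name, bad))
    return failures


if __name__ == "__main__":
    for name, bad in check_manifests([FAIL_EXAMPLE, PASS_EXAMPLE]):
        print(f"{name}: addresses within vulnerable ranges (127.0.0.0/8, 169.254.0.0/16): {bad}")
```

A manifest fails when any entry of endpoints[*].addresses parses as an IP inside one of the two ranges; the fix is the one the page gives, replacing those entries with addresses outside the ranges, which is why PASS_EXAMPLE produces no finding.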