Kubernetes clusters configured to use certain Container Network Interface (CNI) plugins are susceptible to man-in-the-middle (MitM) attacks, the Kubernetes Product Security Committee has warned.
The vulnerability affects clusters running the “default Kubernetes security context”, i.e. workloads that run with the CAP_NET_RAW capability.
There is no upstream fix until June 17, so users may want to apply mitigations or manually update the offending CNI plugins, which have found their way into upstream kubelet binary releases.
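One practical interim step is to find out which workloads still run with CAP_NET_RAW and to drop that capability from their container security contexts. The script below is an added example, not code from the article or from the Kubernetes project: it assumes the input is the PodList JSON that `kubectl get pods -A -o json` produces, applies the standard Kubernetes capability semantics (a container keeps NET_RAW unless it drops `NET_RAW` or `ALL` and does not add it back; a privileged container has every capability regardless), and returns the containers that still hold the capability. The `SAMPLE_PODLIST` data and the namespace, pod and image names in it are constructed for illustration; `drop_net_raw` shows the corrected security context for a flagged container.

```python
"""Audit Pod specs for containers that still hold CAP_NET_RAW.

Added example (not from the article or the Kubernetes project). Input is
assumed to be a PodList as produced by `kubectl get pods -A -o json`.
"""
import copy
import json
import sys
from typing import Dict, List, Tuple


def _norm(cap: str) -> str:
    """Normalise a capability name: Kubernetes accepts NET_RAW, some tools write CAP_NET_RAW."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def container_keeps_net_raw(container: Dict) -> bool:
    """Return True if the container runs with CAP_NET_RAW.

    Assumed Kubernetes semantics: the default security context keeps NET_RAW;
    privileged containers hold every capability; capabilities.drop of NET_RAW
    or ALL removes it unless capabilities.add lists NET_RAW again.
    """
    sc = container.get("securityContext") or {}
    if sc.get("privileged"):
        return True
    caps = sc.get("capabilities") or {}
    dropped = {_norm(c) for c in caps.get("drop") or []}
    added = {_norm(c) for c in caps.get("add") or []}
    if "NET_RAW" in added:
        return True
    return not ({"ALL", "NET_RAW"} & dropped)


def audit_podlist(podlist: Dict) -> List[Tuple[str, str, str]]:
    """Return (namespace, pod, container) triples for containers keeping NET_RAW."""
    findings = []
    for pod in podlist.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        # init containers run with the same capability rules, so check them too
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            if container_keeps_net_raw(c):
                findings.append((meta.get("namespace", "default"), meta.get("name", "?"), c["name"]))
    return findings


def drop_net_raw(container: Dict) -> Dict:
    """Return a copy of the container spec with NET_RAW dropped (the mitigation).

    A privileged container is left as-is: dropping capabilities does not
    constrain it, so it must be de-privileged separately.
    """
    hardened = copy.deepcopy(container)
    sc = hardened.setdefault("securityContext", {})
    caps = sc.setdefault("capabilities", {})
    drop = list(caps.get("drop") or [])
    if not ({"ALL", "NET_RAW"} & {_norm(c) for c in drop}):
        drop.append("NET_RAW")
    caps["drop"] = drop
    # never add NET_RAW back, which would undo the drop
    caps["add"] = [c for c in (caps.get("add") or []) if _norm(c) != "NET_RAW"]
    return hardened


# Constructed sample PodList: one default-context pod, two hardened pods, and
# one that drops ALL but adds NET_RAW back (still affected).
SAMPLE_PODLIST = {
    "apiVersion": "v1", "kind": "PodList",
    "items": [
        {"metadata": {"namespace": "shop", "name": "web-default"},
         "spec": {"containers": [{"name": "app", "image": "example/app:1"}]}},
        {"metadata": {"namespace": "shop", "name": "web-hardened"},
         "spec": {"containers": [{"name": "app", "image": "example/app:1",
                                  "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}}]}},
        {"metadata": {"namespace": "shop", "name": "web-drop-all"},
         "spec": {"containers": [{"name": "app", "image": "example/app:1",
                                  "securityContext": {"capabilities": {"drop": ["ALL"],
                                                                       "add": ["NET_BIND_SERVICE"]}}}]}},
        {"metadata": {"namespace": "infra", "name": "probe"},
         "spec": {"containers": [{"name": "ping", "image": "example/probe:1",
                                  "securityContext": {"capabilities": {"drop": ["ALL"],
                                                                       "add": ["NET_RAW"]}}}]}},
    ],
}


if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json | python audit_net_raw.py
    podlist = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PODLIST
    for ns, pod, container in audit_podlist(podlist):
        print(f"{ns}/{pod} container={container} keeps CAP_NET_RAW")
```

Running it on a live cluster is a one-liner (`kubectl get pods -A -o json | python audit_net_raw.py`); on the constructed sample it flags `shop/web-default` and `infra/probe`. The audit reads only the declared spec, so a pod admission policy that rejects containers without `drop: [NET_RAW]` is the durable complement to this spot check.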
What Does This Kubernetes Bug Do?
The container networking vulnerability can be exploited by sending rogue IPv6 router advertisements: this lets a malicious container reconfigure the host so that its IPv6 traffic is redirected to an attacker-controlled container.
(n.b. “Even if there was no IPv6 traffic before, if the DNS returns A (IPv4) and AAAA (IPv6) records, many HTTP libraries will try to connect via IPv6 first then fall back to IPv4, giving an opportunity to the attacker to respond.”)
Where Is the Bug?
The bug is not in Kubernetes per se, but in various CNI plugins.
These have been bundled into various upstream binary releases of the kubelet (the lowest-level component in Kubernetes), including those installed from the upstream Kubernetes community repositories hosted at https://packages.cloud.google.com/.