# Fix recommendation 1.2.3 Ensure that the DenyServiceExternalIPs is set

Opened by andypitcher (title changed Apr 30, 2024)

## Overview

Impacted versions: all since its implementation in CIS-1.23.

The check `1.2.3 Ensure that the DenyServiceExternalIPs is set` since CIS-1.7, and in previous CIS versions 1.23/1.24 (described as `1.2.3 Ensure that the DenyServiceExternalIPs is not set`), has some issues, which have also been reported to CIS Workbench, see ticket.

Generally speaking, the use of `DenyServiceExternalIPs` is to prevent the use of the ExternalIP parameter in a Kubernetes service, to prevent the exposure of a pod for example, either intentionally or by mistake. This plugin was created to mitigate CVE-2020-8554: Man in the middle using LoadBalancer or ExternalIPs.

An attacker that is able to create a ClusterIP service and set the `spec.externalIPs` field can intercept traffic to that IP. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the `status.loadBalancer.ingress.ip` to similar effect.

This issue is a design flaw that cannot be mitigated without user-facing changes.

The current problem resides in CIS-1.23 up to CIS-1.8, but below is the list of changes that should take place for each version:

CIS-1.7 to CIS-1.8:

- PR: `1.2.3 Ensure that the DenyServiceExternalIPs is set` in CIS-1.7/1.8 #1607
- Update the test operand from `have` to `has` (the `have` operand doesn't seem to exist, and produces by default a WARN even if the plugin is enabled)
- Update the remediation to specify how to use the flag

In CIS-1.23 and CIS-1.24:

- PR: Pending approval for creation
- Update the text to `Ensure that the --DenyServiceExternalIPs is set`
- Update the tests and remediations based on CIS-1.7/CIS-1.8

## Expected behaviour to comply with 1.2.3

When `DenyServiceExternalIPs` is enabled (`--enable-admission-plugins=DenyServiceExternalIPs`), and a service is created with `externalIPs`, the kube-apiserver will return the following error:

```
Error from server (Forbidden): error when creating "my_service.yaml": services "my-service" is forbidden: Use of external IPs is denied by admission control
```

When `DenyServiceExternalIPs` is enabled (`--enable-admission-plugins=DenyServiceExternalIPs`), and a service is patched (such as the `kubernetes` service) with `externalIPs`, the kube-apiserver will return the following error:

```
Error from server (Forbidden): error when applying patch: {metadata} for "/tmp/kubernetes_services.yaml": services "kubernetes" is forbidden: Use of external IPs is denied by admission control
```
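The following script is an added example and is not kube-bench's, CIS's or the issue author's code. It implements the audit this issue is about: deciding whether `DenyServiceExternalIPs` is an element of the kube-apiserver `--enable-admission-plugins` list (the `has` semantics, matching a whole comma-separated element rather than a substring), reading the flag from the running process the way the CIS audit command does, and printing the remediation when it is missing. It also emits a constructed Service manifest with `spec.externalIPs` that can be applied against a cluster to confirm the Forbidden error shown above. The function names, the `--live` switch, the placeholder `203.0.113.10` address and the `my-app` selector are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not kube-bench's or CIS's own code. Implements the check that
# CIS 1.2.3 needs: is DenyServiceExternalIPs an element of the kube-apiserver
# --enable-admission-plugins list? The match is on whole list elements, not a
# substring, which is the "has" semantics the issue asks for.

# admission_plugin_enabled PLUGIN ARG... -> 0 if PLUGIN is enabled, 1 otherwise.
# ARG... is the apiserver command line split into words; both "--flag=value"
# and "--flag value" spellings are handled.
admission_plugin_enabled() {
    plugin=$1; shift
    enabled=""; disabled=""; expect=""
    for arg in "$@"; do
        if [ -n "$expect" ]; then
            case $expect in
                enable)  enabled=$arg ;;
                disable) disabled=$arg ;;
            esac
            expect=""
            continue
        fi
        case $arg in
            --enable-admission-plugins=*)  enabled=${arg#*=} ;;
            --disable-admission-plugins=*) disabled=${arg#*=} ;;
            --enable-admission-plugins)    expect=enable ;;
            --disable-admission-plugins)   expect=disable ;;
        esac
    done
    # Conservative: a plugin named under --disable-admission-plugins is
    # treated as not enabled regardless of the enable list.
    case ",$disabled," in *",$plugin,"*) return 1 ;; esac
    case ",$enabled," in *",$plugin,"*) return 0 ;; esac
    return 1
}

# Audit the running apiserver on a control-plane node, the way the CIS audit
# command does (ps output), and print a kube-bench style verdict with the
# remediation: add the plugin to the static pod manifest's flag.
check_running_apiserver() {
    # shellcheck disable=SC2046  # word splitting of the ps line is intended
    if admission_plugin_enabled DenyServiceExternalIPs $(ps -ef | grep kube-apiserver | grep -v grep); then
        echo "PASS 1.2.3: DenyServiceExternalIPs is enabled"
        return 0
    fi
    echo "FAIL 1.2.3: add DenyServiceExternalIPs to --enable-admission-plugins" \
         "in /etc/kubernetes/manifests/kube-apiserver.yaml"
    return 1
}

# Constructed Service manifest with spec.externalIPs (placeholder values).
# With the plugin enabled, 'kubectl apply -f' of this must be rejected with
# "Use of external IPs is denied by admission control"; if it is admitted,
# the control is not in place.
external_ip_service_manifest() {
    cat <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    app: my-app
  ports:
    - port: 80
      targetPort: 8080
  externalIPs:
    - 203.0.113.10   # TEST-NET-3 address, placeholder only
EOF
}

# Only touch the live process when asked, so the functions can be sourced
# and exercised offline.
if [ "${1:-}" = "--live" ]; then
    check_running_apiserver
fi
```

Run it on a control-plane node as `sh check-1.2.3.sh --live` to audit the running kube-apiserver, or pipe `external_ip_service_manifest` into `kubectl apply -f -` on a test cluster to confirm that the admission plugin rejects the service. Matching on `,PLUGIN,` after padding both lists with commas is what distinguishes this from a substring test: a list containing only a differently named plugin that happens to start with the same characters does not pass.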