Fix recommendation 1.2.3 Ensure that the DenyServiceExternalIPs is set #1606

andypitcher opened this issue Apr 30, 2024 · 0 comments
andypitcher commented Apr 30, 2024

Overview

Impacted versions: all since its implementation in CIS-1.23.

The check 1.2.3 Ensure that the DenyServiceExternalIPs is set (since CIS-1.7, and described in the previous CIS versions 1.23/1.24 as 1.2.3 Ensure that the DenyServiceExternalIPs is not set) has some issues, which have also been reported to CIS Workbench, see ticket.
Generally speaking, the purpose of DenyServiceExternalIPs is to prevent the use of the ExternalIP parameter in a Kubernetes service, for example to prevent the exposure of a pod, either intentionally or by mistake.

An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
This issue is a design flaw that cannot be mitigated without user-facing changes.

This plugin was created to mitigate CVE-2020-8554: Man in the middle using LoadBalancer or ExternalIPs.

The current problem resides in CIS-1.23 up to CIS-1.8, but below is the list of changes that should take place for each version:

  • CIS-1.7 to CIS-1.8:

  • In CIS-1.23 and CIS-1.24:

    • PR: Pending approval for creation
      • Update the text to Ensure that the --DenyServiceExternalIPs is set
      • Update the tests and remediations based on CIS-1.7/CIS-1.8

Expected behaviour to comply with 1.2.3:

  • When DenyServiceExternalIPs is enabled (--enable-admission-plugins=DenyServiceExternalIPs), and a service is created with externalIPs, the kube-apiserver will return the following error:

Error from server (Forbidden): error when creating "my_service.yaml": services "my-service" is forbidden: Use of external IPs is denied by admission control

  • When DenyServiceExternalIPs is enabled (--enable-admission-plugins=DenyServiceExternalIPs), and a service is patched (such as the Kubernetes service) with externalIPs, the kube-apiserver will return the following error:

Error from server (Forbidden): error when applying patch: {metadata} for "/tmp/kubernetes_services.yaml": services "kubernetes" is forbidden: Use of external IPs is denied by admission control

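The audit behind recommendation 1.2.3 and the two denial cases listed in the issue above, as an added example that is not the issue author's code, kube-bench's code, or CIS benchmark text. It checks a kube-apiserver command line for the DenyServiceExternalIPs plugin, and models the decision the plugin makes on Service create and update (create denied when spec.externalIPs is non-empty; update denied only when an externalIP is added that the stored object did not already have). The command lines and Service objects are constructed sample data, and the function names are this example's own.

```python
"""Added example: not code from the kube-bench project, the issue author or the
CIS benchmark. (1) audits a kube-apiserver command line for the
DenyServiceExternalIPs admission plugin, as a CIS 1.2.3 check would, and
(2) models the admission decision that plugin makes on Service create/update,
so the "Use of external IPs is denied" cases can be reasoned about offline.
All command lines and Service objects below are constructed sample data."""
import shlex
from typing import Optional, Set, Tuple

PLUGIN = "DenyServiceExternalIPs"
DENY_MSG = "Use of external IPs is denied by admission control"


def enabled_admission_plugins(cmdline: str) -> Set[str]:
    """Return the plugin names from every --enable-admission-plugins flag.

    The flag takes a comma-separated list and may be written either as
    --enable-admission-plugins=A,B or as --enable-admission-plugins A,B.
    In a real audit the command line would come from the running process
    (ps) or from the static pod manifest
    /etc/kubernetes/manifests/kube-apiserver.yaml (assumed location).
    """
    enabled: Set[str] = set()
    argv = shlex.split(cmdline)
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--enable-admission-plugins="):
            value = arg.split("=", 1)[1]
        elif arg == "--enable-admission-plugins" and i + 1 < len(argv):
            i += 1
            value = argv[i]
        else:
            i += 1
            continue
        enabled.update(p.strip() for p in value.split(",") if p.strip())
        i += 1
    return enabled


def check_1_2_3(cmdline: str) -> Tuple[bool, str]:
    """CIS 1.2.3 as worded since CIS-1.7: PASS only if the plugin is enabled."""
    if PLUGIN in enabled_admission_plugins(cmdline):
        return True, f"PASS: {PLUGIN} is enabled"
    return False, f"FAIL: {PLUGIN} is missing from --enable-admission-plugins"


def admit_service(plugin_enabled: bool, new_svc: dict,
                  old_svc: Optional[dict] = None) -> Tuple[bool, str]:
    """Model of the DenyServiceExternalIPs decision for a Service object.

    - CREATE (old_svc is None): denied when spec.externalIPs is non-empty.
    - UPDATE: denied when the new object carries any externalIP that the old
      object did not already have; shrinking or clearing the list is allowed,
      so existing Services can still be cleaned up after the plugin is enabled.
    """
    if not plugin_enabled:
        return True, "admitted (plugin disabled)"
    new_ips = set(new_svc.get("spec", {}).get("externalIPs") or [])
    old_ips = set((old_svc or {}).get("spec", {}).get("externalIPs") or [])
    if new_ips - old_ips:
        name = new_svc.get("metadata", {}).get("name", "<unknown>")
        return False, f'services "{name}" is forbidden: {DENY_MSG}'
    return True, "admitted"


# Constructed sample command lines: the weak one omits the plugin, the fixed
# one adds it to the existing --enable-admission-plugins list.
WEAK_CMDLINE = ("kube-apiserver --advertise-address=10.0.0.1 "
                "--enable-admission-plugins=NodeRestriction --secure-port=6443")
FIXED_CMDLINE = ("kube-apiserver --advertise-address=10.0.0.1 "
                 "--enable-admission-plugins=NodeRestriction,DenyServiceExternalIPs "
                 "--secure-port=6443")

# Constructed Service objects, in the shape kubectl sends to the API server.
SVC_WITH_EXTERNAL_IP = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "my-service"},
    "spec": {"type": "ClusterIP", "externalIPs": ["192.0.2.10"],
             "ports": [{"port": 80}]},
}
SVC_PLAIN = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "my-service"},
    "spec": {"type": "ClusterIP", "ports": [{"port": 80}]},
}


if __name__ == "__main__":
    for label, cmd in (("weak", WEAK_CMDLINE), ("fixed", FIXED_CMDLINE)):
        print(label, check_1_2_3(cmd)[1])
    on = check_1_2_3(FIXED_CMDLINE)[0]
    print("create with externalIPs:", admit_service(on, SVC_WITH_EXTERNAL_IP)[1])
    print("patch adding externalIPs:", admit_service(on, SVC_WITH_EXTERNAL_IP, SVC_PLAIN)[1])
    print("patch removing externalIPs:", admit_service(on, SVC_PLAIN, SVC_WITH_EXTERNAL_IP)[1])
```

The update rule matters for remediation: after the plugin is enabled, a Service that already carries externalIPs is not rejected on every subsequent update, only on updates that introduce new IPs, so clearing the field on existing Services is still possible without first disabling the plugin.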
@andypitcher andypitcher changed the title Fix recommendation1.2.3 Ensure that the DenyServiceExternalIPs is set Fix recommendation 1.2.3 Ensure that the DenyServiceExternalIPs is set Apr 30, 2024