CVE-2020-8558 is a critical vulnerability in Kubernetes that has significant implications for organizations using the platform. By understanding the vulnerability, its impact, and the recommended mitigations, organizations can take proactive steps to protect their Kubernetes clusters and prevent potential attacks.
The vulnerability exists in kube-proxy, a critical component running on every Kubernetes node that manages the network rules (usually iptables or IPVS) that implement the Service abstraction.
With route_localnet=1 active on the node, an attacker on the same local area network (LAN) or a malicious container on the node can send specially crafted packets to the node's MAC address with a destination IP of 127.0.0.1.
```http
GET /metrics HTTP/1.1
```
The impact of CVE-2020-8558 is significant. Among the consequences for an exposed node:

- Other local services, such as health checks or metadata APIs, may expose sensitive configuration data or secrets.

Affected Versions

| Component | Versions Affected | Role |
| --- | --- | --- |
| kube-proxy | ≤ 1.18.0 | iptables/IPVS rule generator |
| kubelet (optional) | all if reachable | Exposes metrics, pprof, logs on 127.0.0.1:10248/10250 |
| Node OS | Any with route_localnet=1 | Default on many distributions (e.g., GKE, kubeadm) |

Ensure that ports 10249 (metrics) and 10256 (health check) are not accessible from untrusted networks.
Apply Kubernetes Network Policies to restrict traffic to the kube-system namespace where kube-proxy typically resides.
If you cannot immediately upgrade, you can mitigate the risk by restricting access to the kube-proxy ports using network policies or firewall rules.
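A node-side audit for the two conditions described on this page (route_localnet=1 on a non-loopback interface, and no compensating firewall rule), as an added example that is not code from the page or from the Kubernetes project. It assumes the loopback guard rule that the upstream Kubernetes advisory for this CVE recommends; the sysctl and iptables-save inputs are constructed samples.

```shell
#!/bin/sh
# CVE-2020-8558 node audit (added example; not code from the page or from Kubernetes).
# Both checks take their input as text so they run offline on the constructed samples
# below; on a real node feed them the output of "sysctl net.ipv4.conf" and "iptables-save".

# Print each interface (or "all"/"default") whose route_localnet sysctl is 1. On anything
# but "lo" this lets the node accept packets whose destination is 127.0.0.0/8.
risky_route_localnet() {
    printf '%s\n' "$1" | awk -F'[. =]+' '
        $1 == "net" && $3 == "conf" && $5 == "route_localnet" && $6 == "1" && $4 != "lo" { print $4 }'
}

# Print "yes" when the INPUT chain carries the loopback guard rule from the upstream
# Kubernetes advisory (drop packets to 127.0.0.0/8 that did not come from loopback and are
# not part of an established or DNATed connection), otherwise "no".
loopback_guard_present() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /! -s 127\.0\.0\.0\/8/ && /-d 127\.0\.0\.0\/8/ && /-j DROP/ { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# Combine both: exposed only if a non-lo interface has the setting and no guard rule
# compensates. Prints "exposed" or "ok".
verdict() {
    risky="$(risky_route_localnet "$1")"
    guard="$(loopback_guard_present "$2")"
    if [ -n "$risky" ] && [ "$guard" = "no" ]; then echo exposed; else echo ok; fi
}

# Constructed sample: kubeadm-style node, setting enabled on eth0, guard rule absent.
SAMPLE_SYSCTL='net.ipv4.conf.all.route_localnet = 0
net.ipv4.conf.default.route_localnet = 0
net.ipv4.conf.eth0.route_localnet = 1
net.ipv4.conf.lo.route_localnet = 1'
SAMPLE_IPTABLES='*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m tcp --dport 443 -j KUBE-SVC-PLACEHOLDER
COMMIT'
# The advisory's guard rule as iptables-save prints it; appended to make a "patched" sample.
GUARD_RULE='-A INPUT ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP'
PATCHED_IPTABLES="$(printf '%s\n%s' "$SAMPLE_IPTABLES" "$GUARD_RULE")"

printf 'route_localnet=1 on: %s\n' "$(risky_route_localnet "$SAMPLE_SYSCTL" | tr '\n' ' ')"
printf 'verdict without guard rule: %s\n' "$(verdict "$SAMPLE_SYSCTL" "$SAMPLE_IPTABLES")"
printf 'verdict with guard rule:    %s\n' "$(verdict "$SAMPLE_SYSCTL" "$PATCHED_IPTABLES")"
```

The guard rule is a stop-gap for nodes that cannot be upgraded yet; upgrading kube-proxy remains the real fix.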
Service endpoints bound to 127.0.0.1 were expected to be reachable only by local processes. Nothing in the default kube-proxy configuration prevented a remote pod from reaching those loopback-bound ports by addressing packets to the node.