Block Services with external IPs
This page explains how to block use of the .spec.externalIPs field in your cluster, and so control how Services with externalIP addresses are managed.
The .spec.externalIPs field allows Services to be exposed using directly specified external IP addresses, but it can enable traffic interception attacks, as documented in CVE-2020-8554.
Enabling the DenyServiceExternalIPs admission controller disables the ability for users to specify external IP addresses for Services across the entire cluster.
See CVE-2020-8554 for more details.
Any user who can create a Service with external IPs can:
- intercept other users' outbound traffic to arbitrary cluster-external IPs.
- (non-deterministically) steal other users' inbound traffic to their own external IPs.
If you still rely on externalIPs in your cluster, this document describes mechanisms that cluster administrators can use to disable the feature entirely or enforce policies that restrict how and by whom it can be used.
Before you begin
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:
If you want to prevent the use of externalIPs entirely, you can enable the DenyServiceExternalIPs admission controller.
Enable the admission controller by adding it to the --enable-admission-plugins flag (a comma-separated list; keep any plugins that are already enabled):
kube-apiserver --enable-admission-plugins=DenyServiceExternalIPs
Once you have made this edit, restart each API server in turn.
If you use kubeadm, add DenyServiceExternalIPs to the enable-admission-plugins list under apiServer.extraArgs in the kubeadm ClusterConfiguration (again a comma-separated list, so keep any plugins that are already enabled):
apiServer:
  extraArgs:
    enable-admission-plugins: DenyServiceExternalIPs
Once you have made this edit, restart each API server in turn.
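Before turning the controller on, an administrator usually wants to know which Services still set .spec.externalIPs (the workloads that depend on the feature) and whether any external IP is claimed by more than one Service. The following Python script is an added example, not part of the Kubernetes documentation: it runs that pre-flight check over the JSON that `kubectl get services --all-namespaces -o json` prints (a constructed sample is embedded so it runs offline; pipe the real command's output into it on a cluster) and shows how to append the plugin to an existing --enable-admission-plugins value without dropping plugins already listed.

```python
import json
import sys

# Constructed sample shaped like `kubectl get svc -A -o json` output (not real cluster data).
SAMPLE_SERVICE_LIST = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "default", "name": "web"},
         "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"]}},
        {"metadata": {"namespace": "kube-system", "name": "kube-dns"},
         "spec": {"type": "ClusterIP"}},
        {"metadata": {"namespace": "team-a", "name": "api"},
         "spec": {"type": "LoadBalancer", "externalIPs": ["203.0.113.10", "198.51.100.7"]}},
    ],
})


def services_with_external_ips(service_list_json):
    """Return [(namespace, name, [ips])] for every Service that sets .spec.externalIPs.
    Review each one before enabling the controller: no new ones can be created afterwards."""
    found = []
    for item in json.loads(service_list_json).get("items", []):
        ips = item.get("spec", {}).get("externalIPs") or []
        if ips:
            meta = item["metadata"]
            found.append((meta["namespace"], meta["name"], list(ips)))
    return found


def shared_external_ips(service_list_json):
    """Map each external IP to the Services claiming it, keeping only IPs claimed more than once.
    Several Services claiming one IP is how traffic meant for one tenant can reach another."""
    claims = {}
    for ns, name, ips in services_with_external_ips(service_list_json):
        for ip in ips:
            claims.setdefault(ip, []).append(f"{ns}/{name}")
    return {ip: svcs for ip, svcs in claims.items() if len(svcs) > 1}


def with_plugin_enabled(current_flag_value, plugin="DenyServiceExternalIPs"):
    """Return the --enable-admission-plugins value with the plugin appended once.
    The flag is a comma-separated list, so replacing it wholesale would drop other plugins."""
    plugins = [p for p in current_flag_value.split(",") if p]
    if plugin not in plugins:
        plugins.append(plugin)
    return ",".join(plugins)


if __name__ == "__main__":
    data = (sys.stdin.read() if not sys.stdin.isatty() else "") or SAMPLE_SERVICE_LIST
    for ns, name, ips in services_with_external_ips(data):
        print(f"{ns}/{name} externalIPs={ips}")
    for ip, svcs in shared_external_ips(data).items():
        print(f"WARNING: {ip} is claimed by more than one Service: {svcs}")
    print("new flag value:", with_plugin_enabled("NodeRestriction"))
```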