
Fix recommendation `1.2.3 Ensure that the DenyServiceExternalIPs is set`

Open andypitcher opened this issue 1 year ago • 0 comments

Overview

Impacted versions: all since its implementation in CIS-1.23.

The check 1.2.3 Ensure that the DenyServiceExternalIPs is set (since CIS-1.7, and described in the previous CIS versions 1.23/1.24 as 1.2.3 Ensure that the DenyServiceExternalIPs is not set) has some issues, which have also been reported to CIS Workbench, see ticket. Generally speaking, the purpose of DenyServiceExternalIPs is to prevent the use of the externalIPs parameter in a Kubernetes service, for example to prevent the exposure of a pod, either intentionally or by mistake.

An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect. This issue is a design flaw that cannot be mitigated without user-facing changes.

This plugin was created to mitigate CVE-2020-8554: Man in the middle using LoadBalancer or ExternalIPs.

The current problem exists from CIS-1.23 up to CIS-1.8; below is the list of changes that should take place for each version:

  • [ ] CIS-1.7 to CIS-1.8:

    • PR: #1607
      • Update the test operand from have to has (the have operand doesn't seem to exist, and produces a WARN by default even if the plugin is enabled)
      • Update remediation to specify how to use the flag
  • [ ] In CIS-1.23 and CIS-1.24:

    • PR: Pending approval for creation
      • Update the text to Ensure that the --DenyServiceExternalIPs is set
      • Update the tests and remediations based on CIS-1.7/CIS-1.8

Expected behaviour to comply with 1.2.3:

  • When DenyServiceExternalIPs is enabled (--enable-admission-plugins=DenyServiceExternalIPs), and a service is created with externalIPs, the kube-apiserver will return the following error:

Error from server (Forbidden): error when creating "my_service.yaml": services "my-service" is forbidden: Use of external IPs is denied by admission control

  • When DenyServiceExternalIPs is enabled (--enable-admission-plugins=DenyServiceExternalIPs), and a service (such as the kubernetes service) is patched with externalIPs, the kube-apiserver will return the following error:

Error from server (Forbidden): error when applying patch: {metadata} for "/tmp/kubernetes_services.yaml": services "kubernetes" is forbidden: Use of external IPs is denied by admission control

andypitcher, Apr 30 '24 23:04
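The check the issue describes, written out as a stand-alone POSIX sh script. This is an added example, not kube-bench's own code or test definition: it emulates what a correct 1.2.3 audit has to do (read the kube-apiserver command line, treat --enable-admission-plugins as a comma-separated list, and make sure DenyServiceExternalIPs is not also listed under --disable-admission-plugins, which overrides the enable list). The command lines in the block are constructed samples, and the flag names are the real kube-apiserver flags; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: emulate the kube-bench 1.2.3 check in plain sh.
# Handles both "--flag=value" and "--flag value" forms of the apiserver flags.

# flag_value FLAG CMDLINE: print the value of --FLAG (empty if the flag is absent).
flag_value() {
  printf '%s\n' "$2" | tr ' ' '\n' | awk -v f="--$1" '
    $0 == f { getline; print; exit }
    index($0, f "=") == 1 { print substr($0, length(f) + 2); exit }'
}

# has_plugin NAME LIST: succeed if NAME is one element of the comma-separated LIST
# (a whole-element match, so "DenyServiceExternalIPsFoo" does not count).
has_plugin() {
  case ",$2," in
    *",$1,"*) return 0 ;;
  esac
  return 1
}

# check_1_2_3 CMDLINE: PASS (return 0) only if DenyServiceExternalIPs is enabled
# and not explicitly disabled; FAIL (return 1) otherwise.
check_1_2_3() {
  enabled=$(flag_value enable-admission-plugins "$1")
  disabled=$(flag_value disable-admission-plugins "$1")
  if has_plugin DenyServiceExternalIPs "$disabled"; then
    echo "FAIL: DenyServiceExternalIPs is listed in --disable-admission-plugins"
    return 1
  fi
  if has_plugin DenyServiceExternalIPs "$enabled"; then
    echo "PASS: DenyServiceExternalIPs is listed in --enable-admission-plugins"
    return 0
  fi
  echo "FAIL: DenyServiceExternalIPs is not in --enable-admission-plugins"
  return 1
}

# external_ip_service_manifest: print a Service that sets spec.externalIPs, to
# confirm the admission plugin on a live cluster (expect the Forbidden error).
external_ip_service_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    app: my-app
  ports:
    - port: 80
  externalIPs:
    - 192.0.2.10
EOF
}

# Constructed sample command lines (not taken from a real node).
PASS_CMD='kube-apiserver --enable-admission-plugins=NodeRestriction,DenyServiceExternalIPs --authorization-mode=Node,RBAC'
FAIL_CMD='kube-apiserver --enable-admission-plugins=NodeRestriction --authorization-mode=Node,RBAC'

check_1_2_3 "$PASS_CMD"
check_1_2_3 "$FAIL_CMD"
```

On a real control-plane node, feed the function the actual process line, for example `check_1_2_3 "$(ps -ef | grep '[k]ube-apiserver')"`, and confirm the runtime behaviour with `external_ip_service_manifest | kubectl apply -f -`, which should fail with the "Use of external IPs is denied by admission control" error quoted above when the plugin is active.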