
New policy request: Blocking services with externalIP and/or externalName defined

Open · bgeesaman opened this issue 3 years ago · 0 comments

Refer to: https://github.com/kubernetes/kubernetes/issues/97076

This issue affects multitenant clusters. If a potential attacker can already create or edit services and pods, then they may be able to intercept traffic from other pods (or nodes) in the cluster.

An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
This issue is a design flaw that cannot be mitigated without user-facing changes.

There is a bespoke webhook the SIG created for stopping this: https://github.com/kubernetes-sigs/externalip-webhook

As a bonus, this is likely a very high-confidence item to block:

ExternalIP services are not widely used, so we recommend manually auditing any external IP usage. Users should not patch service status, so audit events for patch service status requests authenticated to a user may be suspicious.

bgeesaman · Aug 15 '21 15:08
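The two abuse paths the issue quotes (a Service that sets spec.externalIPs, and a principal writing a LoadBalancer Service's status) map onto two checks: an admission-style scan of Service manifests, and a detection over API-server audit events. The block below is an added example written for this page; it is not appshield's Rego policy, not the externalip-webhook's code, and not anything from the linked Kubernetes issue. It assumes the field names of the core Kubernetes Service object and of Kubernetes audit events; the rule that only principals outside the "system:" prefix are suspicious when they write services/status, and all sample manifests and audit events, are this example's own assumptions, constructed for illustration. It also covers the issue title's externalName case, which the quoted text does not discuss.

```python
"""Added example (not appshield's own policy code): flag the two abuse paths
described in the issue, given Kubernetes objects as plain Python dicts."""

from typing import Any

# Assumption: controllers that legitimately write Service status (cloud-controller-
# manager, kube-controller-manager) authenticate with a "system:" identity.
SYSTEM_PREFIX = "system:"


def service_violations(manifest: dict[str, Any]) -> list[str]:
    """Return admission-style rejection reasons for a Service manifest.

    Non-Service objects yield an empty list so the function can run over a whole
    bundle of manifests.
    """
    if manifest.get("kind") != "Service":
        return []
    meta = manifest.get("metadata") or {}
    spec = manifest.get("spec") or {}
    ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
    reasons: list[str] = []

    # Path 1 (quoted in the issue): spec.externalIPs makes kube-proxy on every node
    # forward traffic addressed to those IPs to this Service's endpoints.
    external_ips = spec.get("externalIPs") or []
    if external_ips:
        reasons.append(
            f"{ident}: spec.externalIPs={external_ips} routes traffic for those "
            "addresses to this Service's endpoints"
        )

    # Path 2 (from the issue title): an ExternalName Service turns an in-cluster
    # DNS name into a CNAME to whatever host the creator chooses.
    if spec.get("type") == "ExternalName" or spec.get("externalName"):
        reasons.append(
            f"{ident}: type=ExternalName points cluster DNS at "
            f"{spec.get('externalName')!r}"
        )
    return reasons


def suspicious_status_writes(events: list[dict[str, Any]]) -> list[str]:
    """Return one summary line per audit event in which a non-system principal
    patched or updated a Service's status subresource (the LoadBalancer path).

    Requires an audit policy that records at least Metadata level for
    services/status; events for other resources or verbs are ignored.
    """
    hits: list[str] = []
    for ev in events:
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "services" or ref.get("subresource") != "status":
            continue
        if ev.get("verb") not in ("patch", "update"):
            continue
        user = (ev.get("user") or {}).get("username", "")
        if user.startswith(SYSTEM_PREFIX):
            continue  # assumed-legitimate controller write
        hits.append(
            f"{user} verb={ev['verb']} on {ref.get('namespace')}/{ref.get('name')} "
            f"status (auditID {ev.get('auditID')})"
        )
    return hits


# Constructed sample input (not real cluster data).
SAMPLE_MANIFESTS: list[dict[str, Any]] = [
    {"kind": "Service", "metadata": {"name": "web", "namespace": "team-a"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 80}]}},
    {"kind": "Service", "metadata": {"name": "intercept", "namespace": "team-b"},
     "spec": {"type": "ClusterIP", "externalIPs": ["10.0.0.5"], "ports": [{"port": 443}]}},
    {"kind": "Service", "metadata": {"name": "db", "namespace": "team-b"},
     "spec": {"type": "ExternalName", "externalName": "attacker.example.invalid"}},
    {"kind": "Deployment", "metadata": {"name": "web", "namespace": "team-a"},
     "spec": {"replicas": 1}},
]

SAMPLE_AUDIT_EVENTS: list[dict[str, Any]] = [
    {"auditID": "a1", "verb": "patch", "user": {"username": "system:cloud-controller-manager"},
     "objectRef": {"resource": "services", "subresource": "status", "namespace": "team-a", "name": "web"}},
    {"auditID": "a2", "verb": "patch", "user": {"username": "alice@example.invalid"},
     "objectRef": {"resource": "services", "subresource": "status", "namespace": "team-a", "name": "web"}},
    {"auditID": "a3", "verb": "patch", "user": {"username": "alice@example.invalid"},
     "objectRef": {"resource": "services", "namespace": "team-a", "name": "web"}},
    {"auditID": "a4", "verb": "get", "user": {"username": "bob@example.invalid"},
     "objectRef": {"resource": "services", "subresource": "status", "namespace": "team-a", "name": "web"}},
]


def scan(manifests: list[dict[str, Any]], events: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Run both checks and return their findings keyed by check name."""
    return {
        "manifest_violations": [r for m in manifests for r in service_violations(m)],
        "status_writes": suspicious_status_writes(events),
    }


if __name__ == "__main__":
    for check, findings in scan(SAMPLE_MANIFESTS, SAMPLE_AUDIT_EVENTS).items():
        print(check)
        for line in findings:
            print("  ", line)
```

The manifest check is the part a policy engine or admission webhook would enforce; the audit check is the complementary detection the quoted guidance suggests, and its "system:" exclusion should be tightened to the exact controller identities used in a given cluster before it is trusted as an alert.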