Unpatchable Vulnerabilities of Kubernetes: CVE-2020-8554

Keypoints

• Kubernetes contains four “unpatchable” vulnerabilities related to container networking; CVE-2020-8554 is the first discussed and allows service-based traffic redirection.
• The exploit relies on a hostile cluster user being able to create Service objects that specify externalIPs, enabling redirection of traffic destined for arbitrary external addresses into the cluster.
• Kube-proxy implements service networking by creating iptables (or IPVS/nftables) NAT rules on each node; ExternalIP services create rules that match external IPs and forward them to pods.
• A proof-of-concept Service redirects traffic for 104.16.185.241 and 104.16.184.241 (icanhazip.com) to an echoserver pod, demonstrated via iptables chains and entries.
• Mitigations include blocking ExternalIP services using the DenyServiceExternalIPs admission controller, policy controllers like Kyverno, GitOps lifecycle checks, or using Cilium’s kube-proxy replacement which is not affected.
• Risk prioritization depends on the threat model: if cluster users are few and fully trusted, the vulnerability may be lower priority; otherwise operators should enforce controls to prevent Service creation abuse.