Dec 11, 2020

Cilium Zero Trust Networking Protections Against CVE-2020-8554

Contributed by Jed Salazar, Senior Solutions Architect, and Martynas Pumputis, Software Engineer

You've probably heard about the new Man in the Middle (MITM) vulnerability in Kubernetes. If you're unfamiliar, a MITM vulnerability works by redirecting a victim's legitimate network traffic through a secret attacker on the network, where the attacker can eavesdrop or actively tamper with the victim's data before sending it to its intended destination. There have been several MITM vulnerabilities in Kubernetes, most of which take advantage of the default overly-permissive CAP_NET_RAW permissions in Kubernetes. However this vulnerability is unique in two ways:

  1. MITM attacks generally make use of common types of network vulnerabilities, whereas this vulnerability affects the API layer of Kubernetes itself.
  2. Unlike most vulnerabilities that are assigned a Common Vulnerabilities and Exposures (CVE), there's no patch or hotfix you can deploy to protect your environment.

This vulnerability is also unique in another way: if you're running Cilium without kube-proxy, you aren't vulnerable to it at all. Let's talk about how.

CVE-2020-8554

The vulnerability affects multitenant clusters by an attacker creating a ClusterIP service and updating the ExternalIP field with an IP address they intend to intercept traffic to and eavesdrop on. When running with kube-proxy, protection from this vulnerability requires that you implement a fairly complex set of mitigations such as Open Policy Agent (OPA) Gatekeeper or an admission webhook.

Cilium with kube-proxy

CVE with kube-proxy

At Isovalent (the company that makes Cilium), we've been busy building Zero Trust Networking into Cilium, mitigating common MITM attacks, and providing a safe-by-default network environment for multitenant clusters. To enable this, we've redesigned and replaced kube-proxy, meaning you can remove kube-proxy entirely and use Cilium's replacement instead. When running Cilium with kube-proxy disabled, you are not vulnerable to this CVE and are not forced to implement complex mitigations at the API layer.

Cilium's Zero Trust Approach to Security

How does Cilium prevent this vulnerability? Cilium performs a number of automatic network security mitigations based on Zero Trust Networking concepts. For example we don't translate an ExternalIP address for traffic sourced from pods unless the ExternalIP is associated with a known node. If you're running kube-proxy in parallel with Cilium, you're vulnerable to this attack because iptables will happily route traffic sourced from pods to an arbitrary ExternalIP.

To make sure you're getting built-in protection from MITM and other kinds of network attacks, we recommend running Cilium without kube-proxy.

Cilium without kube-proxy

CVE with kube-proxy-free

Zero Trust Networking, mitigations against common types of MITM attacks, as well as significant performance improvements can be an intriguing reason to move to Cilium's kube-proxy replacement.

If you're interested in learning more about Cilium's built in Zero Trust features, or just want to say hello, reach out to us on Slack.

Popular posts

Tetragon 1.0: Kubernetes Security Observability & Runtime Enforcement with eBPF
Oct 31, 2023

Tetragon 1.0: Kubernetes Security Observability & Runtime Enforcement with eBPF

Cilium Tetragon 1.0 has arrived! marking a significant stride in Kubernetes security and observability, offering low-overhead, eBPF-driven runtime enforcement and monitoring

Technology
External
How DB Schenker Migrated from Calico to Cilium
Sep 07, 2023

How DB Schenker Migrated from Calico to Cilium

Learn how DB Schneker migrated their Kubernetes platform CNI from Calico to Cilium

CommunityTechnology
Unleashing the Power of Cilium CNI to Propel Trendyol’s Performance Up to 40%
Jul 26, 2023

Unleashing the Power of Cilium CNI to Propel Trendyol’s Performance Up to 40%

Explore the reasons why Trendyol chose Cilium and the value they received from it

Community
External