Contributed by Jed Salazar, Senior Solutions Architect, and Martynas Pumputis, Software Engineer
You’ve probably heard about the new Man in the Middle (MITM) vulnerability in Kubernetes. If you’re unfamiliar, a MITM vulnerability works by redirecting a victim’s legitimate network traffic through a secret attacker on the network, where the attacker can eavesdrop or actively tamper with the victim’s data before sending it to its intended destination. There have been several MITM vulnerabilities in Kubernetes, most of which take advantage of the default overly-permissive
CAP_NET_RAW permissions in Kubernetes. However this vulnerability is unique in two ways:
- MITM attacks generally make use of common types of network vulnerabilities, whereas this vulnerability affects the API layer of Kubernetes itself.
- Unlike most vulnerabilities that are assigned a Common Vulnerabilities and Exposures (CVE), there’s no patch or hotfix you can deploy to protect your environment.
This vulnerability is also unique in another way: if you’re running Cilium without
kube-proxy, you aren’t vulnerable to it at all. Let’s talk about how.
The vulnerability affects multitenant clusters by an attacker creating a ClusterIP service and updating the ExternalIP field with an IP address they intend to intercept traffic to and eavesdrop on. When running with kube-proxy, protection from this vulnerability requires that you implement a fairly complex set of mitigations such as Open Policy Agent (OPA) Gatekeeper or an admission webhook.
At Isovalent (the company that makes Cilium), we’ve been busy building Zero Trust Networking into Cilium, mitigating common MITM attacks, and providing a safe-by-default network environment for multitenant clusters. To enable this, we’ve redesigned and replaced
kube-proxy, meaning you can remove
kube-proxy entirely and use Cilium’s replacement instead. When running Cilium with kube-proxy disabled, you are not vulnerable to this CVE and are not forced to implement complex mitigations at the API layer.
How does Cilium prevent this vulnerability? Cilium performs a number of automatic network security mitigations based on Zero Trust Networking concepts. For example we don’t translate an ExternalIP address for traffic sourced from pods unless the ExternalIP is associated with a known node. If you’re running
kube-proxy in parallel with Cilium, you’re vulnerable to this attack because iptables will happily route traffic sourced from pods to an arbitrary ExternalIP.
To make sure you’re getting built-in protection from MITM and other kinds of network attacks, we recommend running Cilium without
Zero Trust Networking, mitigations against common types of MITM attacks, as well as significant performance improvements can be an intriguing reason to move to Cilium’s
If you’re interested in learning more about Cilium’s built in Zero Trust features, or just want to say hello, reach out to us on Slack.