A security issue was discovered in Kubernetes where an authorized user may be able to redirect traffic to private networks on a Node. An untrusted user could exploit this by creating or modifying EndpointSlices to point to localhost or link-local addresses.
A security issue was discovered in Kubernetes where an authorized user may be able to redirect traffic to private networks on a Node. An untrusted user could exploit this by creating or modifying EndpointSlices to point to localhost or link-local addresses.
OpenShift Container Platform (OCP) 3.11 is not affected by this vulnerability as it does not support EndpointSlices. All current versions of OCP 4 support EndpointSlices and are therefore affected.
* Prevent untrusted users from creating or modifying EndpointSlices
* Creating a validating admission webhook that prevents EndpointSlices with endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges