
Policy to restrict External IPs in Services [CVE-2020-8554] #159

Closed
bsctl opened this issue Dec 9, 2020 · 1 comment · Fixed by #161
Labels: enhancement, good first issue, high-priority, v0.0.4


bsctl commented Dec 9, 2020

Describe the feature

We need to add a policy to restrict External IPs in services in order to mitigate CVE-2020-8554. Ref. here and here

What would the new user story look like?

  1. CVE-2020-8554 affects multi-tenancy environments
  2. The cluster admin creates a tenant specifying the allowed External IP CIDRs

```yaml
apiVersion: capsule.clastix.io/v1alpha1
kind: Tenant
metadata:
  name: oil
spec:
  owner:
    kind: User
    name: alice
  externalServiceIPs:
    allowed:
    - 10.0.0.0/8
    - 192.168.0.0/16
```

  3. This is going to be attached to the Tenant
  4. The tenant owner creates a Service by specifying the External IPs: only listed IPs are allowed
  5. If externalServiceIPs is not specified, then no External IPs in Services are allowed

Expected behavior

The cluster admin can mitigate CVE-2020-8554
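One way the admission check behind steps 2 to 5 could be implemented, as an added example that is not Capsule's own code: a tenant's `externalServiceIPs.allowed` CIDRs are parsed, and every `spec.externalIPs` entry of a Service must fall inside one of them; a tenant without the field rejects any external IP (step 5). The Go type and function names (`ExternalServiceIPs`, `ValidateExternalIPs`) are assumptions, and the Kubernetes API types are left out so the block runs with the standard library only. As the later comment notes, this covers `spec.externalIPs` and not LoadBalancer IPs written into `status`.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ExternalServiceIPs mirrors the proposed tenant field
// spec.externalServiceIPs.allowed (type name is an assumption).
type ExternalServiceIPs struct {
	Allowed []string
}

// ValidateExternalIPs applies the policy described in the issue:
//   - a Service without external IPs is always admitted;
//   - if the tenant declares no externalServiceIPs, any external IP is denied;
//   - otherwise every spec.externalIPs entry must lie inside an allowed CIDR.
// It returns nil when the Service is admissible and an error (the denial
// reason an admission webhook would return) otherwise.
func ValidateExternalIPs(policy *ExternalServiceIPs, externalIPs []string) error {
	if len(externalIPs) == 0 {
		return nil
	}
	if policy == nil || len(policy.Allowed) == 0 {
		return fmt.Errorf("external IPs %s are not allowed: tenant does not declare externalServiceIPs",
			strings.Join(externalIPs, ","))
	}
	nets := make([]*net.IPNet, 0, len(policy.Allowed))
	for _, cidr := range policy.Allowed {
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			// A malformed CIDR on the tenant is an admin mistake: fail closed
			// rather than silently allowing everything.
			return fmt.Errorf("invalid allowed CIDR %q on tenant: %w", cidr, err)
		}
		nets = append(nets, n)
	}
	for _, raw := range externalIPs {
		ip := net.ParseIP(raw)
		if ip == nil {
			return fmt.Errorf("external IP %q is not a valid IP address", raw)
		}
		allowed := false
		for _, n := range nets {
			// IPNet.Contains already returns false for an IPv6 address
			// checked against an IPv4 range, so "::1" is denied by v4 CIDRs.
			if n.Contains(ip) {
				allowed = true
				break
			}
		}
		if !allowed {
			return fmt.Errorf("external IP %s is not in the tenant's allowed CIDRs %v", raw, policy.Allowed)
		}
	}
	return nil
}

func main() {
	// Constructed sample: the "oil" tenant from the issue and three Services.
	oil := &ExternalServiceIPs{Allowed: []string{"10.0.0.0/8", "192.168.0.0/16"}}
	cases := []struct {
		policy *ExternalServiceIPs
		ips    []string
	}{
		{oil, []string{"10.1.2.3", "192.168.10.20"}}, // admitted
		{oil, []string{"10.1.2.3", "172.16.0.1"}},    // denied: 172.16.0.1 outside CIDRs
		{nil, []string{"10.1.2.3"}},                  // denied: tenant has no externalServiceIPs
	}
	for _, c := range cases {
		if err := ValidateExternalIPs(c.policy, c.ips); err != nil {
			fmt.Println("DENY:", err)
		} else {
			fmt.Println("ALLOW:", c.ips)
		}
	}
}
```

Failing closed on an unparsable CIDR matters here: a webhook that skipped a bad entry would let the cluster admin's typo reopen the CVE-2020-8554 exposure for that tenant.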


bsctl commented Dec 9, 2020

No mitigations are provided for LoadBalancer IPs since it is not recommended to grant users the patch service/status permission. If LoadBalancer IP restrictions are required, the approach for the external IP mitigations can be copied.
