New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Do not set sysctlRouteLocalnet (CVE-2020-8558) #92938
Do not set sysctlRouteLocalnet (CVE-2020-8558) #92938
Conversation
pkg/proxy/ipvs/proxier.go
Outdated
@@ -353,7 +353,7 @@ func NewProxier(ipt utiliptables.Interface, | |||
kernelHandler KernelHandler, | |||
) (*Proxier, error) { | |||
// Set the route_localnet sysctl we need for |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: update comment with context?
/test pull-kubernetes-e2e-gci-gce-ipvs |
(some failures expected) |
6a75180
to
1713080
Compare
|
/retest |
1 similar comment
/retest |
I don't object to unsetting this in ipvs. I'd like to figure out how to properly fix it in iptables mode too. Reopened #90259 to discuss. I can't locally repro the attack, so looking for other clever ideas |
/test pull-kubernetes-e2e-gci-gce-ipvs |
/retest (some of the test failures are actually expected #92708) |
/test pull-kubernetes-e2e-gci-gce-ipvs |
@thockin if you have root on the (linux) attacker machine, the following should suffice to reproduce:
With more packet gymnastics, it's also possible to reproduce using only CAP_NET_RAW; let me know on Slack or Twitter if you want to see that code before it's released. |
@lbernail I'm sure these things have been discussed, but it's probably good to bring them into the PR for future/public reference... IMO, the right way to conceptualize CVE-2020-8558 is that it makes localhost-bound services unexpectedly available outside the host. Back in RFC1122, they say that 127/8 addresses "MUST NOT appear outside a host" and more recently in 5735 that they "do not legitimately appear on any network anywhere." When A key issue with this fix (and the existing fix from #91569) is that it assumes kube-proxy is the only entity with an interest in setting Forcing the sysctl to zero in IPVS mode gives a great remediation experience for end users who do not need There's the rub: We all have been breathing RFC5735 since we first learned networking. Whatever someone's doing with Adding a knob is painful when your system already has too many knobs, but I think it should be seriously considered. My suggestion, trying to balance all these concerns is as follows:
WDYT? |
@tabbysable Thanks a lot for your input (for transparency, we work together and had this discussion on slack and figured it was worth having in public). A few thoughts:
The flag approach is probably the best as it would allow for simple patching and users could disable it if needed. This is very similar to what we did with @andrewsykim We also discussed this on slack but we should probably discuss it here again. What do you think? (also do you know why the test is failing?) |
/retest (fixed failing test in kubernetes/test-infra#18339) |
I agree with @tabbysable that a flag to toggle At this point though, even if we add a flag to skip setting |
Side note around sysctl flags: maybe it's time we consider a |
@andrewsykim Yes, I agree that the kubelet patch from #91569 should be taken out for the same reasons. It would be ideal if that and this could both happen together before 1.19 so that the behavior of 1.19 could be "CVE-2020-8558 is fixed in kube-proxy and can be switched on and off." How to handle the kubelet patch in maintenance branches where it has already been released is another difficult question. :-( A "don't touch my sysctls" flag sounds like a good, sustainable solution compared to separate ones per sysctl. The docs update is a very important part, so that users can make an informed decision. |
@thockin any thoughts on the above? |
Signed-off-by: Laurent Bernaille <laurent.bernaille@datadoghq.com>
225dd6a
to
1543914
Compare
As discussed with @andrewsykim and @tabbysable : let's not set the sysctl (because we don't need it in IPVS mode). Deploying kube-proxy won't fix the CVE but at least it will not introduce it on new nodes (note that if the version of the kubelet in recent enough, the CVE is mitigated) |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: lbernail The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
LGTM but release notes need an update |
Is the description clear enough? I could make it longer but release notes tend to be very short |
I think this one probably warrants a longer one with an "ACTION REQUIRED" in it, maybe something like:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/retest Review the full test history for this PR. Silence the bot with an |
What type of PR is this?
/kind bug
/sig network
/area ipvs
What this PR does / why we need it:
Don't set sysctlRouteLocalnet when running in IPVS mode to avoid CVE-2020-8558
Accessing a Nodeport from the host network using localhost:Nodeport never worked in IPVS (see #67730)
Which issue(s) this PR fixes:
Fixes #92315 (for IPVS mode)
Does this PR introduce a user-facing change?: