Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2020-8554 PoC — Kubernetes man in the middle using LoadBalancer or ExternalIPs

Source
https://github.com/alebedev87/gatekeeper-cve-2020-8554
Associated Vulnerability
Title:Kubernetes man in the middle using LoadBalancer or ExternalIPs (CVE-2020-8554)
Description:Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
Readme
# Gatekeeper constraint for CVE-2020-8554

## Install OPA client
Follow [the instructions](https://www.openpolicyagent.org/docs/latest/#1-download-opa).

## Run unit tests
```bash
$ opa test --ignore=*.yaml ./policies
# verbose output
$ opa test -v --explain=full --format=pretty --ignore=*.yaml ./policies
```
File Snapshot

 [4.0K]  /data/pocs/4b431dac579961c48ce05db1683e1552bcfda0aa
├── [4.0K]  policies
│   └── [4.0K]  externalips
│       ├── [ 511]  k8sexternalips.rego
│       ├── [1.2K]  k8sexternalips_test.rego
│       ├── [5.8K]  k8sexternalips_utils_test.rego
│       ├── [ 594]  k8sexternalips.yaml
│       └── [4.0K]  resources
│           └── [ 197]  service-must-not-have-external-ips.yaml
└── [ 311]  README.md

3 directories, 6 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →