From d22a61e21d677f7527bc8a4aeb3288c5e11dd49b Mon Sep 17 00:00:00 2001
From: Casey Callendrello <cdc@redhat.com>
Date: Fri, 29 May 2020 13:03:37 +0200
Subject: [PATCH] kubelet: block non-forwarded packets from crossing the
 localhost boundary

We set route_localnet so that host-network processes can connect to
<127.0.0.1:NodePort> and it still works. This, however, is too
permissive.

So, block martians that are not already in conntrack.

See: #90259
Signed-off-by: Casey Callendrello <cdc@redhat.com>
CVE: CVE-2020-8558
Upstream-Status: Backport [https://github.com/kubernetes/kubernetes.git branch:release-1.16]
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
 src/import/pkg/kubelet/kubelet_network_linux.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/import/pkg/kubelet/kubelet_network_linux.go b/src/import/pkg/kubelet/kubelet_network_linux.go
index 1c9ad46b989..d18ab75a053 100644
--- a/src/import/pkg/kubelet/kubelet_network_linux.go
+++ b/src/import/pkg/kubelet/kubelet_network_linux.go
@@ -68,6 +68,22 @@ func (kl *Kubelet) syncNetworkUtil() {
 		klog.Errorf("Failed to ensure rule to drop packet marked by %v in %v chain %v: %v", KubeMarkDropChain, utiliptables.TableFilter, KubeFirewallChain, err)
 		return
 	}
+
+	// drop all non-local packets to localhost if they're not part of an existing
+	// forwarded connection. See #90259
+	if !kl.iptClient.IsIpv6() { // ipv6 doesn't have this issue
+		if _, err := kl.iptClient.EnsureRule(utiliptables.Append, utiliptables.TableFilter, KubeFirewallChain,
+			"-m", "comment", "--comment", "block incoming localnet connections",
+			"--dst", "127.0.0.0/8",
+			"!", "--src", "127.0.0.0/8",
+			"-m", "conntrack",
+			"!", "--ctstate", "RELATED,ESTABLISHED,DNAT",
+			"-j", "DROP"); err != nil {
+			klog.Errorf("Failed to ensure rule to drop invalid localhost packets in %v chain %v: %v", utiliptables.TableFilter, KubeFirewallChain, err)
+			return
+		}
+	}
+
 	if _, err := kl.iptClient.EnsureRule(utiliptables.Prepend, utiliptables.TableFilter, utiliptables.ChainOutput, "-j", string(KubeFirewallChain)); err != nil {
 		klog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", utiliptables.TableFilter, utiliptables.ChainOutput, KubeFirewallChain, err)
 		return
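Review bot: The new `-m conntrack` rule introduces a dependency on the conntrack match being available, and because its failure path does `return` before the `ChainOutput` jump rule at the end of this hunk (and whatever follows it) is ensured, a host where this single rule cannot be installed ends up with none of the KubeFirewallChain hooks in place rather than just missing the localnet guard. That mirrors the early returns of the preceding rules, so it may be intended, but it is worth a line in the comment above the `if !kl.iptClient.IsIpv6()` check, e.g. `// requires the conntrack match; on failure the chain jump rules below are not ensured either`. The comment also does not say why `DNAT` is listed alongside `RELATED,ESTABLISHED` — presumably so that NodePort traffic rewritten to 127.0.0.1 (the route_localnet case named in the commit message) is still accepted; stating that, hedged if needed, would keep a later reader from "tightening" it away. syncNetworkUtil begins before this hunk and continues after it.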
-- 
2.17.0