Cve-2020-8558

This vulnerability allows a malicious attacker to intercept certain traffic destined for the Kubernetes cluster nodes. Specifically, if an attacker is on the same local network (LAN) or a compromised pod on the same node, they could potentially intercept traffic intended for the Kubernetes control plane or other services.

Document version 1.0 – Security Research cve-2020-8558

This primarily risks exposing sensitive data, such as API server credentials or application traffic, to the attacker. This vulnerability allows a malicious attacker to intercept

CVE-2020-8558 illustrates a subtle interaction between Kubernetes’ network proxy and Linux kernel routing behavior. Though patched in mid-2020, the vulnerability remains relevant as an example of how container isolation cannot rely solely on localhost binding. Cluster administrators must validate both route_localnet status and kube-proxy version, and adopt network policies to restrict pod-to-node IP traffic. to the attacker.