[ASA-202106-29] kube-apiserver: insufficient validation
Arch Linux Security Advisory ASA-202106-29
==========================================

Severity: Low
Date    : 2021-06-09
CVE-ID  : CVE-2021-25737
Package : kube-apiserver
Type    : insufficient validation
Remote  : Yes
Link    :

Summary
=======

The package kube-apiserver before version 1.21.1-1 is vulnerable to
insufficient validation.

Resolution
==========

Upgrade to 1.21.1-1.

# pacman -Syu "kube-apiserver>=1.21.1-1"

The problem has been fixed upstream in version 1.21.1.

Workaround
==========

To mitigate this vulnerability without upgrading kube-apiserver, you
can create a validating admission webhook that prevents EndpointSlices
with endpoint addresses in the and ranges. If you have an existing
admission policy mechanism (like OPA Gatekeeper) you can create a
policy that enforces this restriction.

Description
===========

A security issue was discovered in kube-apiserver before version 1.21.1
where a user may be able to redirect pod traffic to private networks on
a node. Kubernetes already prevents creation of Endpoint IPs in the
localhost or link-local range, but the same validation was not
performed on EndpointSlice IPs.

Impact
======

A user could redirect pod traffic to private networks on a node.

References
==========
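The decision logic of the validating admission webhook described under Workaround, as an added example that is not part of the advisory or of Kubernetes' own code: it denies an EndpointSlice whose endpoint addresses fall in the localhost or link-local ranges named in the Description. It assumes the admission.k8s.io/v1 AdmissionReview JSON shape; the names `Decide`, `review`, `response` and `sample` are hypothetical, and serving the webhook over TLS and registering it with the API server are left out.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// Subset of an admission.k8s.io/v1 AdmissionReview; request.object is the EndpointSlice.
type review struct {
	Request *struct {
		UID    string `json:"uid"`
		Object struct {
			Endpoints []struct {
				Addresses []string `json:"addresses"`
			} `json:"endpoints"`
		} `json:"object"`
	} `json:"request"`
}
type response struct { // sent back as the .response member of the AdmissionReview
	UID     string            `json:"uid"`
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"`
}

// Decide (hypothetical name) denies a slice that has a loopback or link-local address.
func Decide(body []byte) (response, error) {
	var in review
	if json.Unmarshal(body, &in) != nil || in.Request == nil {
		return response{}, fmt.Errorf("body is not an AdmissionReview request")
	}
	for _, ep := range in.Request.Object.Endpoints {
		for _, a := range ep.Addresses {
			ip, err := netip.ParseAddr(a)
			if err != nil {
				continue // not an IP literal (FQDN address type): outside this check
			}
			// Unmap first so IPv4-mapped forms such as ::ffff:127.0.0.1 are caught too.
			if ip = ip.Unmap(); ip.IsLoopback() || ip.IsLinkLocalUnicast() {
				msg := "endpoint address " + a + " is loopback or link-local"
				return response{UID: in.Request.UID, Status: map[string]string{"message": msg}}, nil
			}
		}
	}
	return response{UID: in.Request.UID, Allowed: true}, nil
}

// sample is a constructed AdmissionReview request, not captured from a cluster.
const sample = `{"request":{"uid":"u1","object":{"endpoints":[{"addresses":["10.0.0.5"]},{"addresses":["169.254.0.10"]}]}}}`
func main() { fmt.Println(Decide([]byte(sample))) }
```

Returning an error for a body that does not parse lets the HTTP handler answer with a failure status; whether the API server then rejects the object depends on the webhook's `failurePolicy`.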