ASA-202106-29 - log

ASA-202106-29 edited at 11 Jun 2021 16:00:49
Workaround
- To mitigate this vulnerability without upgrading kube-apiserver, you can create a validating admission webhook that prevents EndpointSlices with endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges. If you have an existing admission policy mechanism (like OPA Gatekeeper) you can create a policy that enforces this restriction.
+ To mitigate this vulnerability without upgrading kube-apiserver, you
+ can create a validating admission webhook that prevents EndpointSlices
+ with endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges.
+ If you have an existing admission policy mechanism (like OPA
+ Gatekeeper) you can create a policy that enforces this restriction.
ASA-202106-29 edited at 09 Jun 2021 08:54:21
Impact
- A user could redirect pod traffic to private networks on a Node.
+ A user could redirect pod traffic to private networks on a node.
ASA-202106-29 edited at 09 Jun 2021 08:49:07
Workaround
+ To mitigate this vulnerability without upgrading kube-apiserver, you can create a validating admission webhook that prevents EndpointSlices with endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges. If you have an existing admission policy mechanism (like OPA Gatekeeper) you can create a policy that enforces this restriction.
Impact
+ A user could redirect pod traffic to private networks on a Node.
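Review bot: the Impact line ("A user could redirect pod traffic to private networks on a Node.") does not state what the user must be permitted to do, while the Workaround line implies the precondition is being able to submit EndpointSlices whose endpoint addresses fall in 127.0.0.0/8 or 169.254.0.0/16. Suggest naming that precondition in Impact so readers can judge their exposure from who is allowed to write EndpointSlices in their cluster. The Workaround line could also say whether the webhook should reject updates to existing EndpointSlices as well as newly created ones, since "prevents EndpointSlices with endpoint addresses in ..." leaves that open.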
ASA-202106-29 created at 09 Jun 2021 08:48:30