CVE-2020-8558

[ Attacker Pod (10.44.2.7) ]
        |
        |  TCP SYN -> dest: Node IP (10.44.0.1), port: 10255
        v
[ Node Kernel ]
  - route_localnet=1
  - Node IP is local address
  - Kernel forwards packet to 127.0.0.1:10255
        v
[ Kubelet (listening 127.0.0.1:10255) ]
        |
        v
[ Attacker reads node metrics, pod list, secrets? ]

The vulnerability stems from how kube-proxy configures networking on Linux nodes. To allow host processes to access NodePort services via the loopback address, kube-proxy enables a specific kernel setting: net.ipv4.conf.all.route_localnet=1.
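A node-side check for the condition described above, as an added example that is not part of the original page or of Kubernetes: it combines the route_localnet value with the listeners bound only to 127.0.0.0/8. The function names and the sample socket table are constructed for illustration, and the check does not inspect packet-filter rules that may already drop such traffic.

```shell
#!/bin/sh
# Constructed sample in /proc/net/tcp format (not captured from a real node):
# 127.0.0.1:10255 LISTEN, 0.0.0.0:22 LISTEN, 127.0.0.1:8080 ESTABLISHED.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:280F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 21003 1 0000000000000000 100 0 0 10 0'

# Read /proc/net/tcp text on stdin and print the decimal port of every
# LISTEN socket bound inside 127.0.0.0/8. IPv4 addresses are stored as
# little-endian hex, so 127.x.y.z ends in "7F"; state 0A is LISTEN.
loopback_listen_ports() {
    awk '$4 == "0A" && substr($2, 7, 3) == "7F:" { split($2, a, ":"); print a[2] }' |
    while read -r hexport; do
        printf '%d\n' "0x$hexport"
    done
}

# $1 = value of net.ipv4.conf.all.route_localnet, stdin = /proc/net/tcp text.
# Reports the loopback-only services that need a follow-up firewall review.
audit_node() {
    route_localnet=$1
    ports=$(loopback_listen_ports | sort -n | tr '\n' ' ')
    ports=${ports% }
    if [ "$route_localnet" = "1" ] && [ -n "$ports" ]; then
        echo "AT-RISK route_localnet=1 loopback-ports=$ports"
    elif [ "$route_localnet" = "1" ]; then
        echo "WARN route_localnet=1 no-loopback-listeners"
    else
        echo "OK route_localnet=$route_localnet"
    fi
}

# Run against the constructed sample. On a real node:
#   audit_node "$(cat /proc/sys/net/ipv4/conf/all/route_localnet)" < /proc/net/tcp
printf '%s\n' "$SAMPLE_TCP" | audit_node 1
```

An AT-RISK result means the listed services rely on the loopback binding alone for isolation, so the node's packet filtering and Kubernetes patch level should be reviewed next.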

curl -k https://$NODE_IP:10250/metrics

From a pod in the same cluster: