Address CVEs Using Red Hat Advanced Cluster Management Governance Policy Framework

Red Hat Advanced Cluster Management for Kubernetes governance policy framework is designed to help improve the security of the managed clusters, including the management of CVEs. There are recent vulnerability concerns within Kubernetes, CVE-2020-8554 Man in the Middle using LoadBalancer or External IPs was recently discovered . This vulnerability affects multitenant clusters and currently there is no single solution for users. The main concern is if a potential attacker already has the privileges to create or edit services and pods, then they may be able to seize traffic from other pods (or nodes) in the cluster. This issue is a design flaw, but it can be mitigated with a potential solution presented in this blog.

The good news is that OpenShift Container Platform 4.x and Red Hat Advanced Cluster Management are not affected by this CVE, but we want to help your managed clusters remain safe from this vulnerability. Developers created a solution by using the Red Hat Advanced Cluster Management policy framework to contribute the Gatekeeper allowed External IP security policy to the open source community (policy-gatekeeper-allowed-external-ips.yaml). The security policy was implemented in order to mitigate the Kubernetes vulnerability, CVE-2020-8554.

By using the Gatekeeper allowed External IP policy, externalIPs are locked to assist in hardening your managed clusters. Using the YAML template provided in the policy-collection repository allows the option to identify which external IPs are allowed for your managed clusters, and in turn can also restrict external IPs as well. To use the policy-gatekeeper-allowed-external-ips.yaml, you must install the Gatekeeper controller in order to use the gatekeeper policy. For more information about installing the Gatekeeper controller see the gatekeeper repository.

To implement the policy, see Managing policies in the Red Hat Advanced Cluster Management documentation for more information. You can also visit the related blog, Contributing and deploying community policies with Red Hat Advanced Cluster Management and GitOps for more details to deploy community policies.

In conclusion, this CVE has been a long standing issue for the Kubernetes project, which was fixed in OpenShift Container Platform 3.11 and addressed in OpenShift Container Platform 4. Fortunately, the open-cluster-management community policy, policy-gatekeeper-allowed-external-ips.yaml can be used to help address the CVE. Check out the open source community, open-cluster-management for other policies that can be applied to enhance the security of your managed clusters, and help you meet your governance, risk, and compliance requirements.