“Setting the host default to reject router adverts should really avoid assaults from succeeding but may well break genuine traffic”
Kubernetes clusters configured to use certain container networking
implementations (CNIs) are inclined to gentleman-in-the-middle (MitM) assaults, the Kubernetes Merchandise Stability Committee has warned.
The vulnerability has an effect on clusters running a “default Kubernetes security context”: i.e. workloads running with CAP_Internet_Uncooked privileges.
There’s no upstream fix until June seventeen, so end users may well want to mitigate or acquire some guide steps to separately update the CNI plugins that are the offender — these have discovered their way into upstream kubelet binary releases.
What is this Kubernetes Bug Do?
The container networking vulnerability can be exploited by sending rogue router adverts: this allows a destructive container reconfigure the host to redirect its IPv6 targeted visitors to an attacker-managed container.
(n.b. “Even if there was no IPv6