CVE-2020-8558

Vulnerability details

The kube-proxy component sets the kernel parameter net.ipv4.conf.all.route_localnet=1 in both iptables and ipvs modes to allow local loopback access. With this setting in place, an attacker who controls a container sharing the host network, or who sits on the same LAN or an adjacent node on the layer-2 network, can reach TCP/UDP services bound only to 127.0.0.1 on a cluster node and obtain interface information. If such a service does not require authentication, this can lead to information leakage.

Scope

When an attacker can configure the host network, or has access to a container instance with the CAP_NET_RAW capability, they can obtain socket service information by reaching services listening on 127.0.0.1 of the target node. If the target host exposes a service that is reachable via 127.0.0.1 and requires no authentication, the attacker can obtain that service's information.

CVSS scores

  • If the cluster API Server has its unauthenticated (insecure) port open (default 8080), the attacker may obtain information from the API Server interface; the threat level is high and the CVSS score is 8.8.
  • If the cluster API Server's unauthenticated port is closed by default, the threat level is medium and the CVSS score is 5.4.

Prevention

It is recommended that you take the following preventative measures:

If business containers need to use host network mode and listen on an insecure port, you can mitigate this vulnerability by manually adding an iptables rule on each node.

Run the following command on each cluster node to add an iptables rule that drops traffic to 127.0.0.1 that does not originate locally (replies to established connections and DNAT'd traffic are still allowed):

iptables -I INPUT --dst 127.0.0.0/8 ! --src 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
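The following script, added here as an example and not part of the advisory, checks whether a node is exposed by route_localnet and whether the rule above is present in the INPUT chain. It assumes the rule is inspected through `iptables -S INPUT` output and the kernel setting through `sysctl`; the classification functions take their inputs as arguments so they can also be run against captured output.

```shell
#!/bin/sh
# Audit helper for the CVE-2020-8558 mitigation (added example, not from the advisory).
# route_localnet=1 (set by kube-proxy) is the precondition; the DROP rule from the
# advisory is the compensating control. Functions take their inputs as arguments.

# Returns 0 when the kernel routes loopback traffic across interfaces.
# $1: value of net.ipv4.conf.all.route_localnet (0 or 1)
route_localnet_enabled() {
  [ "$1" = "1" ]
}

# Returns 0 when an INPUT rule equivalent to the advisory's mitigation exists.
# $1: text of `iptables -S INPUT`; iptables prints negations as "! -s" / "! --ctstate".
localnet_drop_rule_present() {
  printf '%s\n' "$1" \
    | grep -e '^-A INPUT ' \
    | grep -e '! -s 127\.0\.0\.0/8' \
    | grep -e '-d 127\.0\.0\.0/8' \
    | grep -e '! --ctstate ' \
    | grep -q -e '-j DROP'
}

# Prints one of: not-exposed, mitigated, vulnerable.
# $1: route_localnet value, $2: INPUT chain listing
classify_node() {
  if ! route_localnet_enabled "$1"; then
    echo not-exposed
  elif localnet_drop_rule_present "$2"; then
    echo mitigated
  else
    echo vulnerable
  fi
}

# Live check: only meaningful on a cluster node, run as root.
live_check() {
  rl=$(sysctl -n net.ipv4.conf.all.route_localnet)
  rules=$(iptables -S INPUT)
  classify_node "$rl" "$rules"
}

if [ "${1:-}" = "--live" ]; then
  live_check
fi
```

Run it with `--live` on a node to get one of `not-exposed`, `mitigated` or `vulnerable`; a `vulnerable` result means kube-proxy has enabled route_localnet and the DROP rule is missing.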

If the cluster does not need the API Server insecure port, add --insecure-port=0 to the Kubernetes API server command line to disable it.

If untrusted containers run in the cluster, prevent them from using the CAP_NET_RAW capability by dropping it in the pod spec:

securityContext:
  capabilities:
    drop:
    - "NET_RAW"

Use PodSecurityPolicy to restrict privileged deployments and containers that share the host network. In addition, configure requiredDropCapabilities in the policy to force deployed containers to drop the CAP_NET_RAW capability.

Fixed in official Kubernetes releases

  • v1.18.4
  • v1.17.7
  • v1.16.11

Fixed by KLTS


Last modified March 8, 2022 : mv en to kuberentes/ (95aa90d4)