The upstream Kubernetes community recently discovered a security issue, CVE-2020-8554, affecting multitenant clusters that allows anyone who is able to create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address. There is no patch for this issue yet, and it can currently only be mitigated by restricting access to the vulnerable features.
In this tutorial, we will demonstrate how to use a custom policy in Tanzu Mission Control to quickly enforce a policy across your cluster fleet, prohibiting the creation of service resources that expose workloads to external IP addresses.
Apply custom policies in Tanzu Mission Control
A custom policy template in Tanzu Mission Control is a declarative definition of the policy you want to enforce on your cluster fleet. This declarative definition is written in Rego, the policy language of the Open Policy Agent framework. For example, if you want some of your Kubernetes resources to carry a label “env: dev”, “env: staging”, or “env: prod”, depending on the environment the resource is being created in, the policy template defines this admission rule as well as the key and value pairs it expects for a resource definition to be accepted.
The custom policy template we are using here to mitigate CVE-2020-8554 will prohibit the addition of spec.externalIPs and spec.loadBalancerIP fields in the service resource while also giving users a way to add only those IP addresses that they’ve deemed to be allowable.
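To make the shape of such a template concrete, here is an illustrative Rego policy written for OPA Gatekeeper that rejects a Service whose spec.externalIPs or spec.loadBalancerIP is outside an allow list. It is an added example, not the tmc-external-ips template shipped with Tanzu Mission Control; the package name and the allowedIPs parameter name are assumptions, while input.review.object and input.parameters are Gatekeeper's standard inputs.

```rego
package k8sexternalips

# Illustrative policy for mitigating CVE-2020-8554 (not the product's own template).
# Gatekeeper exposes the admitted object as input.review.object and the
# constraint's parameters as input.parameters; "allowedIPs" is an assumed name.

# Reject a Service if any entry in spec.externalIPs is not on the allow list.
violation[{"msg": msg}] {
  input.review.object.kind == "Service"
  ip := input.review.object.spec.externalIPs[_]
  not allowed(ip)
  msg := sprintf("Service %v/%v: externalIP %v is not in the allowed list",
    [input.review.object.metadata.namespace, input.review.object.metadata.name, ip])
}

# spec.loadBalancerIP also lets a user choose an address, so it is checked the same way.
violation[{"msg": msg}] {
  input.review.object.kind == "Service"
  ip := input.review.object.spec.loadBalancerIP
  not allowed(ip)
  msg := sprintf("Service %v/%v: loadBalancerIP %v is not in the allowed list",
    [input.review.object.metadata.namespace, input.review.object.metadata.name, ip])
}

# An address is allowed only when it appears in the constraint's parameter list;
# a Service with neither field set produces no violation at all.
allowed(ip) {
  input.parameters.allowedIPs[_] == ip
}
```

Admission policies only gate new or updated objects, so Services that already carry an external IP when the policy is applied are not affected by it; the dry-run mode described below is the place to surface those before enforcing.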
We will now demonstrate, step by step, how to apply this custom policy in Tanzu Mission Control.
First, in Tanzu Mission Control, click the “Assignments” tab in the left navigation, under the “Policies” section, then click the “Custom” tab. You are now ready to assign a custom policy to your clusters. For this CVE, you may want to apply the policy to all the clusters in your organization. If so, select your organization under the “Clusters” view (in this tutorial, my organization is “Tanzu Mission Control Demo”) and then click “Create Custom Policy.”
This action will render a list of all the custom policy templates available in your organization. Select the “tmc-external-ips” policy in the dropdown; it will render a user interface asking for a target Kubernetes resource and a restricted list of allowable IP addresses.
Add a policy name of your choice, then in the “Target Resource” section, set the “Kind” value as “Service” and click “Add Resource.” This action adds the Kubernetes service resource to the custom policy. The “Target Resource” section denotes the Kubernetes resources to which this custom policy applies. In this example, we are applying the “tmc-external-ips” policy to Kubernetes service objects. After adding the Target Resource, add the allowed list of IP addresses in the “Allowed IPS” section. Click “Add Allowedips” after adding each IP address.
Once you have added the complete list of allowable external IP addresses, you have all the parameters set for mitigating this CVE. Click the “Create Policy” button to activate this custom policy in Tanzu Mission Control.
Tanzu Mission Control will then enforce this policy on your Kubernetes cluster fleet. Enforcing this policy will prevent users from adding any external IP address to the service resource, which will help organization admins keep their security airtight.
While in this example we applied the custom policy at the organization level, which covers the entire fleet of Kubernetes clusters, you can also choose to apply it to a cluster group or even an individual cluster. Selected namespaces can also be excluded from this policy, if needed. Policy creation is also supported in dry-run mode, in which users can see a dashboard of any policy violations without blocking requests. For more information on namespace selectors, dry-run mode, and policy violations, please refer to this blog post.
Create custom policies in Tanzu Mission Control
To tackle this CVE, we used an existing custom policy template that Tanzu Mission Control provides to our customers out of the box. The platform also allows you to create your own custom policies if needed, then enforce them across the clusters leveraging Tanzu Mission Control’s policy engine.
To do this, click “Templates” in the left navigation under the Policy section, then click “Create Template.” This section will also list all the previously created templates, as well as VMware-provided templates.
Once you click “Create Template,” Tanzu Mission Control lets you import a template or type the policy directly in the product. You can also use the public API endpoint to automate the creation of your templates through a CI/CD pipeline.
Consistent and efficient policy management at scale with Tanzu Mission Control
Tanzu Mission Control provides a powerful policy engine that lets organizations create and enforce guardrails for their teams, ensuring governance and compliance on their Kubernetes clusters.
In addition to providing a variety of policy types through a native user experience, the platform also offers organizations the flexibility to create their own policy templates for needs that may only be relevant to them. This opens up a wide spectrum of use cases for customers that are looking for reliable tooling to enforce a policy across a fleet of Kubernetes clusters, and may also be used to help address Kubernetes CVEs.
Furthermore, because Mission Control supports fleet management out of the box, you only need to enforce custom policy once. Every new cluster that gets added to the Kubernetes fleet automatically inherits the policy. This gives you a single place to create, manage, and streamline all of your policy operations for tens and even hundreds of clusters.
About the author: Sneha Narang