CVE-2020-8558

The vulnerability stems from how kube-proxy configures networking on Linux nodes. So that host processes can reach NodePort services through the loopback address, kube-proxy enables the kernel setting net.ipv4.conf.all.route_localnet=1. With that setting on, the kernel stops treating 127.0.0.0/8 as a martian destination on non-loopback interfaces: a packet that arrives on the node's real NIC addressed to 127.0.0.1 is delivered to whatever is listening on loopback. An attacker who can get such a packet onto the node (a container on the node, or another host on the same LAN that frames the packet with the node's MAC address) can therefore reach TCP and UDP services that were bound to 127.0.0.1 precisely because they were meant to be unreachable from the network.

# query the kubelet's metrics endpoint on port 10250 from the network, skipping TLS verification
curl -k https://$NODE_IP:10250/metrics

The primary risk is exposure of sensitive data held by services that relied on the loopback binding as their only access control, such as credentials for the API server or application traffic. The case the Kubernetes advisory singles out is the kube-apiserver insecure port (default 8080, bound to localhost on control-plane nodes), which serves the API without authentication.

Ensure that kube-proxy's ports 10249 (metrics) and 10256 (health check) are not reachable from untrusted networks; with route_localnet enabled, a 127.0.0.1 binding on its own does not keep them off the LAN.

The vulnerability affects a wide range of Kubernetes versions:

v1.18.x: versions prior to v1.18.4
v1.17.x: versions prior to v1.17.7
v1.1.0 – v1.16.x: versions prior to v1.16.11

Mitigation and Remediation
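The following node-side triage script is an added example; it is not code from the original page or from the Kubernetes project. It ties together the three points above: it classifies a kube-proxy version against the affected ranges listed on this page, checks whether the route_localnet precondition is set, lists the sockets bound only to loopback (the ones the setting exposes, such as kube-proxy's 10249), and prints the interim iptables rule the Kubernetes security advisory published for this CVE. Assumptions: the sysctl lives at the usual /proc/sys path, the listener list is in `ss -ltn` format, and the sample lines used in the usage notes are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or the Kubernetes project):
# node-side triage for CVE-2020-8558.
set -eu

# Assumed default sysctl location; pass another path as the first argument.
ROUTE_LOCALNET_FILE="/proc/sys/net/ipv4/conf/all/route_localnet"

# Affected ranges as listed on this page: <v1.18.4, <v1.17.7, <v1.16.11
# (and every earlier 1.x minor). Returns 0 when the version is affected.
kube_proxy_vulnerable() {
  local v="${1#v}" major minor patch
  IFS=. read -r major minor patch <<EOF
$v
EOF
  patch="${patch%%[^0-9]*}"       # drop -rc.N / +build suffixes
  patch="${patch:-0}"
  [ "$major" = "1" ] || return 1  # only 1.x releases are in scope
  case "$minor" in
    18) [ "$patch" -lt 4 ] ;;
    17) [ "$patch" -lt 7 ] ;;
    16) [ "$patch" -lt 11 ] ;;
    *)  [ "$minor" -lt 16 ] ;;    # 1.1 .. 1.15 all affected; 1.19+ not
  esac
}

# Returns 0 if net.ipv4.conf.all.route_localnet is 1, 1 if it is not,
# 2 if the file cannot be read.
route_localnet_enabled() {
  local file="${1:-$ROUTE_LOCALNET_FILE}"
  [ -r "$file" ] || return 2
  [ "$(tr -d '[:space:]' < "$file")" = "1" ]
}

# Reads `ss -ltn` style output on stdin and prints the listening sockets
# bound to 127.0.0.0/8. With route_localnet=1 these are reachable from the
# node's LAN, so each one needs to be reviewed.
loopback_only_listeners() {
  awk '$1 == "LISTEN" && $4 ~ /^127\./ { print $4 }' | sort -u
}

# Interim mitigation from the Kubernetes advisory for this CVE: drop packets
# addressed to loopback that did not originate from loopback and are not
# part of an already established connection.
mitigation_rule() {
  printf '%s\n' 'iptables -I INPUT --dst 127.0.0.0/8 ! --src 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED -j DROP'
}

# Usage on a node: bash cve-2020-8558-check.sh --check [kube-proxy-version]
if [ "${1:-}" = "--check" ]; then
  ver="${2:-}"
  if [ -n "$ver" ]; then
    if kube_proxy_vulnerable "$ver"; then
      echo "kube-proxy $ver: in an affected range"
    else
      echo "kube-proxy $ver: not in an affected range"
    fi
  fi
  if route_localnet_enabled; then
    echo "route_localnet=1: loopback-only listeners are reachable from the LAN:"
    ss -ltn | loopback_only_listeners
    echo "interim mitigation: $(mitigation_rule)"
  else
    echo "route_localnet is not 1 (or unreadable): precondition absent"
  fi
fi
```

Run it with `--check` on a node as root; the iptables rule is printed rather than applied so it can be reviewed first, and the version check is only a range lookup against the table on this page, so confirm the running version with `kube-proxy --version` rather than relying on the image tag.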