Unpatchable Vulnerabilities of Kubernetes: CVE-2020-8562
ID: 188c39ac-531e-5532-8bd6-b433a96ddef0
STIX ID: report--188c39ac-531e-5532-8bd6-b433a96ddef0
Feed Name: Datadog Security Labs
This report analyzes CVE-2020-8562, an unpatchable Kubernetes vulnerability in which the API server proxy resolves a hostname more than once, so an attacker can exploit a TOCTOU/DNS-rebinding race to bypass private-IP filters (for example, reaching 127.0.0.1 or cloud metadata services). The write-up covers the exploitation prerequisites (the ability to create Node objects and use the proxy), a proof-of-concept attack, the risk context (especially for managed Kubernetes control planes), and suggested mitigations such as enforcing minimum DNS TTLs or using Konnectivity.
