Unpatchable Vulnerabilities of Kubernetes: CVE-2020-8554

ID: b0a6a2e5-1f72-5df1-862e-932ce31c3b97

STIX ID: report--b0a6a2e5-1f72-5df1-862e-932ce31c3b97

Feed Name: Datadog Security Labs

Threat Score
40/100

Date Published: 2026-01-14

Date Updated: 2026-04-27

This blog describes CVE-2020-8554, an "unpatchable" Kubernetes vulnerability: any user who can create or edit Service objects can set spec.externalIPs, and kube-proxy then installs iptables rules on every node that steer traffic destined for those IP:port pairs to the Service's endpoints, so a tenant with only Service-creation rights can intercept traffic to arbitrary addresses from pods and nodes. The issue is a design consequence of the externalIPs feature rather than a bug, which is why it has no upstream fix. The post walks through how kube-proxy manipulates iptables, shows a PoC Service manifest and the resulting iptables chains, and recommends mitigations: enabling the DenyServiceExternalIPs admission controller, a policy controller (e.g., Kyverno) that rejects externalIPs, GitOps checks on manifests before they are applied, or Cilium's kube-proxy replacement.
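As an added example (not code from the original post or from Datadog), the following Python implements the two manifest-side mitigations the summary lists: an admission-style check with the semantics the DenyServiceExternalIPs plugin documents (deny any net-new externalIPs; IPs already stored on the object may stay or be removed) and a GitOps pre-merge scan that reports which (ip, protocol, port) destinations a Service would capture once admitted. The sample Service objects are constructed for this example and use a documentation address range; function names are my own.

```python
"""Pre-admission / GitOps check for Service.spec.externalIPs (CVE-2020-8554).

Added example. The admission semantics mirror the documented behaviour of the
DenyServiceExternalIPs admission plugin; the scan reports the destinations a
Service would hijack. Sample manifests are constructed, not taken from a cluster.
"""

from typing import Optional


def external_ips(svc: dict) -> set:
    """Return spec.externalIPs as a set (empty when the field is absent or null)."""
    return set((svc.get("spec") or {}).get("externalIPs") or [])


def hijacked_destinations(svc: dict) -> list:
    """(ip, protocol, port) tuples that kube-proxy would steer to this Service's
    endpoints once the object is admitted. externalIPs apply regardless of
    Service type, so the type is deliberately not consulted."""
    spec = svc.get("spec") or {}
    out = []
    for ip in sorted(external_ips(svc)):
        for p in spec.get("ports") or []:
            out.append((ip, str(p.get("protocol", "TCP")).upper(), int(p["port"])))
    return out


def admission_verdict(new: dict, old: Optional[dict] = None) -> tuple:
    """Admission-style decision, returns (allowed, reason).

    A create that sets externalIPs is denied. An update is denied only if it
    adds IPs the stored object did not already carry; keeping or removing
    pre-existing IPs is allowed, matching the DenyServiceExternalIPs plugin.
    """
    if new.get("kind") != "Service":
        return True, "not a Service"
    before = external_ips(old) if old else set()
    added = external_ips(new) - before
    if added:
        return False, "spec.externalIPs adds net-new IP(s): " + ", ".join(sorted(added))
    return True, "ok"


def scan_manifests(manifests) -> list:
    """GitOps pre-merge check: list every Service declaring externalIPs together
    with the destinations it would capture, as (namespace, name, destinations)."""
    findings = []
    for m in manifests:
        if m.get("kind") != "Service":
            continue
        dests = hijacked_destinations(m)
        if dests:
            md = m.get("metadata") or {}
            findings.append((md.get("namespace", "default"), md.get("name"), dests))
    return findings


# Constructed sample objects; 203.0.113.0/24 is a documentation range, not real infrastructure.
POC_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "hijack", "namespace": "tenant-a"},
    "spec": {
        "type": "ClusterIP",
        "selector": {"app": "attacker-pod"},
        "externalIPs": ["203.0.113.10"],  # victim address the attacker wants to intercept
        "ports": [{"port": 443, "targetPort": 8443}],
    },
}

BENIGN_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "web", "namespace": "tenant-a"},
    "spec": {"selector": {"app": "web"}, "ports": [{"port": 80}]},
}

if __name__ == "__main__":
    print(admission_verdict(POC_SERVICE))
    print(scan_manifests([POC_SERVICE, BENIGN_SERVICE]))
```

The update path matters in practice: a controller that only inspects the incoming object would also block routine edits to legacy Services that legitimately carry externalIPs, so the check compares against the stored object the way the admission plugin does. Running `scan_manifests` in CI over rendered manifests gives the GitOps gate the post recommends without waiting for the API server to reject the object.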