
Unpatchable Vulnerabilities of Kubernetes: CVE-2021-25740

ID: b83c31cc-1642-56e6-af1c-32792016518f

STIX ID: report--b83c31cc-1642-56e6-af1c-32792016518f

Feed Name: Datadog Security Labs

Threat Score: 50/100

Date Published: 2026-05-21

Date Updated: 2026-05-21


This post examines CVE-2021-25740, an "unpatchable" Kubernetes vulnerability that allows an attacker with permission to edit Endpoint/EndpointSlice objects to redirect shared ingress or LoadBalancer traffic to other tenants' pods, potentially bypassing network policies. The article explains how Services and EndpointSlices work and demonstrates the attack scenario in multi-tenant clusters. It recommends mitigations such as removing EndpointSlice edit privileges, avoiding shared load balancers/ingress, or migrating to the Gateway API, and notes that a proof-of-concept is available.
