Report Submission Form
This report uses metrics-server as example, but it should be applicable to any aggregated api server.
When metrics-server is hijacked, either by modifying the container image directly or by running another pods using the same label selector in kube-system namespace, and is returning 30X redirect, the clients calling the metrics api will follow the redirect.
It could be a serious issue in managed Kubernetes offerings such as Azure Kubernetes Service (AKS) where clients from managed components may be redirected to call the internal endpoints.
Note: my coworker, Nicolas Joly, found the issue and reported my team (AKS)
all k8s versions on AKS. I believe itโs the same in other cloud providers.
n/a
go-redirect.yaml
with your endpoint to capture the redirected traffic in kube-system namespace. It uses the same pod label selector as metrics-server doesSample output being logged in the web server capturing redirected traffic:
2022/04/16 00:30:13 src IP: 20.51.80.40:4096
GET / HTTP/1.1
Host: 20.85.59.5
Accept: application/json, */*
Accept-Encoding: gzip
Authorization: Bearer <omitted>
User-Agent: azurepolicyaddon/v0.0.0 (linux/amd64) kubernetes/$Format
GET / HTTP/1.1
Host: 20.85.59.5
Accept: application/vnd.kubernetes.protobuf, */*
Authorization: Bearer <omitted>
User-Agent: kube-controller-manager/v1.17.13 (linux/amd64) kubernetes/f4a8e76/system:serviceaccount:kube-system:generic-garbage-collector
2022/04/16 00:34:37 src IP: 20.69.190.88:21504
GET / HTTP/1.1
Host: 20.85.59.5
Accept: application/json, */*
Accept-Encoding: gzip
Authorization: Bearer <omitted>
User-Agent: cpmonitor/v0.0.0 (linux/amd64) kubernetes/$Format