Report Submission Form
TL;DR: Time-of-check (apiserver proxy filter) / Time-of-use (apiserver proxy request) race condition.
When the apiserver is proxying a request to a node through one of its addresses, it performs a filter validation. If the address type is a DNS record (Hostname, ExternalDNS, InternalDNS), the apiserver performs two DNS queries: one for the filter validation, another for proxying the request. If the attacker sets the hostname to a custom DNS server that is able to return different values with a zero TTL, it is possible to bypass that filter.
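The race described above, as an added example (not code from this report or from Kubernetes itself): an injected resolver stands in for the zero-TTL DNS answers, a check-then-resolve-again proxy lets the second answer slip past the filter, and a resolve-once variant dials the very IP it validated. The Resolver type, the host name and the addresses are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
)

// Resolver is the hostname -> IP lookup the proxy uses (nil on failure). It is
// injected so the race can be shown offline with a constructed resolver.
type Resolver func(host string) net.IP

// blocked marks ranges the proxy filter must never reach: loopback and
// link-local (where cloud metadata endpoints live).
func blocked(ip net.IP) bool {
	return ip == nil || ip.IsLoopback() || ip.IsLinkLocalUnicast()
}

// alternatingResolver stands in for a zero-TTL name whose answer flips on
// every query: a harmless address first, a link-local one next (constructed).
func alternatingResolver() Resolver {
	answers := []string{"203.0.113.10", "169.254.169.254"}
	n := 0
	return func(host string) net.IP {
		ip := net.ParseIP(answers[n%len(answers)])
		n++
		return ip
	}
}

// dialVulnerable filters the name with one lookup, then resolves it again to
// connect. The two lookups are the time-of-check / time-of-use gap; it returns
// the IP the proxy would actually connect to, or "" if the filter rejected it.
func dialVulnerable(r Resolver, host string) string {
	if blocked(r(host)) { // time of check
		return ""
	}
	return r(host).String() // time of use: an independent second lookup
}

// dialFixed resolves once, filters that result, and connects to the exact IP
// that passed the check, so no later answer can change the target.
func dialFixed(r Resolver, host string) string {
	ip := r(host)
	if blocked(ip) {
		return ""
	}
	return ip.String() // dial this pinned IP, not the hostname
}

func main() {
	fmt.Println("vulnerable:", dialVulnerable(alternatingResolver(), "toctou.example"))
	fmt.Println("fixed:", dialFixed(alternatingResolver(), "toctou.example"))
}
```

With the flipping resolver the vulnerable path ends up connecting to 169.254.169.254 even though the filter saw 203.0.113.10, while the pinned path connects only to the address it checked and rejects the link-local answer on the next attempt.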
Kubernetes version: 1.18.0

Steps to reproduce:
1. (go mod init and go mod tidy).
2. kubectl proxy
3. curl localhost:8001/api/v1/nodes/toctou:80/proxy/

Attached files:
- toctou-cluster.yml, a KIND cluster manifest.
- toctou-node.yml, a Node with a custom address.
- toctou-dns-server.go, a custom DNS server that returns different results to consecutive queries.

Impact:
https://github.com/kubernetes/kubernetes/pull/71980 was merged to mitigate dangerous proxying through the apiserver. An attacker with access to create nodes and send requests to them through the apiserver proxy could access cloud metadata endpoints or localhost services. This is especially important for as-a-service providers such as https://github.com/oneinfra/oneinfra, but it could affect any vendor.