CVE-2020-8558 🎯 Quick

If connection succeeds → vulnerable.

Service endpoints bound to 127.0.0.1 expected only local processes to reach them. No mechanism in default kube-proxy prevented a remote pod from addressing the node's loopback-bound ports over the network.

In standard Linux networking, packets with a destination in the 127.0.0.0/8 range arriving from outside the host are considered "martian packets" and are discarded by the kernel. However, by setting route_localnet=1, the kernel is instructed not to treat these as martians, effectively allowing it to route external traffic to the localhost interface.

Loopback-bound services should additionally be protected with authentication (e.g., kubelet --anonymous-auth=false).

The sysctl that enables this routing:

net.ipv4.conf.all.route_localnet=1
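The following audit helper is an added example, not code from the original page or from the Kubernetes project. It reads a /proc/net/tcp-format table and the route_localnet sysctl value and lists TCP listeners bound to 127.0.0.1 that the kernel would route external traffic to when route_localnet=1. The function names and the sample /proc/net/tcp lines are constructed for illustration; audit_live_host is a hypothetical wrapper for running it on a real Linux node.

```python
"""Added example: flag loopback-bound TCP listeners that route_localnet=1
makes reachable from the network. Parses the /proc/net/tcp format; the
sample table below is constructed, not captured from a real node."""
import socket
import struct
from pathlib import Path

LISTEN_STATE = "0A"  # value of the 'st' column for TCP_LISTEN in /proc/net/tcp


def parse_proc_net_tcp(text):
    """Return (ip, port, state) for every row of a /proc/net/tcp-format table.

    local_address is 'HEXIP:HEXPORT'; the IPv4 address is stored in host byte
    order (little-endian on x86), so it is unpacked with '<I'."""
    rows = []
    for line in text.splitlines()[1:]:  # the first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        addr_hex, port_hex = fields[1].split(":")
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        rows.append((ip, int(port_hex, 16), fields[3]))
    return rows


def route_localnet_enabled(sysctl_value):
    """True when the kernel routes externally received 127.0.0.0/8 traffic
    to the loopback interface instead of dropping it as a martian packet."""
    return sysctl_value.strip() == "1"


def exposed_loopback_listeners(proc_net_tcp_text, sysctl_value):
    """Loopback-only listeners that become network-reachable under route_localnet=1.

    Listeners on 0.0.0.0 are already exposed regardless of the sysctl and are
    therefore not reported here; established connections are ignored."""
    if not route_localnet_enabled(sysctl_value):
        return []
    return sorted(
        (ip, port)
        for ip, port, state in parse_proc_net_tcp(proc_net_tcp_text)
        if state == LISTEN_STATE and ip.startswith("127.")
    )


def audit_live_host():
    """Hypothetical helper: run the same check against the real files on a Linux node."""
    tcp_table = Path("/proc/net/tcp").read_text()
    sysctl = Path("/proc/sys/net/ipv4/conf/all/route_localnet").read_text()
    return exposed_loopback_listeners(tcp_table, sysctl)


# Constructed sample: kubelet healthz (10248) and an etcd client port (2379)
# bound to loopback, sshd on all interfaces, and one established connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2808 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:094B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:2808 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    # With the sysctl set to 1 the two loopback listeners are reported;
    # with it set to 0 the list is empty.
    for ip, port in exposed_loopback_listeners(SAMPLE_PROC_NET_TCP, "1"):
        print(f"{ip}:{port} is loopback-bound but network-reachable with route_localnet=1")
```

Running the check on a node where route_localnet is 1 gives the list of services that the mitigation above applies to: each reported port should either require authentication or the sysctl should be returned to 0.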