Kubernetes' nodes/proxy GET call, commonly used by monitoring tools, can be exploited to execute privileged commands and compromise entire clusters without leaving an audit trail. It's a feature, not a bug.

The New Stack is a publication covering trends and technologies in cloud-native development, DevOps, and software delivery. Developers can learn about containerization, Kubernetes, and cloud computing, as well as explore topics such as microservices architecture, serverless computing, and continuous integration/continuous delivery (CI/CD) pipelines.

The New Stack

A security researcher discovered that Kubernetes' nodes/proxy GET call, commonly used by monitoring tools, can be exploited to execute privileged commands and fully compromise clusters without leaving audit trails. The Kubernetes team classified this as intended behavior rather than a bug, with no CVE issued. The vulnerability affects 69 monitoring tools that rely on this permission. Until the fix (KEP-2862) arrives in Kubernetes 1.36, administrators should audit RBAC policies, restrict kubelet port access, and consider workload isolation technologies to mitigate risk.

Kubernetes telemetry feature fully compromises clusters