services / Kubernetes / Services
Services provide a stable network endpoint for one or more pods, allowing them to be accessed by other pods or external clients.
Services control how your Kubernetes Pods are exposed on the Kubernetes network.
core/services.proxy
Allows an attacker to interact with your application as if they were inside the Kubernetes cluster. Creates a proxy server or between localhost and a specified service running on Kubernetes. This service can be a kube-system service started by Kubernetes and retrieved by the `kubectl cluster-info` command or a user-defined Service object. The resulting proxy allows sending payloads to the targeted Service which otherwise would be unreachable. This is different from the `kubectl proxy` command which creates a proxy for the Kubernetes API server - this endpoint acts like a bastion and exposes the user-defined application endpoints of a Service.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security