<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>CVE-2020-8561 on ZX Cloud Security</title><link>https://zxcloudsecurity.co.uk/tags/cve-2020-8561/</link><description>Recent content in CVE-2020-8561 on ZX Cloud Security</description><generator>Hugo</generator><language>en-GB</language><lastBuildDate>Wed, 03 Jun 2026 08:02:13 +0000</lastBuildDate><atom:link href="https://zxcloudsecurity.co.uk/tags/cve-2020-8561/index.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2020-8561: Kubernetes Webhook Redirect Flaw in AKS</title><link>https://zxcloudsecurity.co.uk/posts/cve-2020-8561-kubernetes-kube-apiserver-webhook-redirect-ssrf-azure/</link><pubDate>Wed, 03 Jun 2026 08:02:13 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2020-8561-kubernetes-kube-apiserver-webhook-redirect-ssrf-azure/</guid><description>CVE-2020-8561 allows webhook redirect abuse in kube-apiserver, enabling SSRF via Kubernetes admission webhooks. Affects AKS and self-managed clusters.</description><content:encoded><![CDATA[<p>🟡 <strong>Medium</strong>  |  <strong>Source:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-8561">Microsoft Security Response Center</a></p>
<hr>
<p>CVE-2020-8561 is a vulnerability in the Kubernetes API server (kube-apiserver) that allows an attacker to redirect the API server&rsquo;s webhook requests, potentially enabling server-side request forgery (SSRF) against internal network resources. By manipulating admission webhook configurations, a malicious actor could cause the API server to make requests to arbitrary internal endpoints, bypassing network controls. This affects Azure Kubernetes Service (AKS) and any Kubernetes environment where untrusted users can modify webhook configurations.</p>
<blockquote>
<p><strong>Architect&rsquo;s Take:</strong> Review and restrict who has permission to create or modify ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects in your Kubernetes clusters — limit this to highly trusted administrators only. Audit existing webhook configurations for unexpected or suspicious target URLs, and consider network policies that restrict where the kube-apiserver can make outbound connections.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-8561">CVE-2020-8561 Webhook redirect in kube-apiserver</a></p>
]]></content:encoded></item></channel></rss>