{
  "modified": "2020-12-18T17:10:59.06Z",
  "owner": "",
  "name": "Mitigation for Kubernetes CVE-2020-8554 - Load Balancer IPs",
  "previousName": "",
  "effect": "alert",
  "script": "match[{\"msg\": msg}] {\n input.request.operation == \"UPDATE\"\n input.request.kind.kind == \"Service\"\n input.request.subResource == \"status\"\n user := input.request.userInfo.username\n user != \"system:serviceaccount:kube-system:service-controller\"\n newLoadBalancerIPs := {ips | ips := input.request.object.status.loadBalancer.ingress[_].ip} - {oldips | oldips := input.request.oldObject.status.loadBalancer.ingress[_].ip}\n count(newLoadBalancerIPs) > 0\n msg := sprintf(\"User '%v' added Load Balancer IPs '%v' to service '%v'\", [user, newLoadBalancerIPs, input.request.object.metadata.name])\n}",
  "description": "Alert on patch requests to service status by non-system users",
  "skipRawReq": false,
  "policyType": "admission",
  "exportTime": "12_20_20_05_23_21",
  "exportBy": ""
}