Kubernetes
CPE: cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*
Affected versions:
- >= v1.3
A vulnerability exists in Kubernetes that allows a malicious or compromised pod to circumvent the network restrictions imposed by network policies while its namespace is being deleted. The deletion order of objects during namespace termination is undefined, so NetworkPolicy objects can be removed before the pods they select. This creates a temporary window in which those pods can run, and send or accept network connections, without the policy enforcement that should apply to them.
Exploitation of this vulnerability can lead to unauthorized network access for pods, allowing them to send or receive traffic without the restrictions that should be enforced by network policies.
To mitigate this vulnerability, manually delete pods and workload resources that manage pods before initiating namespace deletion. Alternatively, add finalizers to network policies to ensure they are not deleted until the associated pods have been removed. A proof-of-concept controller to automate this process is available on GitHub.
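As an added example (not code from the page or from the Kubernetes project), the following POSIX shell helper applies the first mitigation: it deletes the pod-owning workloads and any remaining pods, waits until the namespace reports no pods, and only then deletes the namespace, so the NetworkPolicy objects outlive every pod they select. It assumes a configured kubectl on PATH; the KUBECTL and POLL_SECONDS variables are hypothetical overrides used here for dry runs.

```shell
#!/bin/sh
# Added example, not Kubernetes project code. Deletes a namespace's workloads
# and pods first so that NetworkPolicies remain in place while pods still run.
set -eu

KUBECTL="${KUBECTL:-kubectl}"        # assumption: kubectl on PATH and configured
POLL_SECONDS="${POLL_SECONDS:-2}"    # delay between checks for remaining pods

# Controllers that own pods; deleting them first stops pods being recreated.
WORKLOAD_KINDS="cronjobs,jobs,deployments,statefulsets,daemonsets,replicasets,replicationcontrollers"

# Print the number of pods still present in namespace $1.
pods_remaining() {
  n=$("$KUBECTL" get pods -n "$1" -o name --ignore-not-found | wc -l)
  echo $((n))    # arithmetic expansion strips any padding wc adds
}

# safe_delete_namespace <namespace> [max-polls]
# Returns non-zero, leaving the namespace (and its policies) intact, if pods
# are still present after max-polls checks.
safe_delete_namespace() {
  ns="$1"; max_polls="${2:-60}"; polls=0
  # 1. Remove the pod-owning controllers so nothing recreates pods.
  "$KUBECTL" delete "$WORKLOAD_KINDS" -n "$ns" --all --ignore-not-found
  # 2. Remove any remaining (bare) pods.
  "$KUBECTL" delete pods -n "$ns" --all --ignore-not-found
  # 3. Wait until no pods are left. NetworkPolicies are untouched so far.
  while [ "$(pods_remaining "$ns")" -gt 0 ]; do
    polls=$((polls + 1))
    if [ "$polls" -ge "$max_polls" ]; then
      echo "pods still present in $ns; namespace not deleted" >&2
      return 1
    fi
    sleep "$POLL_SECONDS"
  done
  # 4. Only now delete the namespace, which removes the policies with it.
  "$KUBECTL" delete namespace "$ns"
}

# Run directly as: sh safe-delete-ns.sh <namespace> [max-polls]
if [ "$#" -gt 0 ]; then
  safe_delete_namespace "$@"
fi
```

If the wait times out, the namespace is left in place so the policies keep protecting the lingering pods; investigate what is holding them before retrying.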