Kube-hunter hunts for security weaknesses in Kubernetes clusters
View the Project on GitHub aquasecurity/kube-hunter
Microsoft Azure provides an internal HTTP endpoint, the Instance Metadata Service (IMDS) at the link-local address 169.254.169.254, that exposes information about the cloud platform to workloads running in a VM. It is reachable from any process on the VM, which on a Kubernetes node includes every pod scheduled there, and it requires no credentials beyond a `Metadata: true` request header. An attacker who is able to run a pod in the cluster may therefore be able to query the metadata service and learn about the environment: the node's name and resource group, its network interfaces and subnets (useful for scanning the rest of the cluster), and, where a managed identity is assigned to the node, access tokens for that identity.
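The following is an added example, not code from kube-hunter or from Microsoft, showing what the query described above looks like when run from inside a pod: it sends the `Metadata: true` header, parses the instance document IMDS returns, and reports whether the endpoint is reachable and what it revealed. The `fetch` parameter lets the HTTP call be replaced so the classification logic can be exercised offline; the sample document embedded below is constructed for that purpose and was not captured from a real VM.

```python
"""Probe the Azure Instance Metadata Service (IMDS) the way a pod on an AKS node could.

Added example (not kube-hunter's own hunter). Assumes the IMDS "instance" endpoint and
its JSON layout; the API version below is one IMDS accepts but any supported one works.
"""
import json
import urllib.error
import urllib.request

# IMDS listens on a link-local address, never leaves the host, and speaks plain HTTP.
IMDS_URL = "http://169.254.169.254/metadata/instance?api-version=2021-02-01"


def fetch_imds(url=IMDS_URL, timeout=2.0):
    """Perform the real HTTP request. Returns (status, body); raises OSError when unreachable."""
    # IMDS refuses requests without "Metadata: true". That header blocks naive SSRF through
    # a browser or proxy; a pod talking to IMDS directly simply sets it.
    req = urllib.request.Request(url, headers={"Metadata": "true"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        # A non-2xx answer still proves the endpoint is reachable from this network namespace.
        return e.code, e.read().decode(errors="replace")


def probe(fetch=fetch_imds):
    """Classify IMDS reachability from the current network namespace.

    Returns a dict whose "status" is "exposed", "blocked" or "unknown"; when exposed it also
    carries the node name, resource group and subnets an attacker would use for lateral movement.
    """
    try:
        status, body = fetch()
    except OSError as e:
        # URLError and timeouts are OSError subclasses: no route, refused, or dropped packets,
        # which is what the pod-CIDR restriction (or a NetworkPolicy) looks like from a pod.
        return {"status": "blocked", "reason": str(e)}
    if status != 200:
        return {"status": "unknown", "http_status": status}
    data = json.loads(body)
    compute = data.get("compute", {})
    subnets = [
        f"{s['address']}/{s['prefix']}"
        for iface in data.get("network", {}).get("interface", [])
        for s in iface.get("ipv4", {}).get("subnet", [])
    ]
    return {
        "status": "exposed",
        "vm_name": compute.get("name"),
        "resource_group": compute.get("resourceGroupName"),
        "subnets": subnets,
    }


# Constructed sample resembling an IMDS instance document (not captured from a real VM).
SAMPLE_IMDS_BODY = json.dumps({
    "compute": {"name": "aks-nodepool1-00000000-vmss000000",
                "resourceGroupName": "MC_example-rg_example-cluster_eastus"},
    "network": {"interface": [{
        "ipv4": {"ipAddress": [{"privateIpAddress": "10.240.0.4"}],
                 "subnet": [{"address": "10.240.0.0", "prefix": "16"}]},
    }]},
})


if __name__ == "__main__":
    # Inside a pod: a real request. On a workstation this reports "blocked" (no such route).
    print(json.dumps(probe(), indent=2))
```

Running this from an ordinary pod on a node image that predates the restriction prints an `exposed` result with the node's subnets; on a patched node image it prints `blocked` with a timeout or connection error, and running it again from a pod with `hostNetwork: true` shows whether the endpoint is still reachable from the node's own address.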
Starting with the 2020.10.15 Azure VHD release, AKS node images block access to that internal HTTP endpoint from the pod CIDR, so pods on the pod network can no longer reach IMDS. Because the restriction is keyed on the pod CIDR, it does not cover pods running with `hostNetwork: true`: those share the node's network namespace and source address, so the ability to create such pods should be limited separately (for example through admission policy).