CVE-2021-25735 Overview
A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. The Validating Admission Webhook does not observe some previous fields, creating an authorization bypass condition that could compromise cluster security controls.
Critical Impact
Attackers with elevated privileges can bypass node validation controls, potentially allowing unauthorized modifications to node configurations and compromising cluster integrity.
Affected Products
- Kubernetes kube-apiserver
- Kubernetes clusters running Validating Admission Webhooks for Nodes
- Kubernetes deployments where admission decisions depend on old node state
Discovery Timeline
- 2021-09-06 - CVE-2021-25735 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-25735
Vulnerability Analysis
This vulnerability affects the Kubernetes kube-apiserver component, specifically in how it handles node update operations in conjunction with Validating Admission Webhooks. The root issue is an authorization bypass where the admission webhook fails to observe certain previous fields during node update operations.
When a Validating Admission Webhook is configured to make admission decisions based on the old state of a Node object, the webhook may not receive complete information about the previous state. An attacker can therefore craft node updates that appear legitimate to the webhook but actually bypass the intended security controls, because the check that should have denied them never sees the fields it depends on.
The vulnerability is particularly concerning for organizations that rely on custom admission policies to enforce node configuration compliance, label restrictions, or security taints. An attacker with high privileges could exploit this gap to modify node attributes that should be protected by admission controls.
Root Cause
The vulnerability stems from incomplete field observation in the Validating Admission Webhook mechanism. When processing node updates, the kube-apiserver does not properly expose all relevant previous field values to the admission webhook, preventing the webhook from making fully informed admission decisions. This is classified under CWE-372 (Incomplete Internal State Distinction), indicating improper handling of state information during authorization checks.
Attack Vector
The attack requires network access to the Kubernetes API server and high-level privileges (such as cluster-admin or permissions to update node resources). An attacker would craft a node update request that exploits the blind spots in the admission webhook's visibility into the old node state. The webhook, unable to see the full context of the change, may approve modifications that should be denied based on the organization's security policies.
The attack could be used to:
- Remove security-relevant labels or taints from nodes
- Modify node configurations that admission policies were designed to protect
- Bypass compliance controls enforced through admission webhooks
Detection Methods for CVE-2021-25735
Indicators of Compromise
- Unexpected modifications to node labels, taints, or annotations that should be protected by admission policies
- Audit log entries showing node update operations that bypassed expected webhook denials
- Discrepancies between intended node configurations and actual cluster state
- Webhook denial logs that don't correlate with actual node update rejections
Detection Strategies
- Review Kubernetes audit logs for node update operations, particularly those from privileged accounts
- Monitor admission webhook logs for unusual patterns or missing denial decisions
- Implement secondary validation checks that compare node state before and after updates
- Deploy SentinelOne Kubernetes Workload Protection to detect anomalous API server activity
Monitoring Recommendations
- Enable detailed audit logging for node resources with RequestReceived and ResponseComplete stages
- Configure alerting for node modifications that don't trigger expected admission webhook responses
- Implement drift detection to identify node configuration changes that violate organizational policies
- Monitor for attempts to modify security-sensitive node attributes such as taints and tolerations
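The audit-log review in the Detection Strategies list and the drift detection recommended above can be combined into one check. The following is an added example, not code from the page or from Kubernetes: it reads apiserver audit events as JSON lines (the audit.k8s.io/v1 Event shape), keeps only successful update/patch requests against nodes, and compares the persisted Node in responseObject against a baseline of taints and labels every node is expected to keep. It assumes an audit policy at level RequestResponse for nodes so that responseObject is recorded; the node names, user names, auditIDs and the baseline values are constructed for the demo.

```python
"""Flag successful Node updates in Kubernetes audit logs that weaken protected attributes.

Added example, not code from the page or from Kubernetes. Assumes audit level
RequestResponse for nodes so that responseObject (the persisted Node) is recorded.
"""
import json

# Constructed baseline: attributes every node is expected to carry.
REQUIRED_TAINTS = {"example.com/protected"}
REQUIRED_LABELS = {"example.com/tier": "restricted"}
PRIVILEGED_GROUPS = {"system:masters"}


def _node(name, taint_keys, labels):
    """Build a minimal Node object for the constructed audit lines."""
    return {"metadata": {"name": name, "labels": labels},
            "spec": {"taints": [{"key": k, "effect": "NoSchedule"} for k in taint_keys]}}


def _event(audit_id, verb, resource, name, code, user, groups, obj=None):
    """Build a constructed audit.k8s.io/v1 Event, trimmed to the fields the detector uses."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
          "auditID": audit_id, "verb": verb,
          "user": {"username": user, "groups": groups},
          "objectRef": {"resource": resource, "name": name, "apiVersion": "v1"},
          "responseStatus": {"code": code}}
    if obj is not None:
        ev["responseObject"] = obj
    return json.dumps(ev)


OK_LABELS = {"example.com/tier": "restricted"}
# Constructed sample audit lines (all names and ids are made up for the demo).
SAMPLE_AUDIT_LINES = [
    # a1: routine update that keeps the taint and label -> not flagged
    _event("a1", "update", "nodes", "worker-1", 200, "node-admin", ["system:masters"],
           _node("worker-1", ["example.com/protected"], OK_LABELS)),
    # a2: privileged patch whose persisted result lacks the protected taint -> flagged
    _event("a2", "patch", "nodes", "worker-1", 200, "node-admin", ["system:masters"],
           _node("worker-1", [], OK_LABELS)),
    # a3: update denied (403) by authorization or admission -> nothing persisted, not flagged
    _event("a3", "update", "nodes", "worker-2", 403, "ci-bot", ["system:authenticated"]),
    # a4: unrelated resource -> ignored
    _event("a4", "update", "pods", "web-0", 200, "dev", ["system:authenticated"], {"metadata": {}}),
    "",            # blank line
    "{not json",   # malformed line; skipped rather than aborting the scan
]


def parse_events(lines):
    """Yield audit events from JSON lines, skipping blank or malformed entries."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def missing_protections(node):
    """Return the protected taints/labels absent from a Node object."""
    taints = {t.get("key") for t in (node.get("spec", {}).get("taints") or [])}
    labels = node.get("metadata", {}).get("labels") or {}
    gaps = [f"taint {k}" for k in sorted(REQUIRED_TAINTS - taints)]
    gaps += [f"label {k}={v}" for k, v in REQUIRED_LABELS.items() if labels.get(k) != v]
    return gaps


def find_suspicious_node_updates(lines):
    """Return findings for persisted node update/patch requests that drop protections."""
    findings = []
    for ev in parse_events(lines):
        ref = ev.get("objectRef") or {}
        if ev.get("stage") != "ResponseComplete" or ref.get("resource") != "nodes":
            continue
        if ev.get("verb") not in ("update", "patch"):
            continue
        if (ev.get("responseStatus") or {}).get("code", 0) >= 400:
            continue  # rejected: no change reached storage
        node = ev.get("responseObject")
        if not node:
            continue  # audit level too low to see the persisted object
        gaps = missing_protections(node)
        if gaps:
            user = ev.get("user") or {}
            findings.append({"auditID": ev.get("auditID"), "node": ref.get("name"),
                             "user": user.get("username"),
                             "privileged": bool(PRIVILEGED_GROUPS & set(user.get("groups") or [])),
                             "missing": gaps})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_node_updates(SAMPLE_AUDIT_LINES):
        print(json.dumps(finding))
```

Run against a real log, feed it the lines of the apiserver audit file instead of SAMPLE_AUDIT_LINES. Checking responseObject rather than requestObject matters for patch requests, whose requestObject is only the patch body; the persisted object is what tells you whether a protection survived.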
How to Mitigate CVE-2021-25735
Immediate Actions Required
- Upgrade Kubernetes to a patched version as specified in the Kubernetes security announcements
- Review and audit all Validating Admission Webhooks that make decisions based on node state
- Implement additional validation logic that does not rely solely on comparing old and new node states
- Restrict permissions for node update operations to only necessary service accounts
Patch Information
Kubernetes has addressed this vulnerability in subsequent releases. Organizations should consult the GitHub Kubernetes Issue #100096 and the Kubernetes Security Announcement for specific version guidance and patch details. Upgrading to the latest stable release of your Kubernetes minor version is strongly recommended.
Workarounds
- Redesign admission webhooks to make decisions based solely on the new node state rather than comparing old and new states
- Implement out-of-band validation using controllers that periodically reconcile node configurations
- Use additional authorization mechanisms such as OPA Gatekeeper policies that don't rely on old state comparison
- Restrict RBAC permissions for node updates to minimize the attack surface
# Configuration example
# Review node update permissions in your cluster (replace the subject with the account under review)
kubectl auth can-i update nodes --as=system:serviceaccount:default:default
# Audit recent events attached to Node objects across all namespaces
kubectl get events -A --field-selector involvedObject.kind=Node
# List validating webhooks whose rules name the nodes resource
# (rules that use "*" as the resource also cover nodes; check those separately)
kubectl get validatingwebhookconfigurations -o json | jq '.items[] | select(any(.webhooks[].rules[]?.resources[]?; . == "nodes")) | .metadata.name'
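The workaround of deciding on the new node state alone, and the immediate action of not relying solely on an old-versus-new comparison, come down to how the webhook handler reads the AdmissionReview it receives. The following is an added example, not code from the page or from the Kubernetes project: it models the AdmissionReview request as a plain dict with the same request.object and request.oldObject fields the apiserver sends, and puts the fragile decision style beside the hardened one. When the oldObject handed to the webhook is missing the protected taint, the old-state check allows the removal while the new-state check still denies it. The taint key example.com/protected, the node name and the UIDs are constructed for the demo.

```python
"""Validating webhook decision logic for Node updates, fragile style beside hardened style.

Added example, not code from the page or from Kubernetes. AdmissionReview
bodies are plain dicts shaped like the admission.k8s.io/v1 JSON the apiserver
sends; the taint key, node name and UIDs are constructed.
"""
import json
from typing import Any

PROTECTED_TAINT = "example.com/protected"  # constructed policy value


def _taint_keys(node: dict[str, Any]) -> set[str]:
    """Return the set of taint keys on a Node object (missing spec -> empty set)."""
    return {t["key"] for t in (node.get("spec", {}).get("taints") or [])}


def old_state_decision(review: dict[str, Any]) -> tuple[bool, str]:
    """Fragile style: deny only when the taint was present before and is gone now.

    This is the pattern CVE-2021-25735 affects: if the oldObject the webhook
    receives does not show the taint, the condition never fires.
    """
    req = review["request"]
    old_keys = _taint_keys(req.get("oldObject") or {})
    new_keys = _taint_keys(req["object"])
    if PROTECTED_TAINT in old_keys and PROTECTED_TAINT not in new_keys:
        return False, f"removing taint {PROTECTED_TAINT} is not allowed"
    return True, ""


def new_state_decision(review: dict[str, Any]) -> tuple[bool, str]:
    """Hardened style: the submitted object must carry the taint, whatever the old one said."""
    new_keys = _taint_keys(review["request"]["object"])
    if PROTECTED_TAINT not in new_keys:
        return False, f"node must carry taint {PROTECTED_TAINT}"
    return True, ""


def admission_response(review: dict[str, Any], decide) -> dict[str, Any]:
    """Build the AdmissionReview response body the apiserver expects from a webhook."""
    allowed, msg = decide(review)
    resp: dict[str, Any] = {"uid": review["request"]["uid"], "allowed": allowed}
    if not allowed:
        resp["status"] = {"code": 403, "message": msg}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


def make_review(old_taints, new_taints, uid="demo-uid"):
    """Constructed UPDATE review for a Node; taints are given as lists of keys."""
    def node(keys):
        return {"apiVersion": "v1", "kind": "Node", "metadata": {"name": "worker-1"},
                "spec": {"taints": [{"key": k, "effect": "NoSchedule"} for k in keys]}}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "kind": {"group": "", "version": "v1", "kind": "Node"},
                        "operation": "UPDATE",
                        "object": node(new_taints), "oldObject": node(old_taints)}}


if __name__ == "__main__":
    # Normal case: complete oldObject, taint removed -> both styles deny.
    complete = make_review([PROTECTED_TAINT], [])
    # Degraded case: oldObject reaches the webhook without the taint -> only the
    # new-state check still denies.
    degraded = make_review([], [])
    for label, review in [("complete oldObject", complete), ("incomplete oldObject", degraded)]:
        print(label,
              "| old-state check allows:", old_state_decision(review)[0],
              "| new-state check allows:", new_state_decision(review)[0])
    print(json.dumps(admission_response(degraded, new_state_decision)))
```

Wiring this into a real webhook means serving it over TLS on the path named in the ValidatingWebhookConfiguration and passing the parsed request body to admission_response. The design point is that new_state_decision expresses the invariant directly ("every node carries this taint"), so its answer does not depend on what the apiserver chose to include in oldObject.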
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.