Unpatchable Vulnerabilities of Kubernetes: CVE-2021-25740

Datadog analyzes CVE-2021-25740, an unpatchable Kubernetes design issue where a tenant with permission to modify Endpoint or EndpointSlice objects can repoint a Service to arbitrary IPs instead of its own pods. In multi-tenant clusters that use shared ingress controllers or LoadBalancer services, this lets an attacker redirect traffic for their own hostname or path to victim workloads in other namespaces, bypassing network isolation that would normally block direct access. The root cause is that Service backends are resolved through namespace-scoped EndpointSlice data trusted by shared routing components, so those components can be tricked into forwarding requests across tenant boundaries. The write-up is practically relevant for Kubernetes operators because mitigation is architectural and RBAC-based rather than patch-based: avoid shared ingress/load balancers for hostile tenants, migrate toward Gateway API patterns, and remove user write access to EndpointSlice resources.
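
As an added example that is not part of the Datadog write-up, the following Python audit walks a list of Role/ClusterRole objects and flags any rule granting write verbs on Endpoints or EndpointSlices, the tenant access the post says should be removed. The role names, namespaces and rules are constructed sample data, not from a real cluster.

```python
"""Audit Kubernetes RBAC rules for write access to Endpoints / EndpointSlices.

A tenant who can create, update or patch these objects can repoint a Service
at arbitrary IPs (CVE-2021-25740), so shared ingress/LoadBalancer components
will forward that tenant's traffic to backends in other namespaces.
"""
from typing import Iterable

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# Endpoints live in the core API group (""), EndpointSlices in discovery.k8s.io.
SENSITIVE = {("", "endpoints"), ("discovery.k8s.io", "endpointslices")}


def rule_grants_endpoint_write(rule: dict) -> set:
    """Return the sensitive (group, resource) pairs a single PolicyRule can write."""
    verbs = set(rule.get("verbs", []))
    if "*" not in verbs and not (verbs & WRITE_VERBS):
        return set()
    groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
    hits = set()
    for group, resource in SENSITIVE:
        group_ok = "*" in groups or group in groups
        # A rule may name a subresource ("endpointslices/x"); match on the base name.
        res_ok = "*" in resources or any(r.split("/")[0] == resource for r in resources)
        if group_ok and res_ok:
            hits.add((group, resource))
    return hits


def audit_roles(roles: Iterable[dict]) -> list:
    """Flag every Role/ClusterRole whose rules could rewrite Service backends."""
    findings = []
    for role in roles:
        meta = role.get("metadata", {})
        for i, rule in enumerate(role.get("rules", [])):
            hits = rule_grants_endpoint_write(rule)
            if hits:
                findings.append({"kind": role["kind"], "namespace": meta.get("namespace"),
                                 "name": meta["name"], "rule_index": i,
                                 "resources": sorted(f"{g}/{r}" if g else r for g, r in hits)})
    return findings


# Constructed sample roles: one tenant role with endpoint write, one wildcard admin
# ClusterRole, one read-only role (should not be flagged), one EndpointSlice patcher.
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"name": "tenant-dev", "namespace": "tenant-a"}, "rules": [
        {"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["endpoints"], "verbs": ["create", "update"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "edit-all"}, "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "tenant-ro", "namespace": "tenant-b"}, "rules": [
        {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "slice-patcher", "namespace": "tenant-b"}, "rules": [
        {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"], "verbs": ["patch"]}]},
]

if __name__ == "__main__":
    for f in audit_roles(SAMPLE_ROLES):
        print(f"{f['kind']} {f['namespace'] or '<cluster>'}/{f['name']} rule[{f['rule_index']}] "
              f"can write {', '.join(f['resources'])}")
```

In a live cluster the same functions can be fed the output of `kubectl get roles,clusterroles -A -o json`; RoleBindings still decide which tenants actually hold each flagged role.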

This post is licensed under CC BY 4.0 by the author.