Security Bulletins

Calico Enterprise & Calico OS are vulnerable to pod route hijacking

Return to List
Description Severity Notes

Calico Enterprise & Calico OS are vulnerable to pod route hijacking

Reference: TTA-2022-001

Date published: June 27, 2022 (Updated)

Medium N/A


Customers running Calico Enterprise and Calico OS are vulnerable to route hijacking with the floating IP feature. Due to insufficient validation, a privileged attacker is able to set a floating IP annotation to a pod even if the feature is not enabled. This allows the attacker to intercept and reroute traffic to their compromised pod.

CVE-2022-28224 has been assigned to this vulnerability.




The validation on using floating IP can be bypassed by annotating the pod directly after pod creation. The routing will be reverted when the annotated pod is destroyed or the annotation is removed. This vulnerability requires the Kubernetes RBAC permission of [“patch”, “pods”], [“patch”, “pods/status”] or [“update”, “pods/status”] to annotate pods.

With sufficient permission, an attacker can set annotation to a target pod using the following command:

kubectl annotate pod/<pod-name>"[\"<target-ip>\"]"

Where <pod-name> is the victim pod the attacker wants to affect and <target-ip> is the attacker controlled destination to forward the traffic to.

Affected Releases

  • Calico Enterprise v3.12 and below
  • Calico OS v3.22 and below

Indicators of Impact/Compromise

Review running pods and identify if floatingIP annotations are present. Floating IP is disabled by default.

To check if floating IP is enabled, refer to the calico-config ConfigMap. In the “cni_network_config” section, within the “feature_control” plugin, review if “floating_ips” is set to “true”.

An example of a ConfigMap with floating IP being enabled:

 cni_network_config: |-
      "name": "k8s-pod-network",
      "cniVersion": "0.3.0",
      "plugins": [
          "type": "calico",
          "log_level": "info",
          "datastore_type": "kubernetes",
          "nodename": "__KUBERNETES_NODE_NAME__",
          "mtu": __CNI_MTU__,
          "ipam": {
              "type": "calico-ipam"
          "policy": {
              "type": "k8s"
          "kubernetes": {
              "kubeconfig": "__KUBECONFIG_FILEPATH__"
          "feature_control": {
              "floating_ips": true
          "type": "portmap",
          "snat": true,
          "capabilities": {"portMappings": true}

If floating IP is disabled, review all running pods to check if an annotation was set with the following command:

kubectl get pods -A -oyaml | grep "floatingIPs"

An truncated example of a pod manifest with the affected annotation:

- apiVersion: v1
  kind: Pod
    annotations: 3902b5aff88e589211fbf017a28a293e58c27cc8bd8b5a4f52c788bd3f004561
    creationTimestamp: "2022-06-13T20:31:21Z"
    generateName: test-app-1-
      app: test-app-1
      controller-revision-hash: 5f65c4857b
      pod-template-generation: "1"
    name: test-pod-7wzxl
    namespace: test-ns

If a floating IP annotation is found, an investigation should be done to determine the impact of the compromise.

Workaround / Remediation

Review Kubernetes RBAC and review access to [“patch”, “pods”], [“patch”, “pods/status”] and [“update”, “pods/status”]

Fixed Software

  • Calico Enterprise
    • V3.13.0 and above
    • v3.12.1
    • v3.11.4
  • Calico OS
    • V3.22.2 and above
    • v3.21.5
    • v.3.20.5


We would like to acknowledge Aloys Augustin from Cisco for reporting this issue. We would also like to acknowledge Yuval Avrahami for the additional analysis.

Return to List