Skip to content

Fine grained Kubelet API authorization #83465

New issue
Jump to bottom
New issue
Jump to bottom
Closed
Closed
Fine grained Kubelet API authorization#83465
Labels
area/kubelet-apikind/featureCategorizes issue or PR as related to a new feature.lifecycle/frozenIndicates that an issue or PR should not be auto-closed due to staleness.needs-triageIndicates an issue or PR lacks a `triage/foo` label and requires one.priority/important-longtermImportant over the long term, but may not be staffed and/or may need multiple releases to complete.sig/authCategorizes an issue or PR as relevant to SIG Auth.sig/nodeCategorizes an issue or PR as relevant to SIG Node.
@tallclair

Description

@tallclair
tallclair
opened on Oct 3, 2019

Summary
The node API authorization is too coarse. We need finer grained authorization of different request types, and maybe resources acted on.

Background

The Kubelet API on the authenticated (10250) port currently uses a very coarse-grained scheme for authorizing requests. For example, reading /healthz and calling /exec/... (i.e. execute arbitrary code) require the same proxy subresource. The SubjectAccessReviews are currently populated with:

  • Requisting user (generally from a TokenReviewRequest or client certificate authentication)
  • Request verb
  • A resource request with:
    • APIGroup: ""
    • APIVersion: "v1"
    • Resource: "nodes"
    • Name: nodeName (the name of the node the request was against)
    • Subresource: one of: proxy, log, metrics, spec, stats

The full mapping of request paths to subresources can be found here:

kubernetes/pkg/kubelet/server/auth_test.go

Lines 110 to 143 in 14344b5

testPaths := map[string]string{
"/attach/{podNamespace}/{podID}/{containerName}": "proxy",
"/attach/{podNamespace}/{podID}/{uid}/{containerName}": "proxy",
"/configz": "proxy",
"/containerLogs/{podNamespace}/{podID}/{containerName}": "proxy",
"/cri/": "proxy",
"/cri/foo": "proxy",
"/debug/flags/v": "proxy",
"/debug/pprof/{subpath:*}": "proxy",
"/exec/{podNamespace}/{podID}/{containerName}": "proxy",
"/exec/{podNamespace}/{podID}/{uid}/{containerName}": "proxy",
"/healthz": "proxy",
"/healthz/log": "proxy",
"/healthz/ping": "proxy",
"/healthz/syncloop": "proxy",
"/logs/": "log",
"/logs/{logpath:*}": "log",
"/metrics": "metrics",
"/metrics/cadvisor": "metrics",
"/metrics/probes": "metrics",
"/metrics/resource/v1alpha1": "metrics",
"/pods/": "proxy",
"/portForward/{podNamespace}/{podID}": "proxy",
"/portForward/{podNamespace}/{podID}/{uid}": "proxy",
"/run/{podNamespace}/{podID}/{containerName}": "proxy",
"/run/{podNamespace}/{podID}/{uid}/{containerName}": "proxy",
"/runningpods/": "proxy",
"/spec/": "spec",
"/stats/": "stats",
"/stats/container": "stats",
"/stats/summary": "stats",
"/stats/{namespace}/{podName}/{uid}/{containerName}": "stats",
"/stats/{podName}/{containerName}": "stats",
}

Fixing this issue is a prerequisite to removing the Kubelet's unauthenticated API: #12968

Although this issue is specific to the Kubelet API, other components that use delegated authorization for a subdivided API will face the same problems.

Desired State

In an ideal world, authorization would happen against the following criteria:

  1. Requester has permission to use the node API for this Kubelet.
  2. If it's a resource request with a Kubernetes API analog, the requester is authorized to make the request through the regular API
    • E.g. /exec/podNamespace/podID/containerName maps to: 
      apiGroup: "core"
apiVersion: "v1"
resource: "pods"
namespace: podNamespace
name: podName
subresource: "exec"
    • E.g. /pods/ maps to: 
      apiGroup: "core"
apiVersion: "v1"
resource: "pods"
verb: "list"
  3. If it's a non-resource request (e.g. /healthz, /logs), then it's a regular non-resource request authorization check (still requiring [1]), with the requested path being the requested path.
    • optional: We could prefix the request path to indicate a request via the kubelet API, so the authorization can't be used against other non-kubelet targets.

These changes need to maintain backwards compatibility with the current coarse grained permissions.

/sig auth
/sig node
/kind feature
/area kubelet-api
/priority important-longterm

See also:

Metadata

Assignees

No one assigned

    Labels

    area/kubelet-apikind/featureCategorizes issue or PR as related to a new feature.lifecycle/frozenIndicates that an issue or PR should not be auto-closed due to staleness.needs-triageIndicates an issue or PR lacks a `triage/foo` label and requires one.priority/important-longtermImportant over the long term, but may not be staffed and/or may need multiple releases to complete.sig/authCategorizes an issue or PR as relevant to SIG Auth.sig/nodeCategorizes an issue or PR as relevant to SIG Node.

    Type

    No type

    Projects

    SIG Auth

    • Status

      Closed / Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions