Prevent host access on VIP addresses in proxy-mode=ipvs #108460
Conversation
|
Skipping CI for Draft Pull Request. |
k8s-ci-robot
added
do-not-merge/work-in-progress
|
@uablrek: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-triage
k8s-ci-robot
added
area/ipvs
sig/network
|
/sig network |
|
@andrewsykim Please review and advise about the update of the filter-INPUT chain. The update to create a |
k8s-ci-robot
added
size/M
|
Unfortunately there is more to it. When the iptables rules are applied access to the host ports is rejected ok, but access to the service from main netns on the node doesn't work 😞 This is because traffic from main netns gets the VIP address as source. Example for 10.0.0.0 as VIP; This causes reply traffic with dest |
|
Adding a ctstate solves the problem; But are all cases covered? How about UDP? |
|
/test all |
|
/test pull-kubernetes-verify |
|
/test pull-kubernetes-e2e-gci-gce-ipvs |
1 similar comment
|
/test pull-kubernetes-e2e-gci-gce-ipvs |
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
/assign @andrewsykim |
|
Now it looks like this; We have both |
|
The "drop packets to ipvs0 addresses" rule wouldn't be useful in FORWARD, but it would be harmless... |
|
@danwinship Should I remove KUBE-IPVS-FILTER and use KUBE-PROXY-FIREWALL? It would be cleaner, but almost everything passes FORWARD, so...? |
|
I don't have a vote here, but my gut says to keep them broken out unless there is a strong reason not to. For the reasons you said, but also observability/debugging if something has gone wrong. I think it is quite clean as is, and mixing it into another chain seems a step backward. (Not a contributor to kube-proxy, just a rando that has been worrying about this security bug from the sidelines). |
| @@ -1779,6 +1790,22 @@ func (proxier *Proxier) writeIptablesRules() { | |||
| "-j", "ACCEPT", | |||
| ) | |||
|
|
|||
| // Add rules to the filter/KUBE-IPVS-FILTER chain to prevent access to ports on the host through VIP addresses. | |||
| // https://github.com/kubernetes/kubernetes/issues/72236 | |||
| proxier.filterRules.Write( | |||
There was a problem hiding this comment.
@danwinship We have historically NOT used ipset in iptables mode, but maybe that's something we should consider?
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: danwinship, thockin, uablrek The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
The problem was introduced by PR kubernetes#108460
The problem was introduced by PR kubernetes#108460
The problem was introduced by PR kubernetes#108460
The problem was introduced by PR kubernetes#108460
The problem was introduced by PR kubernetes#108460
The problem was introduced by PR kubernetes#108460
What type of PR is this?
/kind bug
What this PR does / why we need it:
In proxy-mode=ipvs ports on the host, e.g. ssh:22, can be accessed from an external machine using an external VIP address or a service address.
Which issue(s) this PR fixes:
Fixes #72236
Special notes for your reviewer:
An attempt at solving this according to #72236 (comment)
I am very uncertain about the division of iptables handling between
kubeletandkube-proxy. The filter-INPUT chain is from what I can see only updated bykubelet. Please advice on how to update it fromkube-proxywithout messing up.Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: