Secure Kubelet's componentconfig defaults while maintaining CLI compatibility #59666
Conversation
/retest
…tibility This updates the Kubelet's componentconfig defaults, while applying the legacy defaults to values from options.NewKubeletConfiguration(). This keeps defaults the same for the command line and improves the security of defaults when you load config from a file. See: kubernetes#53618 See: kubernetes#53833 (comment)
lgtm, but would appreciate @liggitt's ack.
/retest
} | ||
if obj.Authentication.Webhook.Enabled == nil { | ||
obj.Authentication.Webhook.Enabled = boolVar(false) | ||
obj.Authentication.Webhook.Enabled = boolVar(true) |
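Review bot: flipping this default to `boolVar(true)` means a config file that omits `authentication.webhook.enabled` now needs a kubeconfig to start, so this block should carry a comment (and the config-file documentation a note) that standalone kubelets must set the field to false explicitly; the legacy false value still reaches the flag path only because options.NewKubeletConfiguration() pre-populates it before this defaulter runs, which is worth stating next to the code rather than only in the commit message.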
This will only work if you have a kubeconfig specified, right? Do we need to make this conditional on whether you are in standalone mode?
It won't be a silent failure: https://github.com/kubernetes/kubernetes/blob/master/cmd/kubelet/app/auth.go#L73
I'd rather default to true, and tell people to turn it off explicitly in standalone mode. Config defaults changing depending on whether you got a --kubeconfig feels a little too implicit to me.
ok
} | ||
if obj.Authentication.Webhook.CacheTTL == zeroDuration { | ||
obj.Authentication.Webhook.CacheTTL = metav1.Duration{Duration: 2 * time.Minute} | ||
} | ||
if obj.Authorization.Mode == "" { | ||
obj.Authorization.Mode = KubeletAuthorizationModeAlwaysAllow | ||
obj.Authorization.Mode = KubeletAuthorizationModeWebhook |
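Review bot: same point for `obj.Authorization.Mode = KubeletAuthorizationModeWebhook`: a file that leaves `authorization.mode` empty now gets a mode that requires a kubeconfig, so the standalone case should be documented beside this line (set the mode to AlwaysAllow explicitly) and the flag path should get a test asserting it still ends up with AlwaysAllow, matching whatever treatment `Authentication.Webhook.Enabled` receives above.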
Same with this
Overall, the approach seems reasonable. One question on defaulting for things that require a kubeconfig
/lgtm
Experiencing this on 1.6.14 (Rancher) running Kubernetes 1.8.6 - lock down ports first - upgrading now ubuntu@cd-r:~$ sudo ps -ef | grep stratum
Is there any CVE for this? This is information disclosure. Also a backport for 1.9 (and 1.8) would be good I think.
No. Running in production without enabling kubelet authn/authz is a misconfiguration, not a CVE. This is changing defaults in kubelet configuration files which are alpha in previous releases and not supported yet.
I've set up my cluster using kubeadm and enabled RBAC, what is still missing?
@sathieu kubeadm enables kubelet authorization (https://github.com/kubernetes/release/blob/master/rpm/10-kubeadm-pre-1.8.conf#L6), so anonymous requests cannot make kubelet API calls by default (they get 403 forbidden errors)
But this doesn't apply to the readonly port (tested on 1.9.4). See also: https://medium.com/handy-tech/analysis-of-a-kubernetes-hack-backdooring-through-kubelet-823be5c3d67c
correct, though you cannot perform exec/attach calls via the readonly port. kubeadm should also disable the readonly port to follow best practices.
Secure kubelet public api, add authentication for https port 10250 and close http port 10255. Please refer to kubernetes/kubernetes#7965, kubernetes/kubernetes#59666 for reasons and docker/for-linux#324, [Backdooring through kubelet](https://medium.com/handy-tech/analysis-of-a-kubernetes-hack-backdooring-through-kubelet-823be5c3d67c) for hacking examples.
This updates the Kubelet's componentconfig defaults, while applying the legacy defaults to values from options.NewKubeletConfiguration(). This keeps defaults the same for the command line and improves the security of defaults when you load config from a file.
See: #53618
See: #53833 (comment)
Also moves EnableServer to KubeletFlags, per @tallclair's comments on #53833.
We should find a way of generating documentation for config file defaults, so that people can easily look up what's different from flags.
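The two-stage defaulting the PR description sets out (legacy values applied on the flag path, secure values filling whatever a config file leaves unset), and the thread's later point that kubeadm-style hardening also has to close the read-only port, as one added Go example. This is not kubelet code: the `KubeletConfiguration` struct, the `ApplyLegacyDefaults` helper and the `WeakSettings` check are constructed stand-ins for this illustration, and `ApplyLegacyDefaults` mirrors only the intent attributed to `options.NewKubeletConfiguration()` in the description, not its actual source.

```go
package main

import (
	"fmt"
	"time"
)

// Minimal stand-ins for the kubelet's componentconfig types (constructed for
// this example; the real ones live in pkg/kubelet/apis/kubeletconfig).
const (
	KubeletAuthorizationModeAlwaysAllow = "AlwaysAllow"
	KubeletAuthorizationModeWebhook     = "Webhook"
)

type WebhookAuthentication struct {
	Enabled  *bool
	CacheTTL time.Duration
}

type KubeletAuthentication struct {
	Webhook WebhookAuthentication
}

type KubeletAuthorization struct {
	Mode string
}

type KubeletConfiguration struct {
	Authentication KubeletAuthentication
	Authorization  KubeletAuthorization
	ReadOnlyPort   int32 // the unauthenticated HTTP port; 0 disables it
}

func boolVar(b bool) *bool { return &b }

// SetSecureDefaults fills only the fields a config file left unset, in the
// direction the two hunks above take: webhook authn on, webhook authz on.
// ReadOnlyPort is deliberately untouched; the PR did not change it.
func SetSecureDefaults(obj *KubeletConfiguration) {
	if obj.Authentication.Webhook.Enabled == nil {
		obj.Authentication.Webhook.Enabled = boolVar(true)
	}
	if obj.Authentication.Webhook.CacheTTL == 0 {
		obj.Authentication.Webhook.CacheTTL = 2 * time.Minute
	}
	if obj.Authorization.Mode == "" {
		obj.Authorization.Mode = KubeletAuthorizationModeWebhook
	}
}

// ApplyLegacyDefaults pre-populates the fields whose defaults changed, so that
// SetSecureDefaults finds nothing left to fill on the flag path. Assumption:
// this mirrors the intent described for options.NewKubeletConfiguration().
func ApplyLegacyDefaults(obj *KubeletConfiguration) {
	obj.Authentication.Webhook.Enabled = boolVar(false)
	obj.Authorization.Mode = KubeletAuthorizationModeAlwaysAllow
}

// NewFromFlags is the command-line path: legacy values first, then defaulting.
func NewFromFlags() *KubeletConfiguration {
	obj := &KubeletConfiguration{}
	ApplyLegacyDefaults(obj)
	SetSecureDefaults(obj)
	return obj
}

// NewFromFile is the --config path: whatever the file set, then defaulting.
func NewFromFile(fromFile KubeletConfiguration) *KubeletConfiguration {
	obj := fromFile
	SetSecureDefaults(&obj)
	return &obj
}

// RequiresKubeconfig answers the review question on the hunks: with webhook
// authn or authz in effect the kubelet cannot start without an API server,
// so a standalone kubelet loading a file must set both fields explicitly.
func RequiresKubeconfig(obj *KubeletConfiguration) bool {
	webhookAuthn := obj.Authentication.Webhook.Enabled != nil && *obj.Authentication.Webhook.Enabled
	return webhookAuthn || obj.Authorization.Mode == KubeletAuthorizationModeWebhook
}

// WeakSettings lists the settings the thread calls a misconfiguration for a
// production kubelet: no authn webhook, AlwaysAllow authz, open read-only port.
func WeakSettings(obj *KubeletConfiguration) []string {
	var findings []string
	if obj.Authentication.Webhook.Enabled == nil || !*obj.Authentication.Webhook.Enabled {
		findings = append(findings, "authentication.webhook.enabled is false")
	}
	if obj.Authorization.Mode == KubeletAuthorizationModeAlwaysAllow {
		findings = append(findings, "authorization.mode is AlwaysAllow")
	}
	if obj.ReadOnlyPort != 0 {
		findings = append(findings, fmt.Sprintf("readOnlyPort %d is open", obj.ReadOnlyPort))
	}
	return findings
}

func main() {
	fmt.Println("flag path:", WeakSettings(NewFromFlags()))
	fmt.Println("empty config file:", WeakSettings(NewFromFile(KubeletConfiguration{})))
	// A constructed file that opts into standalone mode and keeps the read-only port.
	standalone := KubeletConfiguration{ReadOnlyPort: 10255}
	standalone.Authentication.Webhook.Enabled = boolVar(false)
	standalone.Authorization.Mode = KubeletAuthorizationModeAlwaysAllow
	fmt.Println("standalone file:", WeakSettings(NewFromFile(standalone)))
}
```

The ordering is the whole trick: because `SetSecureDefaults` only fills empty fields, running `ApplyLegacyDefaults` first makes the flag path indistinguishable from before, while an empty config file lands on the secure values and therefore needs a kubeconfig, which is exactly the case a standalone operator has to opt out of by writing the fields explicitly.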