[release-1.24] Ensure that no embedded controllers are using the admin RBAC #7703
Assignees
Milestone
Comments
Validated on Version:- k3s version v1.24.14+k3s-d74fa4f4 (d74fa4f4)Environment DetailsInfrastructure Node(s) CPU architecture, OS, and Version: Cluster Configuration: Config.yaml: Steps to Validate the fix:
Issue Validation ~$ k3s -v
k3s version v1.24.14+k3s-d74fa4f4 (d74fa4f4)
~$ sudo mkdir -p -m 700 /var/lib/rancher/k3s/server/logs
ExecStart=/usr/local/bin/k3s \
server \
'--kube-apiserver-arg=audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log' \
'--kube-apiserver-arg=audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml' \
~$ sudo systemctl daemon-reload
~$ sudo systemctl restart k3s.service
~$ sudo awk '/system:k3s-supervisor/ && /controller/ { if (++count <= 2) print }' /var/lib/rancher/k3s/server/logs/audit.log
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"f98fca11-7581-443e-a6c3-46b0e4bb06af","stage":"RequestReceived","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/k3s-cloud-controller-manager","verb":"patch","user":{"username":"system:k3s-supervisor","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"deploy@ip-172-31-20-35/v1.24.14+k3s-d74fa4f4 (linux/amd64) k3s/d74fa4f4","objectRef":{"resource":"clusterrolebindings","name":"k3s-cloud-controller-manager","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"},"requestReceivedTimestamp":"2023-06-16T11:25:33.832629Z","stageTimestamp":"2023-06-16T11:25:33.832629Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"f98fca11-7581-443e-a6c3-46b0e4bb06af","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/k3s-cloud-controller-manager","verb":"patch","user":{"username":"system:k3s-supervisor","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"deploy@ip-172-31-20-35/v1.24.14+k3s-d74fa4f4 (linux/amd64) k3s/d74fa4f4","objectRef":{"resource":"clusterrolebindings","name":"k3s-cloud-controller-manager","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-06-16T11:25:33.832629Z","stageTimestamp":"2023-06-16T11:25:33.858225Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"584cc63f-1a02-41c4-b684-d6f7e086fd8d","stage":"RequestReceived","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/k3s-cloud-controller-manager-auth-delegator","verb":"patch","user":{"username":"system:k3s-supervisor","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"deploy@ip-172-31-20-35/v1.24.14+k3s-d74fa4f4 (linux/amd64) k3s/d74fa4f4","objectRef":{"resource":"clusterrolebindings","name":"k3s-cloud-controller-manager-auth-delegator","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"},"requestReceivedTimestamp":"2023-06-16T11:25:33.870710Z","stageTimestamp":"2023-06-16T11:25:33.870710Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"584cc63f-1a02-41c4-b684-d6f7e086fd8d","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/k3s-cloud-controller-manager-auth-delegator","verb":"patch","user":{"username":"system:k3s-supervisor","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"deploy@ip-172-31-20-35/v1.24.14+k3s-d74fa4f4 (linux/amd64) k3s/d74fa4f4","objectRef":{"resource":"clusterrolebindings","name":"k3s-cloud-controller-manager-auth-delegator","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-06-16T11:25:33.870710Z","stageTimestamp":"2023-06-16T11:25:33.874027Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a69dd30a-9b2c-4554-a282-393a03ebc786","stage":"RequestReceived","requestURI":"/apis/rbac.authorization.k8s.io/v1/namespaces/kube-system/rolebindings/k3s-cloud-controller-manager-authentication-reader","verb":"patch","user":{"username":"system:k3s-supervisor","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"deploy@ip-172-31-20-35/v1.24.14+k3s-d74fa4f4 (linux/amd64) k3s/d74fa4f4","objectRef":{"resource":"rolebindings","namespace":"kube-system","name":"k3s-cloud-controller-manager-authentication-reader","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"},"requestReceivedTimestamp":"2023-06-16T11:25:33.913479Z","stageTimestamp":"2023-06-16T11:25:33.913479Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a69dd30a-9b2c-4554-a282-393a03ebc786","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/namespaces/kube-system/rolebindings/k3s-cloud-controller-manager-authentication-reader","verb":"patch","user":{"username":"system:k3s-supervisor","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"deploy@ip-172-31-20-35/v1.24.14+k3s-d74fa4f4 (linux/amd64) k3s/d74fa4f4","objectRef":{"resource":"rolebindings","namespace":"kube-system","name":"k3s-cloud-controller-manager-authentication-reader","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-06-16T11:25:33.913479Z","stageTimestamp":"2023-06-16T11:25:33.929808Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"576ad1b4-db9d-4613-b75c-52a8abc74918","stage":"RequestReceived","requestURI":"/api/v1","verb":"get","user":{"username":"system:k3s-supervisor","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"helm-controller@ip-172-31-20-35/v1.24.14+k3s-d74fa4f4 (linux/amd64) k3s/d74fa4f4","requestReceivedTimestamp":"2023-06-16T11:25:34.445964Z","stageTimestamp":"2023-06-16T11:25:34.445964Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"91579c82-de5e-4462-8ba7-1befe8409ea8","stage":"RequestReceived","requestURI":"/api/v1/namespaces/kube-system/events","verb":"create","user":{"username":"system:k3s-supervisor","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"helm-controller@ip-172-31-20-35/v1.24.14+k3s-d74fa4f4 (linux/amd64) k3s/d74fa4f4","objectRef":{"resource":"events","namespace":"kube-system","apiVersion":"v1"},"requestReceivedTimestamp":"2023-06-16T11:25:34.446202Z","stageTimestamp":"2023-06-16T11:25:34.446202Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"576ad1b4-db9d-4613-b75c-52a8abc74918","stage":"ResponseComplete","requestURI":"/api/v1","verb":"get","user":{"username":"system:k3s-supervisor","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"helm-controller@ip-172-31-20-35/v1.24.14+k3s-d74fa4f4 (linux/amd64) k3s/d74fa4f4","responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-06-16T11:25:34.445964Z","stageTimestamp":"2023-06-16T11:25:34.449306Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"91579c82-de5e-4462-8ba7-1befe8409ea8","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/events","verb":"create","user":{"username":"system:k3s-supervisor","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"helm-controller@ip-172-31-20-35/v1.24.14+k3s-d74fa4f4 (linux/amd64) k3s/d74fa4f4","objectRef":{"resource":"events","namespace":"kube-system","name":"traefik.1769200368fefaa8","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2023-06-16T11:25:34.446202Z","stageTimestamp":"2023-06-16T11:25:34.450748Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The text was updated successfully, but these errors were encountered: