-
Notifications
You must be signed in to change notification settings - Fork 14.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Protect the Kubelet API #208
Conversation
Setting required to prevent: https://github.com/kayrus/kubelet-exploit
@bgeesaman Does this break the tutorial? |
Ah, you're correct. It does break exec/attach/proxy requests from the API server to the Kubelet. More adjustments are needed. |
This should do it, but I still need to do a full run-through to verify every detail. |
@kelseyhightower I created a cluster role according to https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ and a cluster role binding for the CN Also, I moved the I've gone through the tutorial start to finish with these settings successfully. |
@@ -79,7 +79,7 @@ ExecStart=/usr/local/bin/kube-apiserver \\ | |||
--etcd-servers=https://10.240.0.10:2379,https://10.240.0.11:2379,https://10.240.0.12:2379 \\ | |||
--event-ttl=1h \\ | |||
--experimental-encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml \\ | |||
--insecure-bind-address=0.0.0.0 \\ | |||
--insecure-bind-address=127.0.0.1 \\ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since the secure port is already listening, this is just used for the locally running control plane services.
@@ -118,7 +118,7 @@ ExecStart=/usr/local/bin/kube-controller-manager \\ | |||
--cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\ | |||
--cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \\ | |||
--leader-elect=true \\ | |||
--master=http://${INTERNAL_IP}:8080 \\ | |||
--master=http://127.0.0.1:8080 \\ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Modify to look locally instead of on the INTERNAL_IP.
@@ -144,7 +144,7 @@ Documentation=https://github.com/GoogleCloudPlatform/kubernetes | |||
[Service] | |||
ExecStart=/usr/local/bin/kube-scheduler \\ | |||
--leader-elect=true \\ | |||
--master=http://${INTERNAL_IP}:8080 \\ | |||
--master=http://127.0.0.1:8080 \\ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Modify to look locally instead of on the INTERNAL_IP.
@@ -185,6 +185,8 @@ Requires=crio.service | |||
|
|||
[Service] | |||
ExecStart=/usr/local/bin/kubelet \\ | |||
--anonymous-auth=false \\ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do not automatically consider clients to the Kubelet as system:anonymous
in case someone unknowingly makes the system:anonymous
role have actual permissions.
@@ -185,6 +185,8 @@ Requires=crio.service | |||
|
|||
[Service] | |||
ExecStart=/usr/local/bin/kubelet \\ | |||
--anonymous-auth=false \\ | |||
--authorization-mode=Webhook \\ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ask the API server via the SubjectAccessReview mechanism if the subject
is allowed to access the Kubelet API for a given resource and verb.
@@ -199,6 +201,7 @@ ExecStart=/usr/local/bin/kubelet \\ | |||
--register-node=true \\ | |||
--require-kubeconfig \\ | |||
--runtime-request-timeout=10m \\ | |||
--client-ca-file=/var/lib/kubernetes/ca.pem \\ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Give the kubelet the ability to validate certificates against the CA to know the subject
to send for SubjectAccessReview.
I'll give this a run through soon and apply the changes. Thanks for putting this together. |
I've fixed this on master. I go into a little more detail on why this is required as well. Thanks for reporting this and the PR. |
👍 Glad you found it useful |
Setting required to prevent: https://github.com/kayrus/kubelet-exploit