Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Protect the Kubelet API #208

Closed
wants to merge 2 commits into from
Closed

Protect the Kubelet API #208

wants to merge 2 commits into from

Conversation

bgeesaman
Copy link

@kelseyhightower
Copy link
Owner

@bgeesaman Does this break the tutorial?

@bgeesaman
Copy link
Author

Ah, you're correct. It does break exec/attach/proxy requests from the API server to the Kubelet. More adjustments are needed.

@bgeesaman
Copy link
Author

This should do it, but I still need to do a full run-through to verify every detail.

@bgeesaman
Copy link
Author

bgeesaman commented Sep 3, 2017

@kelseyhightower I created a cluster role according to https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ and a cluster role binding for the CN kubernetes of the kubernetes.pem to be able to have those permissions when the Kubelet validates access from the API server via the Webhook. I was scratching my head with auth failures until I noticed the kublet was missing the --client-ca-file option.

Also, I moved the --insecure-bind-address to 127.0.0.1 and edited the kube-controller-manager.service and kube-scheduler.service to use that instead to protect the API from unauthenticated/clear-text access from the local network.

I've gone through the tutorial start to finish with these settings successfully.

@@ -79,7 +79,7 @@ ExecStart=/usr/local/bin/kube-apiserver \\
--etcd-servers=https://10.240.0.10:2379,https://10.240.0.11:2379,https://10.240.0.12:2379 \\
--event-ttl=1h \\
--experimental-encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml \\
--insecure-bind-address=0.0.0.0 \\
--insecure-bind-address=127.0.0.1 \\
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since the secure port is already listening, this is just used for the locally running control plane services.

@@ -118,7 +118,7 @@ ExecStart=/usr/local/bin/kube-controller-manager \\
--cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\
--cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \\
--leader-elect=true \\
--master=http://${INTERNAL_IP}:8080 \\
--master=http://127.0.0.1:8080 \\
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Modify to look locally instead of on the INTERNAL_IP.

@@ -144,7 +144,7 @@ Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service]
ExecStart=/usr/local/bin/kube-scheduler \\
--leader-elect=true \\
--master=http://${INTERNAL_IP}:8080 \\
--master=http://127.0.0.1:8080 \\
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Modify to look locally instead of on the INTERNAL_IP.

@@ -185,6 +185,8 @@ Requires=crio.service

[Service]
ExecStart=/usr/local/bin/kubelet \\
--anonymous-auth=false \\
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do not automatically consider clients to the Kubelet as system:anonymous in case someone unknowingly makes the system:anonymous role have actual permissions.

@@ -185,6 +185,8 @@ Requires=crio.service

[Service]
ExecStart=/usr/local/bin/kubelet \\
--anonymous-auth=false \\
--authorization-mode=Webhook \\
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ask the API server via the SubjectAccessReview mechanism if the subject is allowed to access the Kubelet API for a given resource and verb.

@@ -199,6 +201,7 @@ ExecStart=/usr/local/bin/kubelet \\
--register-node=true \\
--require-kubeconfig \\
--runtime-request-timeout=10m \\
--client-ca-file=/var/lib/kubernetes/ca.pem \\
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Give the kubelet the ability to validate certificates against the CA to know the subject to send for SubjectAccessReview.

@kelseyhightower
Copy link
Owner

I'll give this a run through soon and apply the changes. Thanks for putting this together.

@kelseyhightower
Copy link
Owner

I've fixed this on master. I go into a little more detail on why this is required as well. Thanks for reporting this and the PR.

@bgeesaman
Copy link
Author

👍 Glad you found it useful

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants