Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kubeadm lock down kubelet API #351

Closed
joantune opened this issue Jul 19, 2017 · 6 comments
Closed

kubeadm lock down kubelet API #351

joantune opened this issue Jul 19, 2017 · 6 comments

Comments

@joantune
Copy link

joantune commented Jul 19, 2017
edited
Loading

##FEATURE REQUEST

As per https://github.com/kubernetes/kubernetes.github.io/blob/master/docs/admin/kubelet-authentication-authorization.md and kubernetes/enhancements#89 kubeadm could(?)/should(?) make sure that node's kubectl 1025 port required a client certificate to connect to.

Versions

kubeadm 1.7.1

Environment:

  • Kubernetes 1.7.1

What happened?

wget --no-check-certificate https://<ip>:1025 returned a 404 Not found instead of a 401 (most likely needs to be rechecked)

What you expected to happen?

A 401

How to reproduce it (as minimally and precisely as possible)?

kubeadm init

On node:
kubeadm join <etc>
From another host:

wget --no-check-certificate https://<node>:1025

returns a 401
@mikedanese mikedanese changed the title kubeadm lock down kubectl API kubeadm lock down kubelet API Jul 19, 2017
@mikedanese
Copy link
Member

They kubelet API is already very locked down even though we allow anonymous authentication. Authorization will still stop an anonymous user from hitting endpoints of value. I'm not sure what the value is of disabling anonymous auth. cc @liggitt

@joantune
Copy link
Author

@mikedanese: got it!
On this topic:

how should one minimize the surface area of kubernetes to the outside world?

Kubectl's endpoint can be set to be accessible only from inside a cluster's private addresses right? one might lose access to kubectl from a local machine, but still be able to do that through a SSH tunnel (+ kubectl proxy if kubectl is only listening in another interface, right?)

I don't mean to be paranoid, it's just that the less endpoints exposed the better, I guess this was the rationale behind GCE's SSH tunnels.

@liggitt
Copy link
Member

liggitt commented Jul 19, 2017

I guess this was the rationale behind GCE's SSH tunnels.

GCE actually added SSH tunnels in lieu of securing the endpoints. With the ability to protect the endpoints, the benefit of tunneling is marginal (not zero, but not worth the added complexity for many deployments)

@joantune
Copy link
Author

joantune commented Jul 19, 2017
edited
Loading

GCE actually added SSH tunnels in lieu of securing the endpoints.

I see, I saw kubernetes/enhancements#89 original problem as a two issue thing, which was:
a) having access to kubectl's endpoint directly
b) allowing anyone to execute API endpoints

It was actually mostly b)
Although I have to say, If I want to also limit the surface area, after looking at the docs, I have no idea what is the best way to accomplish that. The concepts of Nodes/Pods/Services is well explained, but how they interact with the host's network and through which processes are not.

e.g. Do pods expose directly their container's Pod port when part of an externally accessible service [actually I think this one is explained, but when it's 'LoadBalanced' not so much] what's kubeproxy/kubectl for and what role do they play with kubernetes? can they be walled off the internet? How can that be achieved would a VPN be enough and a firewall or binding those to the VPN's interface only? would that brake things? Making this clearer would make sysadmins feel more secure on using Kubernetes inside their own clouds. A good diagram could help. Hell I'm willing to do put that effort if I understand how it goes (i.e. something like the diagrams that you already have, but detailing the Kubernete's processes and endpoints [like kubectl kubeproxy] and what kind of traffic they handle and what it's used for)

@luxas
Copy link
Member

luxas commented Jul 20, 2017

@joantune What happens if you do https://<ip>:10250/stats or /metrics or /containerLogs or an other valid path? I think the 404 for / is legit, since there is no associated path with / in the kubelet server.

This happens for me:

$ curl -sSLk https://localhost:10250
404 page not found
$ curl -sSLk https://localhost:10250/stats
Forbidden (user=system:anonymous, verb=get, resource=nodes, subresource=stats)
$ curl -sSLk https://localhost:10250/metrics
Forbidden (user=system:anonymous, verb=get, resource=nodes, subresource=metrics)

I do think this is working just as expected. This was locked down in v1.6.

All traffic to the kubelet's endpoint is first authenticated with the CA cert. If there is no authentication method like above, the auth module will authenticate the user as system:anonymous. The kubelet then POSTs a SubjectAccessReview for the user in question to the API server and gets a denial back, because only users in the system:masters group are allowed to access this API.

TL;DR; both authentication and authorization is enabled for this endpoint. Anonymous requests are allowed in the authentication phase, but won't survive the authorization phase unless you create some custom RBAC rules.

@luxas
Copy link
Member

luxas commented Aug 8, 2017

Closing this as the kubelet API endpoint is properly secured and has been since v1.6.0

@luxas luxas closed this as completed Aug 8, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@liggitt @joantune @mikedanese @luxas