
[release-1.25] Ensure that no embedded controllers are using the admin RBAC #7645

Closed
brandond opened this issue May 31, 2023 · 2 comments

@brandond (Member)

aganesh-suse commented Jun 15, 2023

RHEL 9.2

k3s -v
k3s version v1.25.10+k3s-d8aac17d (d8aac17d)
go version go1.19.9

There is a new "supervisor.kubeconfig" which was not there in the v1.25.10+k3s1 version

sudo ls /var/lib/rancher/k3s/server/cred
admin.kubeconfig       cloud-controller.kubeconfig  ipsec.psk  scheduler.kubeconfig
api-server.kubeconfig  controller.kubeconfig	    passwd     supervisor.kubeconfig

Additional certs for the supervisor which were not in the previous version:

sudo ls /var/lib/rancher/k3s/server/tls
client-admin.crt       client-controller.crt		client-kube-apiserver.key  client-supervisor.key  server-ca.nochain.crt
client-admin.key       client-controller.key		client-kubelet.key	   dynamic-cert.json	  service.current.key
client-auth-proxy.crt  client-k3s-cloud-controller.crt	client-kube-proxy.crt	   etcd			  service.key
client-auth-proxy.key  client-k3s-cloud-controller.key	client-kube-proxy.key	   request-header-ca.crt  serving-kube-apiserver.crt
client-ca.crt	       client-k3s-controller.crt	client-scheduler.crt	   request-header-ca.key  serving-kube-apiserver.key
client-ca.key	       client-k3s-controller.key	client-scheduler.key	   server-ca.crt	  serving-kubelet.key
client-ca.nochain.crt  client-kube-apiserver.crt	client-supervisor.crt	   server-ca.key	  temporary-certs

sudo cat /var/lib/rancher/k3s/server/manifests/web-helmchart.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: web
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: apache
  namespace: kube-system
spec:
  repo: https://charts.bitnami.com/bitnami
  chart: apache
  targetNamespace: web
  valuesContent: |-
    service:
      type: ClusterIP
    ingress:
      enabled: true
      hostname: www.example.com
    metrics:
      enabled: true

k get pods -n web
NAME                     READY   STATUS    RESTARTS   AGE
apache-955d6fff5-88g85   2/2     Running   0          4m45s


aganesh-suse commented Jun 15, 2023

Verify with generated audit logs:

Followed steps provided here for creating the audit logs directory and starting the k3s service with the required args:
https://docs.k3s.io/security/hardening-guide#api-server-audit-configuration

sudo mkdir -p -m 700 /var/lib/rancher/k3s/server/logs
sudo cat /var/lib/rancher/k3s/server/audit.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata

Edit /etc/systemd/system/k3s.service with lines:

ExecStart=/usr/local/bin/k3s \
    server \
    '--kube-apiserver-arg=audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log' \
    '--kube-apiserver-arg=audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml' \

sudo systemctl daemon-reload
sudo systemctl restart k3s.service

Sample audit log line verifying that 'system:k3s-supervisor' was used by the helm-controller:

sudo cat /var/lib/rancher/k3s/server/logs/audit.log | grep supervisor:

{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"d8cf09b4-425e-4c17-b512-7a2975cc20f3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/events","verb":"create","user":{"username":"system:k3s-supervisor","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"[email protected]/v1.25.10+k3s-d8aac17d (linux/amd64) k3s/d8aac17d","objectRef":{"resource":"events","namespace":"kube-system","name":"web-helmchart.1768ea9b41e303ae","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2023-06-15T19:06:55.467110Z","stageTimestamp":"2023-06-15T19:06:55.470838Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}

In the previous version (v1.25.10+k3s1), grepping for supervisor returned nothing.
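One way to turn the grep above into a repeatable check, as an added example that is not part of the k3s project or of the comment above: parse the audit log (one audit.k8s.io/v1 Event per line), summarise which identity, groups and user agent each client used, and flag any request from a k3s-embedded client that did not come in as system:k3s-supervisor. The sample lines are constructed; the first is adapted from the audit line in the comment with a generic user agent. `system:admin` as the identity behind admin.kubeconfig and `k3s/` as the marker for embedded clients' user agents are assumptions.

```python
"""Check which identities k3s-embedded clients use, from kube-apiserver audit log lines.

Added example, not k3s project code. Expects audit.k8s.io/v1 Events at level
Metadata or higher, one JSON object per line, as produced by the audit-policy above.
"""
import json
import sys
from collections import defaultdict

SUPERVISOR_USER = "system:k3s-supervisor"  # identity seen in the audit line above
ADMIN_USER = "system:admin"                # assumed identity behind admin.kubeconfig
EMBEDDED_AGENT_MARKER = "k3s/"             # assumed substring of embedded clients' user agents

# Constructed sample log: a supervisor write (adapted from the comment above), a kubectl
# read as admin, an embedded client still writing as admin, and one non-JSON line.
SAMPLE_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"d8cf09b4-425e-4c17-b512-7a2975cc20f3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/events","verb":"create","user":{"username":"system:k3s-supervisor","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"k3s/v1.25.10+k3s-d8aac17d (linux/amd64) k3s/d8aac17d","objectRef":{"resource":"events","namespace":"kube-system","name":"web-helmchart.1768ea9b41e303ae","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2023-06-15T19:06:55.467110Z","stageTimestamp":"2023-06-15T19:06:55.470838Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"1111","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/web/pods","verb":"list","user":{"username":"system:admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kubectl/v1.25.10 (linux/amd64) kubernetes/abcdef0","objectRef":{"resource":"pods","namespace":"web","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"2222","stage":"ResponseComplete","requestURI":"/apis/helm.cattle.io/v1/namespaces/kube-system/helmcharts/apache","verb":"update","user":{"username":"system:admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"k3s/v1.25.10+k3s1 (linux/amd64) k3s/abcdef0","objectRef":{"resource":"helmcharts","namespace":"kube-system","name":"apache","apiGroup":"helm.cattle.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
this line is not JSON and must be skipped
"""


def parse_audit_log(text):
    """Return the audit Events in text; blank and non-JSON lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if obj.get("kind") == "Event" and isinstance(obj.get("user"), dict):
            events.append(obj)
    return events


def summarize_identities(events):
    """Per username: request count plus the verbs, groups and user agents observed."""
    summary = defaultdict(lambda: {"requests": 0, "verbs": set(), "groups": set(), "agents": set()})
    for ev in events:
        user = ev["user"]
        entry = summary[user.get("username", "<anonymous>")]
        entry["requests"] += 1
        entry["verbs"].add(ev.get("verb", ""))
        entry["groups"].update(user.get("groups", []))
        entry["agents"].add(ev.get("userAgent", ""))
    return dict(summary)


def embedded_controller_admin_use(events):
    """auditIDs of requests from an embedded k3s client under any identity but the supervisor.

    A non-empty result means some embedded component still authenticates with other
    (e.g. admin) credentials, which is what this issue set out to rule out.
    """
    return [
        ev.get("auditID", "")
        for ev in events
        if EMBEDDED_AGENT_MARKER in ev.get("userAgent", "")
        and ev["user"].get("username") != SUPERVISOR_USER
    ]


def supervisor_is_cluster_admin(events):
    """True if any supervisor request carried the system:masters group."""
    return any(
        ev["user"].get("username") == SUPERVISOR_USER
        and "system:masters" in ev["user"].get("groups", [])
        for ev in events
    )


if __name__ == "__main__":
    # Usage: python3 audit_identities.py /var/lib/rancher/k3s/server/logs/audit.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    evs = parse_audit_log(text)
    for name, info in sorted(summarize_identities(evs).items()):
        print(f"{name}: {info['requests']} requests, verbs={sorted(info['verbs'])}, "
              f"groups={sorted(info['groups'])}, agents={sorted(info['agents'])}")
    print("embedded clients not using the supervisor identity:", embedded_controller_admin_use(evs))
    print("supervisor is in system:masters:", supervisor_is_cluster_admin(evs))
```

The audit line in the comment shows the supervisor identity still carrying the system:masters group, so a clean result from `embedded_controller_admin_use` confirms that the controllers are distinguishable from the admin in the audit trail, not that their privileges were reduced; `supervisor_is_cluster_admin` makes that second point explicit.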

github-project-automation bot moved this from To Test to Done in K3s Development, Jun 15, 2023