Protect the Kubelet API #208
Conversation
Setting required to prevent: https://github.com/kayrus/kubelet-exploit
|
@bgeesaman Does this break the tutorial? |
|
Ah, you're correct. It does break exec/attach/proxy requests from the API server to the Kubelet. More adjustments are needed. |
|
This should do it, but I still need to do a full run-through to verify every detail. |
|
@kelseyhightower I created a cluster role according to https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ and a cluster role binding for the CN Also, I moved the I've gone through the tutorial start to finish with these settings successfully. |
| @@ -79,7 +79,7 @@ ExecStart=/usr/local/bin/kube-apiserver \\ | |||
| --etcd-servers=https://10.240.0.10:2379,https://10.240.0.11:2379,https://10.240.0.12:2379 \\ | |||
| --event-ttl=1h \\ | |||
| --experimental-encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml \\ | |||
| --insecure-bind-address=0.0.0.0 \\ | |||
| --insecure-bind-address=127.0.0.1 \\ | |||
There was a problem hiding this comment.
Since the secure port is already listening, this is just used for the locally running control plane services.
| @@ -118,7 +118,7 @@ ExecStart=/usr/local/bin/kube-controller-manager \\ | |||
| --cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\ | |||
| --cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \\ | |||
| --leader-elect=true \\ | |||
| --master=http://${INTERNAL_IP}:8080 \\ | |||
| --master=http://127.0.0.1:8080 \\ | |||
There was a problem hiding this comment.
Modify to look locally instead of on the INTERNAL_IP.
| @@ -144,7 +144,7 @@ Documentation=https://github.com/GoogleCloudPlatform/kubernetes | |||
| [Service] | |||
| ExecStart=/usr/local/bin/kube-scheduler \\ | |||
| --leader-elect=true \\ | |||
| --master=http://${INTERNAL_IP}:8080 \\ | |||
| --master=http://127.0.0.1:8080 \\ | |||
There was a problem hiding this comment.
Modify to look locally instead of on the INTERNAL_IP.
| @@ -185,6 +185,8 @@ Requires=crio.service | |||
|
|
|||
| [Service] | |||
| ExecStart=/usr/local/bin/kubelet \\ | |||
| --anonymous-auth=false \\ | |||
There was a problem hiding this comment.
Do not automatically consider clients to the Kubelet as system:anonymous in case someone unknowingly makes the system:anonymous role have actual permissions.
| @@ -185,6 +185,8 @@ Requires=crio.service | |||
|
|
|||
| [Service] | |||
| ExecStart=/usr/local/bin/kubelet \\ | |||
| --anonymous-auth=false \\ | |||
| --authorization-mode=Webhook \\ | |||
There was a problem hiding this comment.
Ask the API server via the SubjectAccessReview mechanism if the subject is allowed to access the Kubelet API for a given resource and verb.
| @@ -199,6 +201,7 @@ ExecStart=/usr/local/bin/kubelet \\ | |||
| --register-node=true \\ | |||
| --require-kubeconfig \\ | |||
| --runtime-request-timeout=10m \\ | |||
| --client-ca-file=/var/lib/kubernetes/ca.pem \\ | |||
There was a problem hiding this comment.
Give the kubelet the ability to validate certificates against the CA to know the subject to send for SubjectAccessReview.
|
I'll give this a run through soon and apply the changes. Thanks for putting this together. |
|
I've fixed this on master. I go into a little more detail on why this is required as well. Thanks for reporting this and the PR. |
|
👍 Glad you found it useful |
Setting required to prevent: https://github.com/kayrus/kubelet-exploit