-
Notifications
You must be signed in to change notification settings - Fork 717
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
use signed kubelet serving certificates #1223
Comments
@raravena80 I'm not aware of any certificate created by kubeadm under |
@fabriziopandini I'm not entirely sure if the certs are created by the kubeadm, but the general procedure is described here. This is what the content of the directory looks like:
Are they |
@raravena80 thanks for the clarification Only one side note (might be it can help) |
/assign @liztio |
I think this is to pre-generate kubelet's server certs. I tinkered with trying to use the Kubelet flags for TLS server bootstrap and rotate server certs, unfortunately I could not get Kubelet to request a server cert for itself using the bootstrap token. Kubelet ends up falling back to its default behavior for server certs, which is to generate a self-signed one. To the best of my knowledge, right now the only way around that is to generate Kubelet's server certs out-of-band and place them at a deterministic path and kubelet (configured by kubeadm) will pick it up, and set some kubelet flags accordingly; reference: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#client-and-serving-certificates The
It's the kubelet's identity as a server being presented that needs to be signed by the k8s CA, which comes around to the original question. There's also some relevant discussion at the end of this thread: #118 I think kubeadm may have to add a CSR approver for server cert requests with a valid bootstrap token, just like it does for client cert requests? |
What about having the kubelet upload its self signed ca to a configmap somewhere? the nodeadmission plugin could restrict it to just its own configmap. metrics-server can use it to contact the node. |
Any ideas about that? |
If possible, I think we should use the TLS bootstrapping facilities built into the kubelet for requesting/rotating serving certificates. |
@alexbrand I agree on that |
kubelet TLS bootstrapping only generates client certificates for whatever reason: And kubeadm already does this. Perhaps this is a kubelet feature request? |
/lifecycle frozen it's frozen so that the bots don't close the issue. |
in theory and unless the kubelet validates them - e.g. "client cert must not have SANs".
it is the common practice to use them separate even in cases where it seems avoidable. it's unlikely that the kubelet/auth{z|n} maintainers would change this detail. |
Hey. Did a little more diggin. Kubelet configuration option Setting both Should kubeadm at enable the serverTLSBootstrap configuration option at least so Approving the server certificate would be an easy thing to do? Or even kubeadm could do the approval too? |
Not sure the security implementations but you can combine |
kubeadm cannot do the approval because kubeadm is not a daemon. it has to deploy a controller / operator that manages that for the user. maybe in the future. the certificates API should go GA soon and hopefully we are going to have a better way to manage this in k8s. please watch: we also have alternatives ideas. but if all this is trying to solve the metric-server issue, you might as well just use https://github.com/brancz/kube-rbac-proxy that can perform SAR on the MS requests to the kubelet . sadly this is not yet documented on our side: |
@neolit123 I at least started looking into it when trying to stand up metrics server on kubeadm and "the hard way" clusters for learning experience. Easiest way there was of course to flag MS with For now it's easy enough for me to add the I'll follow along the enhancements issue too. Thanks. |
That's really sad that with kubeadm which seems mature enough the out of the box result for kubeletet cert is to be self signed & many people choose |
it's a complicated problem. please try: |
Actually https://github.com/kontena/kubelet-rubber-stamp works pretty good & imo seems to be a more correct solution instead of proxy. Step 1: Step 2:
Step 3: Result:
|
Hey, just to add to that @vainkop apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
...
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
serverTLSBootstrap: true
Then all kubelet's will automatically be set up using the To get the CSRs
Then either approve them manually or deploy https://github.com/kontena/kubelet-rubber-stamp which approves them automatically. I just tried it with kubelet-rubber-stamp and it works great. Also I did not seem to need to restart the kubelet's this way, they picked up their certificates as soon as I approvde the CSR, but a caveat is that the kublet's have NO cert until the CSR is approved, it does not get a self signed certificate first.
Another strange thing seems to happen here btw, which is that the master node seems to create it’s CSR twice. (At least the two times I tried this) But as @nijave says in a comment above, I'm not sure what the security implications of using the rubber-stamper are. |
@allir, @vainkop as far is i can see the kubelet-rubber-stamp does only verify if the common name of the CSR matches the requester name but does not verify whether the additional hostnames and IP Addresses requested by the kubelet are valid. This means an attacker that has access to the kubelet client certificate can create certificates for basically any domain name or IP address. All clients that are configured to trust the root CA will then accept this certificate. |
Or for an existing K8s setup using Ansible it can be:
+restart kubelets |
Wow I'm so glad that I found this issue, and I'm not alone who wants to make this proper way. :) Now let me share my thoughts on this issue (please correct me if I'm somewhere wrong): First my vision of the original problem: Possible risks of using Little observation: Possible solution: For example:
To me it is pretty obvious that each node resource should have similar spec:
caBundle: <ca-hash> Both metris-server and kube-apiserver should use these certificates to verify and trust the connection to the kubelets. thanks to @kfox1111 who expressed a similar idea previously #1223 (comment) |
To answer this question I can quote @luxas here:
from #118 (comment) |
hope it can be resolved some day
|
No news from this issue? I would be interested to have a solution for this as well. |
we are documenting workarounds here: we can keep this issue open, but due to the complexities of requiring to deploy a signer with kubeadm by default, it's unlikely that we are going to make this change anytime soon. |
This would mean keeping track of the previous state. Maybe it can work. You
can talk with the maintainers about this idea in #sig-auth on k8s slack.
…On Oct 6, 2021 12:08, "DrmagicE" ***@***.***> wrote:
How about make the kube-controller can auto-approve those CSRs that are
not changing anything or not changing some sensitive field such as IP
address, DNS name, common name, organization etc.?
I think in most cases, we just want to renew the certificate without any
changes. It would be nice if the kube-controller can auto-approve those
CSRs.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1223 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AACRATDGFQUXQWCV4XE2HIDUFQGZPANCNFSM4GCXG3JQ>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
Can someone comment on what are possible consequences if we would use It would help us to understand possible risks and decide if enabling this configuration is somewhat better than running metrics-server with |
Some kind of integration with spire would be interesting. There is a systemd workload attestor now, so targeting a cert to a kubelet via systemd kubelet service would be much easier to do now. |
I also faced the insecure kubelet server certs and went down the same path as most of the comments here. Setting I first thought you could set up a auto approver via kube-controller with the the needed RBAC permissions but the kube controller will nver auto approve the kubelet server certs, just client configurations. Having an optional (opt-in) aption to also allow auto approve for kubelet server certs might me another option to avoid people using |
There are 3rd party options like https://github.com/postfinance/kubelet-csr-approver |
Is this a BUG REPORT or FEATURE REQUEST?
/kind bug
Opening the
kubeadm
side for this issue on the metrics-serverVersions
Environment:
kubectl version
):Any
Any
uname -a
):What happened?
kubeadm creates certs under
/var/lib/kubelet/pki/kubelet.*
signed with a different CA from the one under/etc/kubernetes/pki/ca.pem
What you expected to happen?
As a result some apps like the metrics-server cannot collect stats from a secured kubelet because the kubelet has certs signed by a different ca from the K8s master(s)
Error sample:
How to reproduce it (as minimally and precisely as possible)?
Install the metrics-server on run:
$ kubectl -n kube-system logs
Anything else we need to know?
Some more background here
There also steps in there that I followed to fix the issue.
edit: neolit123
the problem here is that the serving cert is self-signed by default:
see kubernetes/website#27071 for documentation update.
The text was updated successfully, but these errors were encountered: