k8s_fedora: Protect kubelet

Bug #1758672 reported by Spyros Trigazis on 2018-03-25
This bug affects 3 people
Affects   Status                    Importance   Assigned to       Milestone
Magnum    Status tracked in Rocky
  Ocata   In Progress               Critical     Spyros Trigazis
  Pike    In Progress               Critical     Spyros Trigazis
  Queens  Fix Committed             Critical     Spyros Trigazis
  Rocky   Fix Released              Critical     Spyros Trigazis

Bug Description

In Kubernetes, the kubelet listens on 10250 and allows anonymous auth by default.

We need to:
* disable anonymous auth
* enable webhook auth with certs and with token for service accounts that have the proper roles.
* https://kubernetes.io/docs/admin/kubelet-authentication-authorization/

For an even more secure configuration we can:
* close cadvisor port
* close read-only-port

Only the healthz port of kube-proxy (10256) will be open on worker nodes.

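The items in the description map onto a handful of kubelet flags: --anonymous-auth=false, --authorization-mode=Webhook (plus --client-ca-file and --authentication-token-webhook so that certificates and service-account tokens can actually authenticate), --read-only-port=0, --cadvisor-port=0 and an --address that is the node's internal IP rather than 0.0.0.0. The following audit script is an added example, not Magnum's code: it parses a kubelet command line (as found in `ps` output or a systemd unit) and reports which of those settings are still at the insecure default. Flag names and defaults are those of the kubelet around v1.9/v1.10 (the era of this bug; --cadvisor-port was removed in later releases); the two sample command lines and the certificate paths in them are constructed for illustration.

```python
"""Audit a kubelet command line for the hardening items in bug #1758672.

Added example, not part of Magnum. Flag names/defaults follow the kubelet of
the v1.9/v1.10 era; sample command lines below are constructed.
"""
import shlex

# Kubelet defaults for the flags this bug is about (assumed: kubelet ~v1.9/v1.10).
DEFAULTS = {
    "anonymous-auth": "true",
    "authorization-mode": "AlwaysAllow",
    "authentication-token-webhook": "false",
    "client-ca-file": "",
    "read-only-port": "10255",
    "cadvisor-port": "4194",
    "address": "0.0.0.0",
}

# Go pflag booleans: a value is only accepted as --flag=value. A bare --flag
# means true, and "--anonymous-auth false" does NOT disable anonymous auth
# (the "false" becomes an ignored positional). The parser mirrors that.
BOOL_FLAGS = {"anonymous-auth", "authentication-token-webhook"}


def parse_flags(cmdline):
    """Return {flag: value} for the --flags on a kubelet command line.

    Handles --flag=value, --flag value (non-boolean flags only) and bare
    boolean --flag. A later occurrence overrides an earlier one.
    """
    argv = shlex.split(cmdline)
    flags = {}
    i = 1  # argv[0] is the kubelet binary
    while i < len(argv):
        tok = argv[i]
        i += 1
        if not tok.startswith("--"):
            continue  # positional or stray token; the kubelet ignores it
        name = tok[2:]
        if "=" in name:
            name, value = name.split("=", 1)
        elif name in BOOL_FLAGS:
            value = "true"
        elif i < len(argv) and not argv[i].startswith("--"):
            value = argv[i]
            i += 1
        else:
            value = ""
        flags[name] = value
    return flags


def effective(flags, name):
    """Value the kubelet will actually use: explicit flag or its default."""
    return flags.get(name, DEFAULTS[name])


def audit_kubelet(cmdline):
    """Return a list of findings; an empty list means every item is hardened."""
    f = parse_flags(cmdline)
    findings = []
    if effective(f, "anonymous-auth").lower() != "false":
        findings.append("anonymous-auth enabled: unauthenticated clients reach 10250")
    if effective(f, "authorization-mode") != "Webhook":
        findings.append("authorization-mode is not Webhook: any authenticated caller is allowed")
    if not effective(f, "client-ca-file"):
        findings.append("client-ca-file unset: x509 client auth (apiserver, heapster) impossible")
    if effective(f, "authentication-token-webhook").lower() != "true":
        findings.append("authentication-token-webhook disabled: service-account tokens rejected")
    if effective(f, "read-only-port") != "0":
        findings.append("read-only-port %s open: unauthenticated /pods and /metrics"
                        % effective(f, "read-only-port"))
    if effective(f, "cadvisor-port") != "0":
        findings.append("cadvisor-port %s open: unauthenticated container stats"
                        % effective(f, "cadvisor-port"))
    if effective(f, "address") in ("0.0.0.0", "::"):
        findings.append("address binds all interfaces: kubelet reachable on the external IP")
    return findings


# Constructed sample command lines (paths and IP are hypothetical).
WEAK_CMDLINE = ("/usr/bin/kubelet --kubeconfig=/etc/kubernetes/kubelet-kubeconfig "
                "--cluster-dns=10.254.0.10")
HARDENED_CMDLINE = (
    "/usr/bin/kubelet --kubeconfig=/etc/kubernetes/kubelet-kubeconfig "
    "--anonymous-auth=false --authorization-mode=Webhook "
    "--authentication-token-webhook --client-ca-file=/etc/kubernetes/certs/ca.crt "
    "--tls-cert-file=/etc/kubernetes/certs/kubelet.crt "
    "--tls-private-key-file=/etc/kubernetes/certs/kubelet.key "
    "--read-only-port=0 --cadvisor-port=0 --address=10.0.0.5")

if __name__ == "__main__":
    for label, cmd in (("weak", WEAK_CMDLINE), ("hardened", HARDENED_CMDLINE)):
        print(label, audit_kubelet(cmd) or "OK")
```

On a live node the same items can be confirmed from outside: with anonymous auth disabled, `curl -sk https://<node>:10250/pods` answers 401 Unauthorized instead of a pod list, and connections to 10255 and 4194 are refused once the read-only and cAdvisor ports are set to 0. Note that the webhook authorization mode makes the kubelet ask the API server for a SubjectAccessReview on every request, so the API server itself must be able to reach the kubelet with a client certificate (the "update api config to access kubelet over https" item in the fix) and any in-cluster consumer such as heapster needs RBAC rules on the nodes resource.
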
description: updated
Changed in magnum:
assignee: nobody → Spyros Trigazis (strigazi)
importance: Undecided → Critical

Reviewed: https://review.openstack.org/556213
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=205e8adafaf883e6dc81177eee3fa08d12b26f77
Submitter: Zuul
Branch: master

commit 205e8adafaf883e6dc81177eee3fa08d12b26f77
Author: Spyros Trigazis <email address hidden>
Date: Sun Mar 25 14:47:37 2018 +0000

    k8s_fedora: Add kubelet authentication/authorization

    * disable kubelet anonymous-auth
    * enable kubelet webhook-(token) authorization
    * disable kubelet cadvisor and read-only ports
    * listen kubelet only on internal ipv4 ip
    * update kubelet certs
    * Update heapster RBAC to access kubelets
    * update api config to access kubelet over https

    Closes-Bug: #1758672
    Change-Id: I2c6046ce5921a63a2d56f51435433497b1ff30ba

Changed in magnum:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/556214
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=dba9203f6a62a32c24a6540ae37fcd5814b11b4a
Submitter: Zuul
Branch: stable/queens

commit dba9203f6a62a32c24a6540ae37fcd5814b11b4a
Author: Spyros Trigazis <email address hidden>
Date: Sun Mar 25 14:47:37 2018 +0000

    k8s_fedora: Add kubelet authentication/authorization

    * disable kubelet anonymous-auth
    * enable kubelet webhook-(token) authorization
    * disable kubelet cadvisor and read-only ports
    * listen kubelet only on internal ipv4 ip
    * update kubelet certs
    * Update heapster RBAC to access kubelets
    * update api config to access kubelet over https

    Closes-Bug: #1758672
    Change-Id: I2c6046ce5921a63a2d56f51435433497b1ff30ba

Mikhail Kebich (mkebich) wrote :

Hi Spyros Trigazis,

When do you plan to release a fix for the Pike and Ocata?

Thanks.

Mikhail Kebich (mkebich) wrote :

Initially we got a report about the issue from the HackerOne user https://hackerone.com/kasser. He participated in the Mail.Ru Bug Bounty Program: https://hackerone.com/mailru. Then our employee Sergey (sfilatov) reported the problem in the Magnum IRC channel.

This issue was fixed in the openstack/magnum 6.1.1 release.

This issue was fixed in the openstack/magnum 7.0.0 release.
