k8s_fedora: Protect kubelet

Bug #1758672 reported by Spyros Trigazis
This bug affects 3 people
Affects   Status                   Importance   Assigned to       Milestone
Magnum    Status tracked in Rocky
  Ocata   In Progress              Critical     Spyros Trigazis
  Pike    In Progress              Critical     Spyros Trigazis
  Queens  Fix Committed            Critical     Spyros Trigazis
  Rocky   Fix Released             Critical     Spyros Trigazis

Bug Description

In Kubernetes, the kubelet listens on 10250 and allows anonymous auth by default.

We need to:
* disable anonymous auth
* enable webhook auth with certs and with token for service accounts that have the proper roles.
* https://kubernetes.io/docs/admin/kubelet-authentication-authorization/

For an even more secure configuration we can:
* close cadvisor port
* close read-only-port

Only the healthz port of kube-proxy will be open on worker nodes (10256).
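The steps above are all kubelet command-line settings, and the quickest way to tell whether a node has them is to read the running kubelet's argv. The audit below is an added example for this page, not code from the Magnum change: it parses a kubelet command line (for instance the output of `ps -o args= -C kubelet`, or ExecStart from the systemd unit) and reports which of the settings in the list are still at their insecure value. The flag names are the real kubelet flags of the era this report targets; the fallback defaults, the certificate paths and the node IP in the two sample command lines are assumptions made for illustration.

```python
"""Audit a kubelet command line for the hardening this report asks for.

Added example for this page, not part of the Magnum change. Given the kubelet
argv it reports which of the settings in the bug description are still
insecure. Flag names are real kubelet flags; DEFAULTS, the cert paths and the
IP in the sample command lines are assumptions for illustration.
"""
import shlex

# Values the kubelet of this era fell back to when the flag was absent
# (assumed here; check `kubelet --help` on the version you actually run).
DEFAULTS = {
    "anonymous-auth": "true",
    "authorization-mode": "AlwaysAllow",
    "authentication-token-webhook": "false",
    "read-only-port": "10255",
    "cadvisor-port": "4194",
    "address": "0.0.0.0",
}


def parse_flags(cmdline):
    """Return {flag: value} for both `--flag=value` and `--flag value`.

    A `--flag` followed by another option (or nothing) is a bare boolean and
    is recorded as "true", which is how the kubelet treats it.
    """
    args = shlex.split(cmdline)
    flags = {}
    i = 0
    while i < len(args):
        arg = args[i]
        if arg.startswith("--"):
            key, sep, val = arg[2:].partition("=")
            if not sep:
                if i + 1 < len(args) and not args[i + 1].startswith("-"):
                    val = args[i + 1]
                    i += 1
                else:
                    val = "true"
            flags[key] = val
        i += 1
    return flags


def audit_kubelet(cmdline):
    """Return a list of findings; an empty list means every check passed."""
    flags = parse_flags(cmdline)

    def effective(name):
        return flags.get(name, DEFAULTS.get(name))

    findings = []
    if effective("anonymous-auth") != "false":
        findings.append("anonymous-auth: requests with no credentials are "
                        "accepted on 10250 (set --anonymous-auth=false)")
    if effective("authorization-mode") != "Webhook":
        findings.append("authorization-mode: kubelet does not ask the API "
                        "server (SubjectAccessReview) who may call it "
                        "(set --authorization-mode=Webhook)")
    if effective("authentication-token-webhook") != "true":
        findings.append("authentication-token-webhook: service-account "
                        "tokens are not verified with the API server "
                        "(set --authentication-token-webhook=true)")
    if "client-ca-file" not in flags:
        findings.append("client-ca-file: no CA to verify client certs, so "
                        "cert auth for the API server and heapster cannot work")
    if effective("read-only-port") != "0":
        findings.append("read-only-port: unauthenticated read-only API "
                        "still served (set --read-only-port=0)")
    if effective("cadvisor-port") != "0":
        findings.append("cadvisor-port: cAdvisor UI/API still exposed "
                        "(set --cadvisor-port=0; later kubelets drop the flag)")
    if effective("address") in ("0.0.0.0", "::"):
        findings.append("address: kubelet bound on all interfaces "
                        "(bind --address to the node's internal IP)")
    return findings


# Constructed sample command lines (paths and IP are illustrative).
INSECURE = "kubelet --pod-manifest-path=/etc/kubernetes/manifests --address=0.0.0.0"

HARDENED = (
    "kubelet --pod-manifest-path=/etc/kubernetes/manifests"
    " --anonymous-auth=false"
    " --authorization-mode=Webhook"
    " --authentication-token-webhook=true"
    " --client-ca-file=/etc/kubernetes/certs/ca.crt"
    " --tls-cert-file=/etc/kubernetes/certs/kubelet.crt"
    " --tls-private-key-file=/etc/kubernetes/certs/kubelet.key"
    " --read-only-port=0"
    " --cadvisor-port=0"
    " --address=10.0.0.5"
)

if __name__ == "__main__":
    for name, cmd in (("insecure", INSECURE), ("hardened", HARDENED)):
        print(name, "->", audit_kubelet(cmd) or ["ok"])
```

With Webhook authorization the kubelet forwards each request's identity to the API server as a SubjectAccessReview, so the checks only hold together if the other side is configured too: the API server has to present a client certificate signed by the CA given in --client-ca-file (its --kubelet-client-certificate and --kubelet-client-key), and anything that scrapes the kubelet, such as heapster, needs an RBAC role on the nodes/proxy, nodes/stats and related resources. Run the script against the argv of each node after the change and expect an empty list; a non-empty list on a node that was supposedly upgraded usually means the systemd drop-in was not applied.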

description: updated
Changed in magnum:
assignee: nobody → Spyros Trigazis (strigazi)
importance: Undecided → Critical
OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/556213

OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/556214

OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (master)

Reviewed: https://review.openstack.org/556213
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=205e8adafaf883e6dc81177eee3fa08d12b26f77
Submitter: Zuul
Branch: master

commit 205e8adafaf883e6dc81177eee3fa08d12b26f77
Author: Spyros Trigazis <email address hidden>
Date: Sun Mar 25 14:47:37 2018 +0000

    k8s_fedora: Add kubelet authentication/authorization

    * disable kubelet anonymous-auth
    * enable kubelet webhook-(token) authorization
    * disable kubelet cadvisor and read-only ports
    * listen kubelet only on internal ipv4 ip
    * update kubelet certs
    * Update heapster RBAC to access kubelets
    * update api config to access kubelet over https

    Closes-Bug: #1758672
    Change-Id: I2c6046ce5921a63a2d56f51435433497b1ff30ba

Changed in magnum:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (stable/queens)

Reviewed: https://review.openstack.org/556214
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=dba9203f6a62a32c24a6540ae37fcd5814b11b4a
Submitter: Zuul
Branch: stable/queens

commit dba9203f6a62a32c24a6540ae37fcd5814b11b4a
Author: Spyros Trigazis <email address hidden>
Date: Sun Mar 25 14:47:37 2018 +0000

    k8s_fedora: Add kubelet authentication/authorization

    * disable kubelet anonymous-auth
    * enable kubelet webhook-(token) authorization
    * disable kubelet cadvisor and read-only ports
    * listen kubelet only on internal ipv4 ip
    * update kubelet certs
    * Update heapster RBAC to access kubelets
    * update api config to access kubelet over https

    Closes-Bug: #1758672
    Change-Id: I2c6046ce5921a63a2d56f51435433497b1ff30ba

Mikhail Kebich (mkebich-deactivatedaccount) wrote :

Hi Spyros Trigazis,

When do you plan to release a fix for Pike and Ocata?

Thanks.

Mikhail Kebich (mkebich-deactivatedaccount) wrote :

Initially we got a report about the issue from the HackerOne user https://hackerone.com/kasser. He participated in the Mail.Ru Bug Bounty Program: https://hackerone.com/mailru. Then our employee Sergey (sfilatov) reported the problem in the Magnum IRC channel.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 6.1.1

This issue was fixed in the openstack/magnum 6.1.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 7.0.0

This issue was fixed in the openstack/magnum 7.0.0 release.
