Magnum

k8s_fedora: Protect kubelet

Series pike
Bug #1758672

Bug #1758672 reported by Spyros Trigazis on 2018-03-25

This bug affects 3 people

	Status	Importance	Assigned to
Magnum	Status tracked in Rocky
Ocata	In Progress	Critical	Spyros Trigazis
Pike	In Progress	Critical	Spyros Trigazis
Queens	Fix Committed	Critical	Spyros Trigazis
Rocky	Fix Released	Critical	Spyros Trigazis

Bug Description

In kubernetes kubelet listens to 10250 and allows anonymous auth by default.

We need to:
* disable anonymous auth
* enable webhook auth with certs and with token for service accounts that have the proper roles.
* https://kubernetes.io/docs/admin/kubelet-authentication-authorization/

For an even more secure configuration we can:
* close cadvisor port
* close read-only-port

Only the healthz port of kube-proxy will be open in worker nodes (10256).

See original description

Spyros Trigazis (strigazi) on 2018-03-25

description:	updated
Changed in magnum:
assignee:	nobody → Spyros Trigazis (strigazi)
importance:	Undecided → Critical

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-03-25: Fix proposed to magnum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/556213

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-03-25: Fix proposed to magnum (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/556214

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-03-30: Fix merged to magnum (master)

Reviewed: https://review.openstack.org/556213
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=205e8adafaf883e6dc81177eee3fa08d12b26f77
Submitter: Zuul
Branch: master

commit 205e8adafaf883e6dc81177eee3fa08d12b26f77
Author: Spyros Trigazis <email address hidden>
Date: Sun Mar 25 14:47:37 2018 +0000

k8s_fedora: Add kubelet authentication/authorization

    * disable kubelet anonymous-auth
    * enable kubelet webhook-(token) authorization
    * disable kubelet cadvisor and read-only ports
    * listen kubelet only on internal ipv4 ip
    * update kubelet certs
    * Update heapster RBAC to access kubelets
    * update api config to access kubelet over https

Closes-Bug: #1758672
Change-Id: I2c6046ce5921a63a2d56f51435433497b1ff30ba

Changed in magnum:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-03-30: Fix merged to magnum (stable/queens)

Reviewed: https://review.openstack.org/556214
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=dba9203f6a62a32c24a6540ae37fcd5814b11b4a
Submitter: Zuul
Branch: stable/queens

commit dba9203f6a62a32c24a6540ae37fcd5814b11b4a
Author: Spyros Trigazis <email address hidden>
Date: Sun Mar 25 14:47:37 2018 +0000

k8s_fedora: Add kubelet authentication/authorization

Closes-Bug: #1758672
Change-Id: I2c6046ce5921a63a2d56f51435433497b1ff30ba

Revision history for this message

Mikhail Kebich (mkebich-deactivatedaccount) wrote on 2018-04-09:

Hi Spyros Trigazis,

When do you plan to release a fix for the Pike and Ocata?

Thanks.

Revision history for this message

Mikhail Kebich (mkebich-deactivatedaccount) wrote on 2018-04-11:

Initially we got a report about the issue from the hackerone user https://hackerone.com/kasser. He participated in the Mail.Ru Bug Bounty Program: https://hackerone.com/mailru. Then our employee Sergey (sfilatov) has reported the problem in the Magnum IRC channel.