kubeadm: Improve the kubelet default configuration security-wise #64187
Conversation
k8s-ci-robot
added
release-note-action-required
|
/retest |
|
|
||
| // Disable the readonly port of the kubelet, in order to not expose unnecessary information | ||
| // TODO: Enable in a future PR | ||
| // obj.KubeletConfiguration.BaseConfig.ReadOnlyPort = 0 | ||
| obj.KubeletConfiguration.BaseConfig.ReadOnlyPort = 0 |
There was a problem hiding this comment.
Note that ReadOnlyPort is already 0 by default when you load a config from a file, or use dynamic config.
Similar for a few others too, like Webhook auth. The v1beta1 defaulter is the canonical source of defaults, and we maintain the old defaults for flags via applyLegacyDefaults in cmd/kubelet/app/options/options.go.
So if you're just generating the default Kubelet config, then you'll get the file/dynamic config defaults if you do it like NewKubeletConfiguration in options.go.
Ah, noticed above you're doing this:
if obj.KubeletConfiguration.BaseConfig == nil {
obj.KubeletConfiguration.BaseConfig = &kubeletconfigv1beta1.KubeletConfiguration{}
}
You might want to run it through the defaulter, like NewKubeletConfiguration in options.go.
There was a problem hiding this comment.
We do run these through the defaulter, see later down the func where we construct the scheme.
But I like to enforce this here as well (double-checking basically to be safe), and be explicit with what we require. Does that make sense? Yeah I saw these are way more secure by default when not using the flags 👍
There was a problem hiding this comment.
Yup, that's totally reasonable.
luxas
force-pushed
the
kubeadm_kubelet_improve_security
branch
from
d80fc95
to
935835b
Compare
|
/retest |
| obj.KubeletConfiguration.BaseConfig.ReadOnlyPort = 0 | ||
|
|
||
| // Enables client certificate rotation for the kubelet | ||
| obj.KubeletConfiguration.BaseConfig.RotateCertificates = true |
There was a problem hiding this comment.
For my own edification what's the default policy for kubelet cert rotation?
There was a problem hiding this comment.
false, don't rotate an expired cert. It's beta, not GA yet. kubernetes/enhancements#266
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: luxas, timothysc The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest Review the full test history for this PR. Silence the bot with an |
luxas
force-pushed
the
kubeadm_kubelet_improve_security
branch
from
935835b
to
efc4089
Compare
k8s-ci-robot
removed
the
lgtm
|
New changes are detected. LGTM label has been removed. |
|
just fixed a fuzzing/roundtrip test |
luxas
added
the
lgtm
| @@ -79,6 +79,7 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} { | |||
| Enabled: utilpointer.BoolPtr(false), | |||
| }, | |||
| }, | |||
| RotateCertificates: true, | |||
There was a problem hiding this comment.
I'm confused by this function. It doesn't look like it's fuzzing anything, just hardcoding the values?
There was a problem hiding this comment.
I think it's making sure these values from the fuzzer / these defaults are preserved between conversions using the different API versions.
There was a problem hiding this comment.
I was looking at this a while back, and this overrides the default fuzzing for the attributes and hardcodes specific values. We should most likely only be setting values for attributes here if we need to handle cases where randomized fuzzing would generate invalid configs (attributes that are mutually exclusive, dependent on other attributes, etc).
There was a problem hiding this comment.
@detiber can you open an issue for improving that? I guess we're setting this for a bit too many items then...
|
|
||
| // Disable the readonly port of the kubelet, in order to not expose unnecessary information | ||
| // TODO: Enable in a future PR | ||
| // obj.KubeletConfiguration.BaseConfig.ReadOnlyPort = 0 | ||
| obj.KubeletConfiguration.BaseConfig.ReadOnlyPort = 0 |
There was a problem hiding this comment.
I assume you already configure heapster / metrics server to scrape from the 10255 port? (Can you point me to the config, to satisfy my curiosity?)
There was a problem hiding this comment.
We actually don't configure heapster / the metrics server in our default configs. We do the bare minimum needed for conformance which doesn't require that kind of monitoring at the moment.
|
/retest |
1 similar comment
|
/retest |
|
Automatic merge from submit-queue (batch tested with PRs 64174, 64187, 64216, 63265, 64223). If you want to cherry-pick this change to another branch, please follow the instructions here. |
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes kubernetes/kubeadm#732
Fixes kubernetes/kubeadm#650
Replaces #57997
Special notes for your reviewer:
In order to make sure this actually works, or that clusters actually are secure, we're adding e2e tests for this: kubernetes/kubeadm#838 & #64140
Depends on #63912
Release note:
@kubernetes/sig-cluster-lifecycle-pr-reviews
@kubernetes/sig-auth-pr-reviews FYI