New Docs page for API Server Bypass Risks #35908
Conversation
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
language/en
✅ Pull request preview available for checkingBuilt without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site settings. |
|
Most of the contents in this PR are valuable know-hows for cluster operators. However, I'm wondering whether/how these information can be combined with #33992 in which a checklist is being proposed. In other words, I'd like to propose an outline for security hardening, some can be concepts, others can be tasks. Once we kick both PRs in, we may need to re-organize the contents. So ... it would be desirable to have an upfront framework for these insights/recommendations. |
|
@tengqm Ultimately we could combine the longer form documents like this and the RBAC good practices guide into a full hardening guide that would then correlate to the checklist, but at the moment they're quite different documentation styles. We started a hardening guide idea, but I think the top-down approach looked a bit too daunting, so instead this is a more bottom-up approach of filling gaps in Kubernetes security knowledge for specific areas, that are not well served by other guides (e.g CIS benchmarks and the NSA Kubernetes hardening guide). |
|
I do understand where Qiming is coming from as well. It's good to have a plan or a larger "good" end state into which PRs that add value, like this one, feed so that we consolidate and focus our efforts. @tengqm do you know if we already have an umbrella type issue that tracks this type of work on hardening docs? If not I'll dig for it or make one |
|
@shannonxtreme There's an Issue and attached skeleton doc from last year here kubernetes/sig-security#30 FWIW I wouldn't really describe this page as a hardening guide though, it's more security architecture. Hardening guides tend to be focused on settings that can be changed in a product to improve security posture. This page isn't that, it's higher level about the security architecture choices made be Kubernetes that operators should be aware of, and some ideas to mitigate them, if it fits an organization's threat model. |
|
Yeah I wouldn't describe this as a hardening guide either. What I'd like to see as we build out our collection of docs like this is to some day have a top level page that acts as a one-step location that links you through each stage of the "Secure your cluster" journey. That page could have, for example, the "Discover" phase, linking to docs like the one in this PR, docs about the security measures built into k8s, etc. Then a "Harden your nodes" phase, with links to guides for taking hardening steps on nodes. So on and so forth. A reader could use it to wayfind the complex animal that is k8s |
|
@shannonxtreme It might be desirable to have such an umbrella issue as kubernetes security best practices. We can link to existing topics such authz&authn, RBAC, Pod Security Standard/Policy, or maybe even consolidate them to make the whole subject better organized than what we have today (https://kubernetes.io/docs/concepts/security/). My understanding is that, security, is a cross-cutting concern for all serious deployments. You don't care that much if you don't think it is an issue. But when you do care, you want to see a comprehensive list of topics in one place and then dive into a specific topic at will. |
|
@tengqm yes exactly. We want our readers to find these docs in a way that makes sense as they go through Kubernetes. My previous comment about a single page that logically consolidates and groups all our security topics across our docs would be a great way to improve the Security concept page I think. I'm not at my computer to open a tracking issue but if you do, please cc me as well |
|
/sig security |
k8s-ci-robot
added
sig/security
| mechanisms such as Linux kernel namespaces. | ||
| - Ensure that you restrict or forbid the use of [`hostPath` mounts](/docs/concepts/storage/volumes/#hostpath) | ||
| that include the container runtime socket. | ||
| - Restrict user access to nodes, and especially restrict superuser access to nodes. |
There was a problem hiding this comment.
Maybe a ## {% heading "whatsnext" %} with some useful next step links?
| title: Kubernetes API Server Bypass Risks | ||
| description: > | ||
| Security architecture information relating to the API server and other components | ||
| content_type: concept |
There was a problem hiding this comment.
nit: if you can explicitly define a weight here for ordering the pages, that would be nice
|
Thanks very much all, think I've got most of the formatting/wording changes sorted and I've squashed up the commits :) |
|
/assign @savitharaghunathan (I think this is the right process as we've got an LGTM now :) ) |
|
This PR doesn't yet have an LGTM @raesene (at least, not one that Prow counts). @shannonxtreme I'm guessing you were reviewing for SIG Docs, and now this should have a SIG Security technical review? |
|
@sftim ahh interesting, how do I tell which LGTMs count? |
|
Prow adds an LGTM label to the issue when it sees one that counts. |
|
overall, this is a positive addition that looks accurate... I noted a few things we might want to clarify and a couple things to expand on / correct |
|
@raesene I recommend that you rebase this against main; previews will work more quickly, and the deploy preview will be seen in a v1.25 context (Netlify doesn't do the merge for you when previewing). |
|
Updated to address feedback from the later reviews and re-squashed. |
New Docs page for API Server Bypass Risks This is a new documentation page for the Security Concepts section, looking at the risks of attackers bypassing the Kubernetes API server. We've been working on this in Kubernetes SIG-Security docs (issue [here](kubernetes/sig-security#42)) Co-Authored-By: Shannon Kularathna <[email protected]> Co-Authored-By: Qiming Teng <[email protected]> Co-Authored-By: Tim Bannister <[email protected]> Co-Authored-By: Jordan Liggitt <[email protected]>
There was a problem hiding this comment.
I really love this addition to the security doc, especially the static pod and kubelet thing that are as not as widely known as the rest. They were a bit in a "secret knowledge" state at the moment, only discussed in some issues or talks!
Thanks, @raesene for the work, this is well organized and pleasant to read! I would love to add a reference to it from the security checklist!
| authentication to that service. | ||
| - Control access to the private key for the etcd server certificate, and to the API server's | ||
| client certificate and key. | ||
| - Consider restricting access to the the etcd port at a network level, to only allow access |
There was a problem hiding this comment.
| - Consider restricting access to the the etcd port at a network level, to only allow access | |
| - Consider restricting access to the etcd port at a network level, to only allow access |
|
|
||
| If a static Pod fails admission control, the kubelet won't register the Pod with the | ||
| API server. However, the Pod still runs on the node. For more information, refer to | ||
| [kubeadm issue #1541](https://github.com/kubernetes/kubeadm/issues/1541#issuecomment-487331701)). |
There was a problem hiding this comment.
| [kubeadm issue #1541](https://github.com/kubernetes/kubeadm/issues/1541#issuecomment-487331701)). | |
| [kubeadm issue #1541](https://github.com/kubernetes/kubeadm/issues/1541#issuecomment-487331701). |
| access to this location could modify the configuration of static pods loaded from that | ||
| source, or could introduce new static Pods. | ||
|
|
||
| Static Pods are restricted from accessing other objects in the Kubernetes API . For example, |
There was a problem hiding this comment.
| Static Pods are restricted from accessing other objects in the Kubernetes API . For example, | |
| Static Pods are restricted from accessing other objects in the Kubernetes API. For example, |
| bypass controls that detect or prevent certain actions. | ||
|
|
||
| The kubelet API can be configured to authenticate requests in a number of ways. | ||
| By default, the kubelet configuration allows anonymous access. Most Kubernetes providers |
There was a problem hiding this comment.
From the kubelet doc we can find:
--anonymous-auth Default: true
Enables anonymous requests to the Kubelet server. Requests that are not rejected by another authentication method are treated as anonymous requests. Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See kubelet-config-file for more information.)
I remember reading that anonymous access is granted by default only with this deprecated flag but if you use the --config flag then the default is different. Have I dreamed it?
| ## The etcd API | ||
|
|
||
| Kubernetes clusters use etcd as a datastore. The `etcd` service listens on TCP port 2379. | ||
| the only clients that need access are the Kubernetes API server and any backup tooling |
There was a problem hiding this comment.
+1 to shannonxtreme comment for the uppercase.
| from specified and trusted IP address ranges. | ||
|
|
||
|
|
||
| ## Container runtime socket {#runtime-socket} |
There was a problem hiding this comment.
I would have put maybe this section near the static pods one because these are quite similar bypasses but I don't know if it's super relevant/important.
| take other security sensitive actions, such as using `hostPath` mounts from the underlying | ||
| node. |
There was a problem hiding this comment.
This feels reasonable until we have a page about managing risk associated with hostPath volumes.
|
I'd like to get a tech review from SIG Auth or SIG Security (or anyone else who's willing to state they've given this PR appropriate scrutiny). Even if there are nits, let's look to see if we can merge this as-is and then file issues about any remaining details. |
I left a tech review lgtm for sig-auth at #35908 (review), I don't think there's been significant changes since then |
|
Great - thanks @liggitt /lgtm /approve |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: e086206218b07456afbb08f4947e48b80b839658
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sftim, shannonxtreme The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
This is a new documentation page for the Security Concepts section, looking at the risks of attackers bypassing the Kubernetes API server.
We've been working on this in Kubernetes SIG-Security docs (issue here)
cc @savitharaghunathan @sftim