mirror of https://github.com/easzlab/kubeasz.git
28 lines
1.4 KiB
Markdown
28 lines
1.4 KiB
Markdown
|
# 修复kubelet默认允许匿名访问
|
|||
|
|
|
|||
|
|
kubelet默认启动参数`--anonymous-auth=true`风险非常大,黑客可以在集群中植入挖坑程序,甚至通过这个漏洞获取宿主系统root权限。
|
|||
|
|
感谢 `cqspirit` [PR #192](https://github.com/gjmzj/kubeasz/pull/192) 提醒
|
|||
|
|
|
|||
|
|
## 关于漏洞的危害
|
|||
|
|
|
|||
|
|
据我所知k8s v1.5+ 所有版本的kubelet组件的默认启动参数是允许匿名访问kubelet的(默认的大坑),你可以使用如下命令检查你的集群:
|
|||
|
|
`curl -sk https://$NODE_IP:10250/runningpods/`
|
|||
|
|
- 如果返回了运行的pod信息,说明是允许匿名访问的,
|
|||
|
|
- 如果返回`Unauthorized`,说明是安全的
|
|||
|
|
|
|||
|
|
部分关于该漏洞的讨论参考如下:
|
|||
|
|
- [Kubernetes-From-Container-To-Cluster](https://raesene.github.io/blog/2016/10/08/Kubernetes-From-Container-To-Cluster/)
|
|||
|
|
- [Analysis of a Kubernetes hack -- Backdooring through kubelet](https://www.reddit.com/r/netsec/comments/847994/analysis_of_a_kubernetes_hack_backdooring_through/)
|
|||
|
|
- [kubelet-exploit](https://github.com/kayrus/kubelet-exploit)
|
|||
|
|
|
|||
|
|
## 漏洞的修复
|
|||
|
|
|
|||
|
|
最新代码已经修复,参考[官方文档说明](https://kubernetes.io/docs/admin/kubelet-authentication-authorization/),已有集群可以登陆`deploy`节点操作如下:
|
|||
|
|
``` bash
|
|||
|
|
$ cd /etc/ansible
|
|||
|
|
$ git pull origin master
|
|||
|
|
$ ansible-playbook -t upgrade_k8s 04.kube-master.yml
|
|||
|
|
$ ansible-playbook -t upgrade_k8s 05.kube-node.yml
|
|||
|
|
```
|
|||
|
|
|