kubeasz/docs/mixes/01.fix_kubelet_annoymous_ac...

25 lines
1.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

# 修复kubelet默认允许匿名访问
kubelet默认启动参数`--anonymous-auth=true`风险非常大黑客可以在集群中植入挖坑程序甚至通过这个漏洞获取宿主系统root权限。感谢 `cqspirit` [PR #192](https://github.com/easzlab/kubeasz/pull/192) 提醒
## 关于漏洞的危害
据我所知k8s v1.5+ 所有版本的kubelet组件的默认启动参数是允许匿名访问kubelet的默认的大坑你可以使用如下命令检查你的集群
`curl -sk https://$NodeIP:10250/runningpods/`
- 如果返回了运行的pod信息说明是允许匿名访问的
- 如果返回`Unauthorized`,说明是安全的
部分关于该漏洞的讨论参考如下:
- [kubelet-exploit](https://github.com/kayrus/kubelet-exploit)
- [Kubernetes-From-Container-To-Cluster](https://raesene.github.io/blog/2016/10/08/Kubernetes-From-Container-To-Cluster/)
- [Analysis of a Kubernetes hack -- Backdooring through kubelet](https://www.reddit.com/r/netsec/comments/847994/analysis_of_a_kubernetes_hack_backdooring_through/)
## 漏洞的修复
最新代码已经修复,参考[官方文档说明](https://kubernetes.io/docs/admin/kubelet-authentication-authorization/)已有集群可以登录ansible控制端操作如下
``` bash
$ cd /etc/ansible
$ git pull origin master
$ ansible-playbook 22.upgrade.yml -t restart_master,restart_node
```