Remove access to cluster from anonymous users #11016
Conversation
k8s-ci-robot
added
kind/feature
|
Hi @nicolas-goudry. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
|
/hold |
k8s-ci-robot
added
the
do-not-merge/hold
|
Hi, thanks for your contribution! This looks great! The CI failure seems somewhat related though, so it seems to break a normal install right now :/. To accept this I would like to have one of the e2e scenario where this new feature would be enabled and that Also small nit but looking at the other variables they are all prefixed by |
I’ll take a look at this ASAP.
I’ll have to check how the e2e scenarios are handled, is there any documentation on this? I looked at the repository files and couldn’t find where the tests are located, would be great if you could point me toward them 🙂 As for enabling this option along with
Fair point, I’ll rename it to |
Sure, so the ansible variables are passed in
Ah! I assumed you were interested to allow disabling anonymous access entirely (fyi this option has been broken for years at this point). Not entirely sure about "only" removing |
Nice, I’ll give it a look.
Maybe this is the way to go. I mean: fixing the I’ll let you know how things go. |
|
Here are the detailed step I performed in order to be able to install a cluster with the The first issue was that upon cluster initialization, the secondary control plane nodes failed to join the cluster since Since the API server is not ready yet at this stage, we can’t rely on Then, another issue arose. This task tries to reach the Lastly, the files changed in this PR had to be tweaked a bit so that the remaining nodes could join the cluster using the file discovery join process. Since the API server is ready at this point, we can rely on The main issue now is that the API server can't probe itself since it’s trying to call itself on the You can see the involved changes here. IMO, having the possibility to somewhat “secure” the cluster by removing any clusterrole/role associated to anonymous users is at least a first (small) step in the right direction. WDYT? |
nicolas-goudry
force-pushed
the
add-optional-kubeadm-file-discovery
branch
from
ebfa2b1
to
1c2ee7d
Compare
Thanks you, it was very insightful 🙏. Now we now exactly why we can't support that as upstream said "you are on your own" 😅.
Sure, just a small followup question, is that all that is required to remove the clusterrole? Meaning that kubeadm won't create it with your patch as is, or do you need to create another task that does |
|
I didn’t find any way to prevent kubeadm from creating the role. AFAICT, it seems to be a “hardcoded” part of its workflow. Indeed, we would have to create another task to remove the role ourselves. I need to perform more tests in order to make sure that nothing would be broken by this (ie. scale, upgrade). If we decide to implement this, don’t you think we should have a more user-friendly option? Something like
|
Hmm I don't think it would be that meaningful to do one of those two things without the other so I guess that seems quite sensible, not sure about the naming though. it may depends in what role you would be doing this as well, let's see. Another option would be to have two variables and one of those two would default to the other one (i.e. |
nicolas-goudry
force-pushed
the
add-optional-kubeadm-file-discovery
branch
from
1c2ee7d
to
ca12384
Compare
|
I checked the
So I decided to implement this new feature by introducing a user-facing variable This variable controls the removal of the Since at this point anonymous users don’t have permission to read the I tested these changes by performing a cluster installation, followed by a graceful upgrade of said cluster as well as a scale up by adding a new node. Please let me know if you wish me to perform more tests. I also took the liberty to add a warning comment above the One thing to note is that currently the kubeconfig used for |
k8s-ci-robot
added
size/M
|
/unhold |
k8s-ci-robot
removed
the
do-not-merge/hold
nicolas-goudry
changed the title
k8s-ci-robot
added
the
do-not-merge/work-in-progress
Well the kubeconfig is taken from a cluster-info that was previously public and those same info would also exists on similar files in the config dir so I don't think it truly matter to remove it. Even removing it could cause harm to debugging sessions when one would like to launch kubeadm outside of kubespray. |
I’ll work on this tomorrow and remove the draft state once it’s done 🙂
Fair point! I’ll keep this as-is then. |
nicolas-goudry
force-pushed
the
add-optional-kubeadm-file-discovery
branch
from
cc08560
to
c8631e3
Compare
Yeah, I figured that, it needs a variable in order to be run, so I removed the option from this test.
Thanks for the details! In the end I enabled the option in three test cases:
If all tests pass, this should be ready for a last review 🙂 |
k8s-ci-robot
added
the
lgtm
|
Thanks @nicolas-goudry |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: MrFreezeex, mzaian, nicolas-goudry The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
@nicolas-goudry Can this be enabled by default? Or at least documented in |
|
Hi sathieu, I would leave like that but of course we need to add it to the |
* feat: add user facing variable with default * feat: remove rolebinding to anonymous users after init and upgrade * feat: use file discovery for secondary control plane nodes * feat: use file discovery for nodes * fix: do not fail if rolebinding does not exist * docs: add warning about kube_api_anonymous_auth * style: improve readability of delegate_to parameter * refactor: rename discovery kubeconfig file * test: enable new variable in hardening and upgrade test cases * docs: add option to config parameters * test: multiple instances and upgrade
* feat: add user facing variable with default * feat: remove rolebinding to anonymous users after init and upgrade * feat: use file discovery for secondary control plane nodes * feat: use file discovery for nodes * fix: do not fail if rolebinding does not exist * docs: add warning about kube_api_anonymous_auth * style: improve readability of delegate_to parameter * refactor: rename discovery kubeconfig file * test: enable new variable in hardening and upgrade test cases * docs: add option to config parameters * test: multiple instances and upgrade
* feat: add user facing variable with default * feat: remove rolebinding to anonymous users after init and upgrade * feat: use file discovery for secondary control plane nodes * feat: use file discovery for nodes * fix: do not fail if rolebinding does not exist * docs: add warning about kube_api_anonymous_auth * style: improve readability of delegate_to parameter * refactor: rename discovery kubeconfig file * test: enable new variable in hardening and upgrade test cases * docs: add option to config parameters * test: multiple instances and upgrade
* feat: add user facing variable with default * feat: remove rolebinding to anonymous users after init and upgrade * feat: use file discovery for secondary control plane nodes * feat: use file discovery for nodes * fix: do not fail if rolebinding does not exist * docs: add warning about kube_api_anonymous_auth * style: improve readability of delegate_to parameter * refactor: rename discovery kubeconfig file * test: enable new variable in hardening and upgrade test cases * docs: add option to config parameters * test: multiple instances and upgrade
What type of PR is this?
/kind feature
What this PR does / why we need it:
For context, the current way Kubespray is dealing with
kubeadmwhen adding a new node to the cluster is to rely on thecluster-infoconfigmap. While this is working fine, it requires a role bound to anonymous users. This is described in the official documentation.This PR adds an opt-in option
remove_anonymous_accessallowing users to get rid of the rolebinding linked to anonymous users, while ensuring kubeadm will continue to work fine by leveraging the file discovery feature.When this option is
true, the join process will not rely on reading thecluster-infoconfigmap as an anonymous user. Instead the configmap will be read from the first control plane node, stored in a variable and wrote on the target node. TheJoinConfigurationwill then use thediscovery.file.kubeConfigPathoption instead ofdiscovery.bootstrapToken.Which issue(s) this PR fixes:
None.
Special notes for your reviewer:
This is a proposal, please challenge it, as well as its implementation (which is very naive and surely error prone).
If this proposal is accepted, I’ll add the relevant documentation.
Does this PR introduce a user-facing change?: