
Harden exec requests against SSRF #1898

@tallclair

Description

Enhancement Description

  • One-line enhancement description (can be used as a release note): Harden exec requests against SSRF by preventing command modification through URL parameters and GET requests.
  • Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/1898-hardened-exec
  • Primary contact (assignee): @tallclair
  • Responsible SIGs: sig-node, sig-api-machinery
  • Enhancement target (which target equals which milestone):
    • Alpha release target: v1.20
    • Beta release target (x.y)
    • Stable release target (x.y)

Roadmap Summary:

  • v1.20
    • Update PodExecOptions with pod reference
    • Update Kubelet API (protected by DeprecatedKubeletStreamingAPI)
      • Remove the kubelet's /run and UID-specific endpoints
      • Require POST request for kubelet streaming endpoints
      • Require options in request body
    • Update kube-apiserver
      • Always use POST for streaming requests to Kubelet
      • Send options in request body (but also query params)
      • Require POST with request body for non-websocket exec requests, guarded by alpha HardenedExecRequests
    • Update clients to send exec POST requests with options in the body (and also in query params)
      • Go client (+kubectl?)
      • ...
    • Expand E2E test coverage - https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/1898-hardened-exec#test-plan
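
The roadmap above states the change at the protocol level: exec options move out of the URL and into the body of a POST, so that a URL on its own can no longer pick the command. The Go snippet below is an added illustration and is not code from the KEP, from the kubelet, or from kube-apiserver. It puts a reduced model of the shape the roadmap rejects (any method accepted, command read from URL query parameters) beside a parser that enforces the roadmap's requirements for non-websocket exec (POST only, options taken from the request body, query parameters tolerated for client compatibility but never consulted for the command). `ExecOptions` is a cut-down stand-in for PodExecOptions; the `/exec/...` path, the `command` and `container` parameter names, the JSON body shape and the 1 MiB body cap are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ExecOptions is a deliberately reduced stand-in for PodExecOptions; only the
// fields needed to show where the command comes from are modelled (assumption).
type ExecOptions struct {
	Container string   `json:"container"`
	Command   []string `json:"command"`
}

var (
	ErrMethodNotAllowed = errors.New("exec: request must be a POST")
	ErrMissingBody      = errors.New("exec: options must be supplied in the request body")
)

// parseExecOptionsLegacy models the behaviour the roadmap moves away from: any
// HTTP method is accepted and the command is taken from URL query parameters,
// so a crafted URL alone decides what runs in the container.
func parseExecOptionsLegacy(r *http.Request) (ExecOptions, error) {
	q := r.URL.Query()
	if len(q["command"]) == 0 {
		return ExecOptions{}, errors.New("exec: no command given")
	}
	return ExecOptions{Container: q.Get("container"), Command: q["command"]}, nil
}

// parseExecOptionsHardened applies the two roadmap requirements for
// non-websocket exec: the request must be a POST and the options must come
// from the body. Query parameters may still be present (the roadmap has
// clients send both for compatibility) but they are never consulted for the
// command, so a GET or a body-less request cannot select it.
func parseExecOptionsHardened(r *http.Request) (ExecOptions, error) {
	if r.Method != http.MethodPost {
		return ExecOptions{}, ErrMethodNotAllowed
	}
	if r.Body == nil {
		return ExecOptions{}, ErrMissingBody
	}
	dec := json.NewDecoder(io.LimitReader(r.Body, 1<<20)) // bound what we parse (assumed cap)
	dec.DisallowUnknownFields()
	var opts ExecOptions
	if err := dec.Decode(&opts); err != nil {
		if errors.Is(err, io.EOF) {
			return ExecOptions{}, ErrMissingBody // POST with an empty body
		}
		return ExecOptions{}, fmt.Errorf("exec: decoding options: %w", err)
	}
	if len(opts.Command) == 0 {
		return ExecOptions{}, ErrMissingBody
	}
	return opts, nil
}

func main() {
	// Constructed sample requests; path and parameter names are illustrative.
	get := httptest.NewRequest(http.MethodGet, "/exec/default/web?container=app&command=id", nil)
	legacy, _ := parseExecOptionsLegacy(get)
	fmt.Println("legacy, GET with command in URL:", legacy.Command)
	_, err := parseExecOptionsHardened(get)
	fmt.Println("hardened, same request:        ", err)

	body := strings.NewReader(`{"container":"app","command":["ls","/"]}`)
	post := httptest.NewRequest(http.MethodPost, "/exec/default/web?command=id", body)
	opts, _ := parseExecOptionsHardened(post)
	fmt.Println("hardened, POST, body wins:     ", opts.Command)
}
```

The point of the contrast is that in the hardened form the query string `command=id` has no effect: the second request runs `ls /` because that is what the body says, and the same URL issued as a GET, or as a POST with no body, is refused outright rather than falling back to the URL.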

Metadata

Labels

  • lifecycle/rotten: Denotes an issue or PR that has aged beyond stale and will be auto-closed.
  • sig/api-machinery: Categorizes an issue or PR as relevant to SIG API Machinery.
  • sig/node: Categorizes an issue or PR as relevant to SIG Node.
  • stage/alpha: Denotes an issue tracking an enhancement targeted for Alpha status.
  • tracked/no: Denotes an enhancement issue that is NOT actively being tracked by the Release Team.
