Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Harden exec requests against SSRF #1898

Closed
13 tasks
tallclair opened this issue Jul 15, 2020 · 24 comments
Closed
13 tasks

Harden exec requests against SSRF #1898

tallclair opened this issue Jul 15, 2020 · 24 comments
Assignees
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/node Categorizes an issue or PR as relevant to SIG Node. stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team

Comments

@tallclair
Copy link
Member

tallclair commented Jul 15, 2020

Enhancement Description

  • One-line enhancement description (can be used as a release note): Harden exec requests against SSRF by preventing command modification through URL parameters and GET requests.
  • Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/1898-hardened-exec
  • Primary contact (assignee): @tallclair
  • Responsible SIGs: sig-node, sig-api-machinery
  • Enhancement target (which target equals to which milestone):
    • Alpha release target: v1.20
    • Beta release target (x.y)
    • Stable release target (x.y)

Roadmap Summary:

  • v1.20
    • Update PodExecOptions with pod reference
    • Update Kubelet API (protected by DeprecatedKubeletStreamingAPI)
      • Remove the kubelet's /run and UID-specific endpoints
      • Require POST request for kubelet streaming endpoints
      • Require options in request body
    • Update kube-apiserver
      • Always use POST for streaming requests to Kubelet
      • Send options in request body (but also query params)
      • Require POST with request body for non-websocket exec requests, guarded by alpha HardenedExecRequests
    • Update clients to send exec POST requests with options in the body (and also in query params)
      • go client (+kubectl?)
      • ...
    • Expand E2E test coverage - https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/1898-hardened-exec#test-plan
@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Jul 15, 2020
@tallclair
Copy link
Member Author

tallclair commented Jul 15, 2020

/sig node
/sig api-machinery

For motivation, see kubernetes/kubernetes#92914

@k8s-ci-robot k8s-ci-robot added sig/node Categorizes an issue or PR as relevant to SIG Node. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jul 15, 2020
@kikisdeliveryservice
Copy link
Member

kikisdeliveryservice commented Sep 13, 2020

Hi @tallclair

Enhancements Lead here. Please update us once your KEP is up and please confirm that this is going to be alpha in 1.20.

Thanks!
Kirsten

@tallclair
Copy link
Member Author

tallclair commented Sep 17, 2020

KEP is here: #1899, expecting reviews next week.
Planning alpha implementation in v1.20, expecting KEP reviews next week.
/milestone v1.20

@k8s-ci-robot k8s-ci-robot added this to the v1.20 milestone Sep 17, 2020
@tallclair tallclair self-assigned this Sep 17, 2020
@kikisdeliveryservice kikisdeliveryservice added stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team labels Sep 17, 2020
@kikisdeliveryservice
Copy link
Member

kikisdeliveryservice commented Sep 17, 2020

Thanks! Added to tracking sheet. Also updated description above to add the KEP PR link. 👍

@kikisdeliveryservice
Copy link
Member

kikisdeliveryservice commented Sep 17, 2020

Also, as a reminder to be included in a release:

The KEP must be merged in an implementable state <-- yours is currently provisional, so don't forget to update this by enhancements freeze which is currently October 6th.
The KEP must have test plans
The KEP must have graduation criteria.

@kikisdeliveryservice
Copy link
Member

kikisdeliveryservice commented Oct 2, 2020

Hi @tallclair

As a reminder October 6th is Enhancements Freeze. Thanks for the PR! It is missing graduation criteria for the current alpha milestone. Please update the KEP so that it can meet the required criteria and merge by next Tuesday.

Thanks!
Kirsten

@kikisdeliveryservice
Copy link
Member

kikisdeliveryservice commented Oct 5, 2020

Double checked and the PR is now complete, so we're just waiting for it to get merged.

@kendallroden
Copy link
Contributor

kendallroden commented Oct 12, 2020

Hey @tallclair!

Since your Enhancement is scheduled to be in 1.20, please keep in mind the important upcoming dates:
Friday, Nov 6th: Week 8 - Docs Placeholder PR deadline
Thursday, Nov 12th: Week 9 - Code Freeze

As a reminder, please link all of your k/k PR as well as docs PR to this issue so we can track them.

Thanks so much,

Kendall

@reylejano
Copy link
Member

reylejano commented Oct 19, 2020

Hello @tallclair , 1.20 Docs shadow here.

Does this enhancement work planned for 1.20 require any new docs or modification to existing docs?

If so, please follows the steps here to open a PR against the dev-1.20 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Nov 6th.

Also take a look at Documenting for a release to get yourself familiarize with the docs requirement for the release.

Thank you!

@tallclair
Copy link
Member Author

tallclair commented Oct 27, 2020

I don't think this needs any docs beyond the release notes & auto-generated API reference.

@annajung
Copy link
Member

annajung commented Nov 2, 2020

Hi @tallclair

Please keep in mind the important upcoming dates:

As a reminder, please link all of your k/k PR as well as docs PR to this issue for the release team to track.

@kendallroden
Copy link
Contributor

kendallroden commented Nov 2, 2020

Hey @tallclair, I think I found at least one of the k/k PRs for this feature (#94115) - do you mind linking it to the issue for tracking?

Thanks,

Kendall

@tallclair
Copy link
Member Author

tallclair commented Nov 2, 2020

@kendallroden That PR is unrelated to this feature. There aren't any PRs opened for this yet, since they're blocked by kubernetes/kubernetes#95935. I'm hoping to get the PRs out today or tomorrow.

@tallclair
Copy link
Member Author

tallclair commented Nov 5, 2020

Looks like this is not going to make the code freeze cutoff.

/milestone v1.21

@k8s-ci-robot k8s-ci-robot modified the milestones: v1.20, v1.21 Nov 5, 2020
@kikisdeliveryservice kikisdeliveryservice added tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team and removed tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team labels Nov 5, 2020
@JornShen
Copy link
Member

JornShen commented Nov 12, 2020

@tallclair May I join it? Maybe I can do some task on it.

@tallclair
Copy link
Member Author

tallclair commented Nov 14, 2020

Unfortunately this slipped to v1.21, but I would greatly appreciate any help with getting it out next release! You can see my WIP PR here: kubernetes/kubernetes#96188. It's totally broken at the moment, and I haven't had a chance to debug it yet. I think it has something to do with closing or not connecting the request bodies.

@JornShen
Copy link
Member

JornShen commented Dec 1, 2020

Unfortunately this slipped to v1.21, but I would greatly appreciate any help with getting it out next release! You can see my WIP PR here: kubernetes/kubernetes#96188. It's totally broken at the moment, and I haven't had a chance to debug it yet. I think it has something to do with closing or not connecting the request bodies.

@tallclair

All right. I 'll take a detail look recently. :)

@annajung
Copy link
Member

annajung commented Feb 10, 2021

Hi @tallclair, 1.21 Enhancements Lead here.

I'm clearing the milestone to reflect that this enhancement was not entered into the tracking sheet before the enhancements freeze, therefore not opting into the 1.21 release.

/milestone clear

@k8s-ci-robot k8s-ci-robot removed this from the v1.21 milestone Feb 10, 2021
@fejta-bot
Copy link

fejta-bot commented May 11, 2021

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 11, 2021
@tallclair
Copy link
Member Author

tallclair commented May 11, 2021

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 11, 2021
@k8s-triage-robot
Copy link

k8s-triage-robot commented Aug 9, 2021

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 9, 2021
@k8s-triage-robot
Copy link

k8s-triage-robot commented Sep 8, 2021

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Sep 8, 2021
@k8s-triage-robot
Copy link

k8s-triage-robot commented Oct 8, 2021

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Oct 8, 2021

@k8s-triage-robot: Closing this issue.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/node Categorizes an issue or PR as relevant to SIG Node. stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team
Projects
None yet
Development

No branches or pull requests

9 participants