Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature Reqest: Don't bind the admin.conf user to system:masters #2414

Closed
6 tasks done
raesene opened this issue Mar 19, 2021 · 17 comments
Closed
6 tasks done

Feature Reqest: Don't bind the admin.conf user to system:masters #2414

raesene opened this issue Mar 19, 2021 · 17 comments
Assignees
@neolit123
Labels
area/security kind/documentation Categorizes issue or PR as related to documentation. kind/feature Categorizes issue or PR as related to a new feature. lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.
Milestone
v1.31

Comments

@raesene
Copy link

raesene commented Mar 19, 2021
edited by neolit123
Loading

edit by neolit123

tasks for 1.29

tasks for 1.30

original issue description

At the moment, when a new Kubeadm cluster is created, the default credential that is provided for cluster operators to use has a subject group of system:masters. e.g.

Subject: O = system:masters, CN = kubernetes-admin

This is a special group for which cluster-admin rights are hardcoded into the Kubernetes API server source code (https://github.com/kubernetes/kubernetes/blob/master/pkg/registry/rbac/escalation_check.go#L38).

As a result, this credential cannot be revoked, if a cluster operator loses control of it, or if one of their admins moves team or leaves the organization, the only way to revoke access completely is to rotate the cluster certificate authority keys.

Whilst Kubernetes in general doesn't currently support certificate revocation (kubernetes/kubernetes#18982) it could be possible to reduce the risk posed by a lost admin.conf file, by having a specific clusterrolebinding for the admin.conf user to the cluster-admin clusterrole.

This would allow cluster operators to largely revoke the rights assigned to that credential, by removing the binding. It would still have system:authenticated rights, but these are likely (in most clusters) to be significantly lower than cluster-admin.
@neolit123
Copy link
Member

the admin.conf is like a root password...it must not be shared.
given i've seen a few cases where users share the file, i'm going to create a PR to make this very clear in https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/.

it makes perfect sense for a deployer on cluster creation to sign break-glass credentials and that is what the admin.conf is.

As a result, this credential cannot be revoked, if a cluster operator loses control of it, or if one of their admins moves team or leaves the organization, the only way to revoke access completely is to rotate the cluster certificate authority keys.

sharing the admin.conf in such a scenario is not ideal.
kubeadm gives you the kubeadm kubeconfig user command that can be used to create a kubeconfig for any user / group.

/kind documentation

@k8s-ci-robot k8s-ci-robot added the kind/documentation Categorizes issue or PR as related to documentation. label Mar 19, 2021
@neolit123 neolit123 added kind/feature Categorizes issue or PR as related to a new feature. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. area/security labels Mar 19, 2021
@neolit123 neolit123 added this to the v1.22 milestone Mar 19, 2021
@raesene
Copy link
Author

raesene commented Mar 19, 2021

With the lifetime on the certificate being a year, it seems likely that in many cases users who had valid access to the credential when the cluster was created, may no longer need access during that period.

I'd agree that admin.conf should be a break-glass credential, but it may benefit cluster operators to provide a mechanism for that credential to be revoked, given its lifetime.

@neolit123
Copy link
Member

With the lifetime on the certificate being a year, it seems likely that in many cases users who had valid access to the credential when the cluster was created, may no longer need access during that period.

you can also rotate the cluster CA, which will invalidate the system:master credentials.
https://kubernetes.io/docs/tasks/tls/manual-rotation-of-ca-certificates/

I'd agree that admin.conf should be a break-glass credential, but it may benefit cluster operators to provide a mechanism for that credential to be revoked, given its lifetime.

that is a kubernetes problem, since revocation is not supported in core.
kubernetes/kubernetes#18982

something that we can improve with respect to kubeadm admin credentials is to sign two files:

  • admin.conf: doesn't use system:masters but still has super powers
  • superadmin.conf: uses system:masters and is the break-glass credential
    but this change needs a KEP / proposal and might not land anytime soon. i don't think i will have time for it in 1.22.

@neolit123
Copy link
Member

/assign
assigning myself to make it very clear what admin.conf is in https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/

@neolit123 neolit123 mentioned this issue Mar 19, 2021
Merged
@neolit123
Copy link
Member

@raesene please add LGTM to this PR:
kubernetes/website#27141

@raesene
Copy link
Author

raesene commented Mar 22, 2021

done :)

@mlbiam
Copy link

mlbiam commented Jun 2, 2021

Would an off-line CA that could issue break-glass admin certs be more secure? you still have a "root" credential in the off-line CA that you would need to protect, but could issue shorter lived/time boxed admin.conf certs that could be controlled through other means.

@neolit123 neolit123 modified the milestones: v1.22, v1.23 Jul 5, 2021
@arianvp
Copy link

arianvp commented Jul 19, 2021

Would perhaps be useful to also put the suggestion of kubeadm kubeconfig user command in the output of kubeadm init as well so people really do not download it

@neolit123
Copy link
Member

Would an off-line CA that could issue break-glass admin certs be more secure? you still have a "root" credential in the off-line CA that you would need to protect, but could issue shorter lived/time boxed admin.conf certs that could be controlled through other means.

by off-line do you mean a CA that the cluster components and kubeadm are not aware of, such as a root CA of the user org?
if yes, i don't think signing the system:masters credentials with it would work.
it must be signed with the intermediate CA that is passed to the cluster and if the credential leaks the same intermediate CA must be rotated (since, no revocation in k8s).

Would perhaps be useful to also put the suggestion of kubeadm kubeconfig user command in the output of kubeadm init as well so people really do not download it

there is a warning for that on this page:
https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/

Warning: Kubeadm signs the certificate in the admin.conf to have Subject: O = system:masters, CN = kubernetes-admin. system:masters is a break-glass, super user group that bypasses the authorization layer (e.g. RBAC). Do not share the admin.conf file with anyone and instead grant users custom permissions by generating them a kubeconfig file using the kubeadm kubeconfig user command.

but a message for that in the output of "init" seems fine for 1.23. PRs welcome.
we are currently in code freeze for 1.22.

@arianvp
Copy link

arianvp commented Jul 20, 2021

Excellent. I'll draft a PR.

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 18, 2021
@neolit123
Copy link
Member

/lifecycle frozen
/unassign

@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Oct 18, 2021
@neolit123 neolit123 modified the milestones: v1.23, v1.24 Nov 23, 2021
@neolit123 neolit123 modified the milestones: v1.24, v1.25 Mar 29, 2022
@neolit123 neolit123 removed this from the v1.25 milestone May 11, 2022
This was referenced Oct 17, 2023
Merged
Merged
@neolit123 neolit123 added lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. and removed lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. labels Oct 31, 2023
This was referenced Oct 31, 2023
Merged
Merged
Merged
Merged
@neolit123 neolit123 modified the milestones: v1.29, v1.30 Nov 1, 2023
This was referenced Nov 1, 2023
Merged
Merged
Merged
This was referenced Nov 10, 2023
Merged
Merged
Merged
@louhisuo louhisuo mentioned this issue Dec 19, 2023
Open
@prezha prezha mentioned this issue Jan 10, 2024
Merged
11 tasks
@HirazawaUi HirazawaUi mentioned this issue Jan 15, 2024
Merged
@wallrj wallrj mentioned this issue Jan 17, 2024
Merged
@pacoxu
Copy link
Member

pacoxu commented Feb 6, 2024

New TestGrid alerts at sig-cluster-lifecycle-kubeadm#kubeadm-kinder-super-admin-latest since commit/dbd3f3564.

--------------------------------------------------------------------------------
task-09-post-upgrade-primary-cp
Run commands after kubeadm upgrade is called on the primary CP node

command : /bin/bash -c set -x
CMD="docker exec kinder-super-admin-control-plane-1"

# Both admin.conf and super-admin.conf must exist
${CMD} test -f /etc/kubernetes/admin.conf || exit 1
${CMD} test -f /etc/kubernetes/super-admin.conf || exit 1

# Check certificate subject for .conf files
${CMD} grep 'client-certificate-data' /etc/kubernetes/admin.conf | awk '{print $2}' | base64 -d | openssl x509 -subject -noout | grep "subject=O = kubeadm:cluster-admins, CN = kubernetes-admin" || exit 1
${CMD} grep 'client-certificate-data' /etc/kubernetes/super-admin.conf | awk '{print $2}' | base64 -d | openssl x509 -subject -noout | grep "subject=O = system:masters, CN = kubernetes-super-admin" || exit 1

# Check certificate subject for apiserver-kubelet-client.crt
${CMD} openssl x509 -subject -noout -in /etc/kubernetes/pki/apiserver-kubelet-client.crt | grep "subject=O = kubeadm:cluster-admins, CN = kube-apiserver-kubelet-client" || exit 1

# Check if the admin.conf user still has RBAC permissions
${CMD} kubectl -n kube-system --kubeconfig /etc/kubernetes/admin.conf get cm kubeadm-config || exit 1

# Ensure exit status of 0
exit 0

timeout : 5m0s
force   : false
--------------------------------------------------------------------------------

+ CMD='docker exec kinder-super-admin-control-plane-1'
+ docker exec kinder-super-admin-control-plane-1 test -f /etc/kubernetes/admin.conf
+ docker exec kinder-super-admin-control-plane-1 test -f /etc/kubernetes/super-admin.conf
+ exit 1

We may update the CI after we removed some logics in kubernetes/kubernetes#122786.
Do I understand it correctly? @HirazawaUi @neolit123

@neolit123
Copy link
Member

neolit123 commented Feb 6, 2024
edited
Loading

We may update the CI after we removed some logics in kubernetes/kubernetes#122786.
Do I understand it correctly? @HirazawaUi @neolit123

yes, we need to update the test a little.
i will send a PR.

@neolit123 neolit123 mentioned this issue Feb 6, 2024
Merged
@neolit123
Copy link
Member

We may update the CI after we removed some logics in kubernetes/kubernetes#122786.
Do I understand it correctly? @HirazawaUi @neolit123

yes, we need to update the test a little. i will send a PR.

PR
#3012

@neolit123 neolit123 modified the milestones: v1.30, v1.31 Apr 5, 2024
@neolit123
Copy link
Member

this is done

@neolit123 neolit123 mentioned this issue Jul 6, 2024
Closed
@ralgozino ralgozino mentioned this issue Jul 23, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@neolit123 neolit123

Labels
area/security kind/documentation Categorizes issue or PR as related to documentation. kind/feature Categorizes issue or PR as related to a new feature. lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.
Projects
None yet
Milestone
v1.31
Development

No branches or pull requests
7 participants
@raesene @neolit123 @arianvp @pacoxu @mlbiam @k8s-ci-robot @k8s-triage-robot