Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kubelet: block non-forwarded packets from crossing the localhost boundary #91569

Merged
merged 1 commit into from Jun 1, 2020
Merged

kubelet: block non-forwarded packets from crossing the localhost boundary #91569

merged 1 commit into from Jun 1, 2020

Conversation

squeed
Copy link
Contributor

@squeed squeed commented May 29, 2020
edited

We set route_localnet so that host-network processes can connect to 127.0.0.1:NodePort and it still works. This, however, is too permissive.

So, block martians that are not already in conntrack.

What type of PR is this?
/kind bug

What this PR does / why we need it:
As outlined in #90259, blindly setting route_localnet is too permissive. We need to ensure that only packets we want can pass the martian boundary.

Which issue(s) this PR fixes:
Fixes #90259

Does this PR introduce a user-facing change?:

NONE

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. kind/bug Categorizes issue or PR as related to a bug. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels May 29, 2020
@squeed
Copy link
Contributor Author

squeed commented May 29, 2020

/sig network

@k8s-ci-robot k8s-ci-robot added sig/network Categorizes an issue or PR as relevant to SIG Network. area/kubelet sig/node Categorizes an issue or PR as relevant to SIG Node. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels May 29, 2020
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. label May 29, 2020
@squeed
Copy link
Contributor Author

squeed commented May 29, 2020

/cc @danwinship

@squeed
Copy link
Contributor Author

squeed commented May 29, 2020

/test pull-kubernetes-e2e-kind

bboreham
bboreham approved these changes May 29, 2020
View reviewed changes
Copy link
Contributor

@bboreham bboreham left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@squeed
Copy link
Contributor Author

squeed commented May 29, 2020

This is a bit of an awkward fix to wedge in.

Kubelet isn't actually responsible for setting this sysctl flag. Rather, it's set by kube-proxy and by the CNI port-forward plugin.

However, kubelet owns the KUBE-FIREWALL chain, so it's not unreasonable to add the rule here.

@squeed
kubelet: block non-forwarded packets from crossing the localhost boun…
8bed088 
…dary

We set route_localnet so that host-network processes can connect to
<127.0.0.1:NodePort> and it still works. This, however, is too
permissive.

So, block martians that are not already in conntrack.

See: kubernetes#90259
Signed-off-by: Casey Callendrello <cdc@redhat.com>
@bboreham bboreham mentioned this pull request May 29, 2020
Closed
@matthyx
Copy link
Contributor

matthyx commented May 30, 2020

/lgtm
/priority important-soon
/assign @derekwaynecarr

@k8s-ci-robot k8s-ci-robot added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels May 30, 2020
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 30, 2020
@danwinship
Copy link
Contributor

However, kubelet owns the KUBE-FIREWALL chain, so it's not unreasonable to add the rule here.

I think @thockin said he wanted to have kubelet doing less networking setup. But as long as this is adding the new setup code to kubelet_network_linux.go rather than somewhere else, it can get cleaned up with the rest later when we figure out where to put it...

@derekwaynecarr
Copy link
Member

/approve
/lgtm

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: derekwaynecarr, squeed

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 1, 2020
@k8s-ci-robot k8s-ci-robot merged commit 5bcc33e into kubernetes:master Jun 1, 2020
@k8s-ci-robot k8s-ci-robot added this to the v1.19 milestone Jun 1, 2020
@champtar
Copy link
Contributor

champtar commented Jun 1, 2020

@squeed Isn't the merged commit allowing packets from say 127.127.127.127 or 127.0.0.1 to 127.0.0.1 to go through ? (if we want to attack a localhost udp service and don't care about the responses)
Don't we want something like:

iptables -A KUBE-FIREWALL ! -i lo --dst 127.0.0.0/8 -m conntrack ! --ctstate 'RELATED,ESTABLISHED,DNAT' -j DROP

@squeed
Copy link
Contributor Author

squeed commented Jun 2, 2020
edited

@champtar that's a very good point. A quick test with cnitool and nping shows that your propsed rule has the desired effect.

I'll file a follow-up PR.

@squeed squeed mentioned this pull request Jun 2, 2020
Closed
@joelsmith
Copy link
Contributor

/cherrypick release-1.18
/cherrypick release-1.17
/cherrypick release-1.16

This was referenced Jun 11, 2020
Merged
Merged
Merged
Merged
@joelsmith joelsmith mentioned this pull request Jul 8, 2020
Closed
@thockin thockin mentioned this pull request Jul 10, 2020
Merged
@aojea aojea mentioned this pull request Mar 13, 2021
Closed
@tnqn tnqn mentioned this pull request Aug 26, 2021
Merged
@aojea aojea mentioned this pull request Feb 24, 2022
Merged
@polarathene polarathene mentioned this pull request May 26, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bboreham bboreham bboreham approved these changes

@derekwaynecarr derekwaynecarr Awaiting requested review from derekwaynecarr

@matthyx matthyx Awaiting requested review from matthyx

@danwinship danwinship Awaiting requested review from danwinship

Assignees

@derekwaynecarr derekwaynecarr

@matthyx matthyx

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubelet cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note-none Denotes a PR that doesn't merit a release note. sig/network Categorizes an issue or PR as relevant to SIG Network. sig/node Categorizes an issue or PR as relevant to SIG Node. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
v1.19
Development

Successfully merging this pull request may close these issues.

net.ipv4.conf.all.route_localnet=1 opens security issue
8 participants
@squeed @matthyx @danwinship @derekwaynecarr @k8s-ci-robot @champtar @joelsmith @bboreham