Securing the cluster created by Juju

[ktsakalozos]

What this PR does / why we need it: This PR secures the deployments done with Juju master. Works around certain security issues inherent to kubernetes (see for example dashboard access)

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #

Special notes for your reviewer:

Release note:

Securing Juju kubernetes dashboard

[k8s-ci-robot]

Hi @ktsakalozos. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with @k8s-bot ok to test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[Cynerva]

kubernetes-my-worker -> kubernetes-worker? Pretty sure the worker in this example is coming from juju deploy kubernetes-core, hence it would get the default name.

[Cynerva]

Err, backing up -- this should be relating e2e to master, not worker to master

[ktsakalozos]

Yeap, my mistake. Thank you

[lazypower]

I think HTTP here is the interface name, not the relation name. That's unclear. Perhaps scope it properly in juju terms?

kubernetes-master:http

[ktsakalozos]

Done

[lazypower]

Same here, change the output to kubernetes-master:kube-control

[ktsakalozos]

Done

[Cynerva]

Could removing the @when_not('authentication.setup') decorator here result in a 5 minute delay?:

1. setup_non_leader_authentication handler runs
2. password_changed handler runs, removes authentication.setup state
3. reactive does not dispatch setup_non_leader_authentication handler again until the next hook

I'm having trouble reasoning through the specific outcome of that, but we've had similar problems with delays caused by using is_state in combination with state-based dispatch.

[ktsakalozos]

That's a good catch! The password update flow should should go like this:

• User sets new passowrd
• Leader grabs the password and propagates to non-leaders
• Leader restarts
• Non-leaders get the new password and restart.

You will notice I added the 'leadership.is_leader' on the password_changed() so that only the leader acts on password change.

To your question, I think the change of leadership data will trigger the reactive framework on the non-leaders in a timely fashion so there will not be the 5 minute wait.

[Cynerva]

Should setup_leader_authentication remove this state too?

[ktsakalozos]

Yes we can do that.

On the leader we have two triggers that cause a reconfiguration of the authentication 1) charm upgrade 2) password change. In both triggers we do

    remove_state('authentication.setup')
    remove_state('kubernetes-master.components.started')

On the non-leaders the reconfig of the authorisation is triggered after detecting a change on the leader. This is why I had the remove state there.

To make it homogeneous I added the remove state on the setup_leader_authentication and removed it from the upgrade and change password triggers.

[Cynerva]

Given that we're storing passwords in unitdata, what happens if we lose the leader unit? Will a password/token change when we wouldn't want it to?

[lazypower]

It would, this isn't getting syndicated.

[lazypower]

I wonder if its better form then to instead use leader-data to handle these values, and keep them as a mutable dict object, being mutated by the leader and subsequently leader_set() after update, so any future-facing leaders get the benefit of having this state tracked for them.

[ktsakalozos]

The last commit should address this. I got rid of the local db and everything is read from the token files after they have been synced with the leader

[Cynerva]

This surprises me -- are we getting two copies of the kube-control interface here?

[lazypower]

We are, each state thats set off of that interface, passes the interface into the method. It got me too when I was prototyping.

[Cynerva]

What happened here? If kubelet_opts.add('anonymous-auth', 'false') didn't work then we should probably fix that in FlagManager rather than work around it here.

[ktsakalozos]

I misunderstood how the snap options work. anonymous-auth=false will be ignored because it is not part of the config params. However, if I set the anonymous-auth to false it will not make it to the arguments list and it will take the default value of true. Opened this issue:
https://github.com/juju-solutions/bundle-canonical-kubernetes/issues/314

I am going to remove the anonymous-auth option for now so as not to cause any confusion.

[lazypower]

Thanks for the submission konstantinos. Overall I think this is a great first-draft submission of the fix but there are some serious questions posed here relating to state distribution and upgrade paths for existing users who have certificate auth enabled (all of our existing deployments to date).

We'll need to sort those satisfactorily before I'm comfortable acking this change.

The majority of what's here is excellent though and I look forward to giving this a second round review once the requested modifications have been made.

[lazypower]

I wonder if its better form then to instead use leader-data to handle these values, and keep them as a mutable dict object, being mutated by the leader and subsequently leader_set() after update, so any future-facing leaders get the benefit of having this state tracked for them.

[lazypower]

Dont do this. You're making an explicit invocation of a method that is controlled by a decorator.

What I suggest is to move the messaging method into a non-decorated space in the source file, and write a new method declaration for invoking the messaging() method during the @when('kubernetes.e2e.installed') state is present, and you can then do this messaging() invocation inline like you have it (for guarantee of it being invoked when you expect it to be).

[ktsakalozos]

Done

[lazypower]

I agree that we need to remove this, but I don't think this doesn't do anything for existing deployments. Does this need to be explicitly checked and removed from the file? (i didn't notice that anywhere else in the code)

[ktsakalozos]

We remove the certificate from the kubeconfig file by un-setting the users section. Is this what you would expect? https://github.com/kubernetes/kubernetes/pull/47835/files#diff-25f2686437984f527090205ba417c242R158 . Do you have something else in mind?

[Cynerva]

I think the concern is that the client-ca-file entry might not be cleared from api_opts when upgrading an older deployment.

Thankfully, all flags get cleared during an upgrade-charm, so we're good: https://github.com/juju-solutions/kubernetes/blob/55525773cec50fa7510a9801c5c763e6ec6ad2ac/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py#L139-L141

Don't know why that's in migrate_from_pre_snaps, it really doesn't belong there. But hey, at least it's happening!

[lazypower]

We are, each state thats set off of that interface, passes the interface into the method. It got me too when I was prototyping.

[lazypower]

I'm not sure why this was removed. was this intentional?

[ktsakalozos]

The default value is already true:

--logtostderr log to standard error instead of files (default true)

Adding it back.

[Cynerva]

@k8s-bot ok to test

I'm +1 to this, not seeing any problems after the recent changes. @chuckbutler can you give it another look too?

[lazypower]

I've been following along and i'm +1 to this.

/lgtm

[marcoceppi]

/approve no-issue

[lazypower]

Ah I see there's still some dust settling here with respect to relationship scoping. I'm going to wait until you've signalled this PR is ready for re-review @ktsakalozos

[ktsakalozos]

@marcoceppi @chuckbutler I had to update this PR to align it with the changes done on the kube-control interface. Retested again and it looks strong. Thank you.

[ktsakalozos]

Since we got all comments addressed I am squashing the commits

[Cynerva]

/assign @Cynerva

[k8s-ci-robot]

@Cynerva: GitHub didn't allow me to assign the following users: cynerva.

Note that only kubernetes members can be assigned.

In response to this:

/assign @Cynerva

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Cynerva]

/lgtm

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Cynerva, chuckbutler, ktsakalozos, marcoceppi

Associated issue requirement bypassed by: marcoceppi

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• cluster/juju/OWNERS [Cynerva,chuckbutler,ktsakalozos,marcoceppi]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[Cynerva]

/retest

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 47850, 47835, 46197, 47250, 48284)