Add e2e regression tests for the kubelet being secure

[dixudx]

What this PR does / why we need it:
This PR does,

1. The kubelet cAdvisor port (4194) can't be reached, neither via the API server proxy nor directly on the public IP address
2. The kubelet read-only port (10255) can't be reached, neither via the API server proxy nor directly on the public IP address
3. The kubelet can delegate ServiceAccount tokens to the API server
4. The kubelet's main port (10250) has both authentication (should fail with no credentials) and authorization (should fail with insufficient permissions) set-up

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes kubernetes/kubeadm#838

Special notes for your reviewer:
/cc luxas tallclair
Release note:

Add e2e regression tests for the kubelet being secure

[dixudx]

/cc @kubernetes/sig-node-proposals @kubernetes/sig-auth-proposals

[luxas]

This looks great overall.
Thanks for this valuable contribution @dixudx 👍!
I left a couple of initial comments.

I'd love a review from @kubernetes/sig-auth-pr-reviews, and a comment from @kubernetes/sig-architecture-pr-reviews regarding eventually graduating It("Should make the kubelet's main port 10250 enforce authentication for client requests") a Conformance test as @tallclair commented in kubernetes/kubeadm#838 (comment)

[luxas]

Add a comment why you do this. (I think it's to make sure the ServiceAccount admission controller is enabled etc., so secret generation on SA creation works, right?)

[dixudx]

Correct. Add a comment is better.

[luxas]

Don't add conformance here please. You can add a comment though to maybe do it in the future though.
cc @tallclair

[luxas]

suggest: should not be able to proxy to the readonly kubelet port 10255 using proxy subresource to be consistent with what you have below

[luxas]

Thanks a lot @dixudx!!
I'm fine for the moment, the high level functionality is there, deferring the rest of the review to SIG Auth reviewers.
I'm gonna try running these locally in a minute to make sure everything actually works 😄

/approve
/lgtm

[liggitt]

while I like the idea of exercising the described tests, these e2e tests don't actually do that. the only reason CI is green with them added is because they're behind feature tags that don't actually run them (or the API server happens to return the same response we were hoping to see from the kubelet)

[tallclair]

I recommend proxying the tests through shell commands run in a container and pointed at the kubelets cluster-internal IP address. See the apparmor test for an example of how you might do this:
https://github.com/kubernetes/kubernetes/blob/master/test/e2e/common/apparmor.go#L60

[k8s-ci-robot]

New changes are detected. LGTM label has been removed.

[tallclair]

Yeah, this isn't a conformance test, so I don't think it needs to be tied to a version. We can merge it when it's ready.

[dixudx]

@jberkus @tallclair Addressed the comments. PTAL. Thanks.

[tallclair]

This comment only applies to the test runner. Since you're execing both the tests through a pod, you can test the internal IPs here.

[tallclair]

nit: s/fail/reject requests/

[tallclair]

I'd prefer to check for 401 OR 403, that way you're not depending on a specific implementation as much.

[tallclair]

curl doesn't know how to interpret backticks - you need to run this command in a shell. I.e.:

[]string{"sh", "-c", "curl -sI --insecure --header "Authorization: Bearer `cat /var/run/secrets/kubernetes.io/serviceaccount/token`" + url}

[tallclair]

... or 401

[tallclair]

Are you sure the path should include proxy here?

[tallclair]

There seems to be some confusion about what internal IPs and external IPs are.

External IPs are available to the entire internet.
Internal IPs are from a private address space, meaning they are only meaningful within the private network. In our case, that means running in the cluster.

The E2E test runner runs outside the cluster being tested, which means that it can only see the external IP addresses (actually, it can see the internal IP addresses, but they are resolved within the test runner's private network, so they probably resolve to different devices, if at all). When you run a pod, it runs in the cluster, meaning the pod can see the internal addresses, this is why an tests that look at the internal IPs should be run through a pod.

Hopefully that clears it up?

[tallclair]

No reason to use this method if you're not looking for the string. How about just:

result := framework.RunHostCmdOrDie(ns, pod.Name, fmt.Sprintf("curl -sIk -o /dev/null -w '%{http_code}' https://%s:%v/metrics", nodeIP, ports.KubeletPort))
Expect(result).To(Or(Equal("401"), Equal("403")), "the kubelet's main port 10250 should reject requests with no credentials")

[tallclair]

Same as above comment.

[tallclair]

Expect(result).To(And(BeNumerically(">=", 200), BeNumerically("<", 300)), ...)

[tallclair]

I don't particularly care for the gomega DSL, so feel free to do these checks explicitly, but semantically this is the condition you should check for.

[tallclair]

You might be able to simplify this to just: Expect(result).To(Equal("200"), ...)

[dixudx]

Here we're using a new SA token when sending requests to the kubelet. The expected result should be 403, and authentication is okay.

Expect(result).To(Equal("200"), ...)

@tallclair I don't quite understand where 200 comes.

[tallclair]

This comment still doesn't make sense to me. Why did you drop the external IPs?

[dixudx]

So we add external IPs back again? I was testing both internal IPs and external IPs before.

[tallclair]

The 0th node is usually the master, which might be configured differently. Still a good idea to check it though, but maybe pick a few (or all of them)?

[dixudx]

Actually all the nodes here are schedulable and ready. Usually the master node is tainted, which will be filtered due to unschedulable.

So the 0th node is usually not the master. And 0th node is used widely in our e2e test scenarios.

kubernetes/test/e2e/node/mount_propagation.go

Lines 86 to 89 in ad9722c

	// Pick a node where all pods will run.
	nodes := framework.GetReadySchedulableNodesOrDie(f.ClientSet)
	Expect(len(nodes.Items)).NotTo(BeZero(), "No available nodes for scheduling")
	node := &nodes.Items[0]

[liggitt]

per #64140 (comment) this isn't tied to v1.11 or blocking the release

/milestone clear

[dixudx]

@luxas @tallclair Needs your lgtm. Thanks.

[tallclair]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dixudx, luxas, tallclair, timothysc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• test/OWNERS [timothysc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[dixudx]

@tallclair @luxas Seems the bot does not want to lgtm.

[k8s-github-robot]

/test all

Tests are more than 96 hours old. Re-running tests.

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-ci-robot]

@dixudx: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-kubernetes-bazel-test	924df8a	link	/test pull-kubernetes-bazel-test

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 64140, 64898, 65022, 65037, 65027). If you want to cherry-pick this change to another branch, please follow the instructions here.