Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug 1996689: Tighten up RestrictedEndpointsAdmission #899

Merged
merged 2 commits into from
Sep 4, 2021
Merged

Bug 1996689: Tighten up RestrictedEndpointsAdmission #899

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f346309
UPSTREAM: <carry>: Make RestrictedEndpointsAdmission check NotReadyAd…
danwinship Aug 27, 2021
adabd2d
UPSTREAM: <carry>: Make RestrictedEndpointsAdmission restrict Endpoin…
danwinship Aug 23, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
146 changes: 123 additions & 23 deletions openshift-kube-apiserver/admission/network/restrictedendpoints/endpoint_admission.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import (
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/klog/v2"
kapi "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/discovery"

"github.com/openshift/library-go/pkg/config/helpers"
"k8s.io/kubernetes/openshift-kube-apiserver/admission/network/apis/restrictedendpoints"
Expand Down Expand Up @@ -110,37 +111,56 @@ var (
}
)

func (r *restrictedEndpointsAdmission) findRestrictedIP(ep *kapi.Endpoints, restricted []*net.IPNet) error {
func checkRestrictedIP(ipString string, restricted []*net.IPNet) error {
ip := net.ParseIP(ipString)
if ip == nil {
return nil
}
for _, net := range restricted {
if net.Contains(ip) {
return fmt.Errorf("endpoint address %s is not allowed", ipString)
}
}
return nil
}

func checkRestrictedPort(protocol kapi.Protocol, port int32, restricted []kapi.EndpointPort) error {
for _, rport := range restricted {
if protocol == rport.Protocol && port == rport.Port {
return fmt.Errorf("endpoint port %s:%d is not allowed", protocol, port)
}
}
return nil
}

func (r *restrictedEndpointsAdmission) endpointsFindRestrictedIP(ep *kapi.Endpoints, restricted []*net.IPNet) error {
for _, subset := range ep.Subsets {
for _, addr := range subset.Addresses {
ip := net.ParseIP(addr.IP)
if ip == nil {
continue
if err := checkRestrictedIP(addr.IP, restricted); err != nil {
return err
}
for _, net := range restricted {
if net.Contains(ip) {
return fmt.Errorf("endpoint address %s is not allowed", addr.IP)
}
}
for _, addr := range subset.NotReadyAddresses {
if err := checkRestrictedIP(addr.IP, restricted); err != nil {
return err
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this makes the admission tighter than it was in <4.9. Why is that correct? IMO it breaks the API.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@danwinship if there is no specific reason to have this change in the same PR, please split it up, so we can get the 4.9 blocker out of the way quickly.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this makes the admission tighter than it was in <4.9. Why is that correct? IMO it breaks the API.

Because it was a security hole before. We need to block restricted changes to NotReadyEndpoints for the same reason that upstream blocked all changes to Endpoints.

(AFAIK in all existing OCP releases (including 4.9) it is only a potential security hole, with no actual way to exploit it in the shipped product. But at any point, someone might add some component that makes use of NotReadyAddresses, at which point it would be possible to subvert that component in CVE-2021-25740-like ways.)

There is really no plausible use case for someone manually adding IPs to NotReadyEndpoints anyway.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Summary from Slack why this is fine (for ourselves in 6 months):

  • the admission only checks when the subsets are changed. I.e. another actor can always annotate or do other non-subset changes. These updates won't
  • the change in behaviour (added validation of NotReadyAddresses) is ok because we are fixing a CVE here.

The kube-controller-manager controllers have extended permission anyway and this admission check is skipped.

}
}
}
return nil
}

func (r *restrictedEndpointsAdmission) findRestrictedPort(ep *kapi.Endpoints, restricted []kapi.EndpointPort) error {
func (r *restrictedEndpointsAdmission) endpointsFindRestrictedPort(ep *kapi.Endpoints, restricted []kapi.EndpointPort) error {
for _, subset := range ep.Subsets {
for _, port := range subset.Ports {
for _, restricted := range restricted {
if port.Protocol == restricted.Protocol && port.Port == restricted.Port {
return fmt.Errorf("endpoint port %s:%d is not allowed", string(port.Protocol), port.Port)
}
if err := checkRestrictedPort(port.Protocol, port.Port, restricted); err != nil {
return err
}
}
}
return nil
}

func (r *restrictedEndpointsAdmission) checkAccess(ctx context.Context, attr admission.Attributes) (bool, error) {
func (r *restrictedEndpointsAdmission) endpointsCheckAccess(ctx context.Context, attr admission.Attributes) (bool, error) {
authzAttr := authorizer.AttributesRecord{
User: attr.GetUserInfo(),
Verb: "create",
Expand All @@ -155,11 +175,7 @@ func (r *restrictedEndpointsAdmission) checkAccess(ctx context.Context, attr adm
return authorized == authorizer.DecisionAllow, err
}

// Admit determines if the endpoints object should be admitted
func (r *restrictedEndpointsAdmission) Validate(ctx context.Context, a admission.Attributes, _ admission.ObjectInterfaces) error {
if a.GetResource().GroupResource() != kapi.Resource("endpoints") {
return nil
}
func (r *restrictedEndpointsAdmission) endpointsValidate(ctx context.Context, a admission.Attributes) error {
ep, ok := a.GetObject().(*kapi.Endpoints)
if !ok {
return nil
Expand All @@ -169,18 +185,18 @@ func (r *restrictedEndpointsAdmission) Validate(ctx context.Context, a admission
return nil
}

restrictedErr := r.findRestrictedIP(ep, r.restrictedNetworks)
restrictedErr := r.endpointsFindRestrictedIP(ep, r.restrictedNetworks)
if restrictedErr == nil {
restrictedErr = r.findRestrictedIP(ep, defaultRestrictedNetworks)
restrictedErr = r.endpointsFindRestrictedIP(ep, defaultRestrictedNetworks)
}
if restrictedErr == nil {
restrictedErr = r.findRestrictedPort(ep, defaultRestrictedPorts)
restrictedErr = r.endpointsFindRestrictedPort(ep, defaultRestrictedPorts)
}
if restrictedErr == nil {
return nil
}

allow, err := r.checkAccess(ctx, a)
allow, err := r.endpointsCheckAccess(ctx, a)
if err != nil {
return err
}
Expand All @@ -189,3 +205,87 @@ func (r *restrictedEndpointsAdmission) Validate(ctx context.Context, a admission
}
return nil
}

func (r *restrictedEndpointsAdmission) sliceFindRestrictedIP(slice *discovery.EndpointSlice, restricted []*net.IPNet) error {
for _, endpoint := range slice.Endpoints {
for _, addr := range endpoint.Addresses {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do you want to check the EndpointConditions to see if the endpoint is Ready?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why? If it has restricted IPs, then it's restricted, regardless of conditions

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

because the endpoints code only checks the ready ones?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it was curiosity only, the endpoints code only parses for _, addr := range subset.Addresses , it doesn't parse subsets.NotReadyAddresses

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hm... that seems more like a bug in the Endpoints version 😯
(it doesn't currently matter since we don't point any services to the NotReadyAddresses, but someone might use them for something in the future.)

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, as I've said, it was mostly curiosity,

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as commented elsewhere, adding NotReadyAddresses validation is a technically a breaking change. If we want that, then we need a good reason, e.g. a CVE.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(it doesn't currently matter since we don't point any services to the NotReadyAddresses, but someone might use them for something in the future.)

I've talked with Stefan and we shouldn't add it because if someone have created it before, after upgrade the endpoint will become invalid and as you say it seems only cosmetical, sorry for the noise #899 (comment)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

commented in the other thread; it's part of CVE-2021-25740; upstream solved that CVE by blocking all Endpoints modifications, we are blocking it with a more surgical blocking. But previously we had missed part of it

if err := checkRestrictedIP(addr, restricted); err != nil {
return err
}
}
}
return nil
}

func (r *restrictedEndpointsAdmission) sliceFindRestrictedPort(slice *discovery.EndpointSlice, restricted []kapi.EndpointPort) error {
for _, port := range slice.Ports {
if port.Port == nil {
continue
}
sliceProtocol := kapi.ProtocolTCP
if port.Protocol != nil {
sliceProtocol = *port.Protocol
}
if err := checkRestrictedPort(sliceProtocol, *port.Port, restricted); err != nil {
return err
}
}
return nil
}

func (r *restrictedEndpointsAdmission) sliceCheckAccess(ctx context.Context, attr admission.Attributes) (bool, error) {
authzAttr := authorizer.AttributesRecord{
User: attr.GetUserInfo(),
Verb: "create",
Namespace: attr.GetNamespace(),
Resource: "endpointslices",
Subresource: "restricted",
APIGroup: discovery.GroupName,
Name: attr.GetName(),
ResourceRequest: true,
}
authorized, _, err := r.authorizer.Authorize(ctx, authzAttr)
return authorized == authorizer.DecisionAllow, err
}

func (r *restrictedEndpointsAdmission) sliceValidate(ctx context.Context, a admission.Attributes) error {
slice, ok := a.GetObject().(*discovery.EndpointSlice)
if !ok {
return nil
}
old, ok := a.GetOldObject().(*discovery.EndpointSlice)
if ok && reflect.DeepEqual(slice.Endpoints, old.Endpoints) && reflect.DeepEqual(slice.Ports, old.Ports) {
return nil
}

restrictedErr := r.sliceFindRestrictedIP(slice, r.restrictedNetworks)
if restrictedErr == nil {
restrictedErr = r.sliceFindRestrictedIP(slice, defaultRestrictedNetworks)
}
if restrictedErr == nil {
restrictedErr = r.sliceFindRestrictedPort(slice, defaultRestrictedPorts)
}
if restrictedErr == nil {
return nil
}

allow, err := r.sliceCheckAccess(ctx, a)
if err != nil {
return err
}
if !allow {
return admission.NewForbidden(a, restrictedErr)
}
return nil
}

// Validate determines if the endpoints or endpointslice object should be admitted
func (r *restrictedEndpointsAdmission) Validate(ctx context.Context, a admission.Attributes, _ admission.ObjectInterfaces) error {
if a.GetResource().GroupResource() == kapi.Resource("endpoints") {
return r.endpointsValidate(ctx, a)
} else if a.GetResource().GroupResource() == discovery.Resource("endpointslices") {
return r.sliceValidate(ctx, a)
} else {
return nil
}
}
2 changes: 2 additions & 0 deletions plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,7 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
// resource that is owned by the service and sets blockOwnerDeletion=true in its ownerRef.
rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("services/finalizers").RuleOrDie(),
rbacv1helpers.NewRule("get", "list", "create", "update", "delete").Groups(discoveryGroup).Resources("endpointslices").RuleOrDie(),
rbacv1helpers.NewRule("create").Groups(discoveryGroup).Resources("endpointslices/restricted").RuleOrDie(),
eventsRule(),
},
})
Expand All @@ -173,6 +174,7 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
// see https://github.com/openshift/kubernetes/blob/8691466059314c3f7d6dcffcbb76d14596ca716c/pkg/controller/endpointslicemirroring/utils.go#L87-L88
rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("endpoints/finalizers").RuleOrDie(),
rbacv1helpers.NewRule("get", "list", "create", "update", "delete").Groups(discoveryGroup).Resources("endpointslices").RuleOrDie(),
rbacv1helpers.NewRule("create").Groups(discoveryGroup).Resources("endpointslices/restricted").RuleOrDie(),
eventsRule(),
},
})
Expand Down
12 changes: 12 additions & 0 deletions plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -510,6 +510,12 @@ items:
- get
- list
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices/restricted
verbs:
- create
- apiGroups:
- ""
- events.k8s.io
Expand Down Expand Up @@ -560,6 +566,12 @@ items:
- get
- list
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices/restricted
verbs:
- create
- apiGroups:
- ""
- events.k8s.io
Expand Down