/etc/rancher/k3s/k3s.yaml is world readable #389

Closed
mdempsky opened this issue Apr 24, 2019 · 9 comments

Comments

@mdempsky mdempsky commented Apr 24, 2019

Installing k3s via get.k3s.io creates a world readable /etc/rancher/k3s/k3s.yaml file, which appears to contain a plain text admin password.

@ibuildthecloud ibuildthecloud commented Apr 24, 2019

Yeah, we actually did this on purpose but I can see how people wouldn't like it. You can change the file mode of the kubeconfig as a parameter in k3s server. I think the best approach would probably be to create a k3s group and prompt the user to run usermod like docker installation does. The way it's done now was to avoid issue where people install and then can't access kubernetes because they are root. In that situation kubectl gives a useless error saying it can't connect to port 8080.

@mdempsky mdempsky commented Apr 24, 2019

I think the best approach would probably be to create a k3s group and prompt the user to run usermod like docker installation does.

That sounds reasonable to me.

The way it's done now was to avoid issue where people install and then can't access kubernetes because they are root.

Did you mean "unless they are root"? (Just making sure I understand your explanation.)

@ibuildthecloud ibuildthecloud added this to the v0.6.0 milestone Apr 25, 2019
@ibuildthecloud ibuildthecloud commented Apr 25, 2019

I think what I'd like to do here is make the file not world readable and then change the kubectl wrapper code in k3s to try to read /etc/rancher/k3s/k3s.yaml and if it's not accessible issue a warning. kubectl might still fail but it will at least help the user to know that maybe they need to run as root. In the warning message we can indicate the server can be launched with --write-kubeconfig-mode to change the permission.

@tfiduccia tfiduccia commented May 30, 2019

Version - v0.6.0-rc3
Verified fixed

@tfiduccia tfiduccia closed this May 30, 2019
@milosonator milosonator commented Jun 19, 2019

For most installations now all kubectl commands have to be executed with root access or increase the privileges of /etc/rancher/k3s/k3s.yaml, this was really the intended behavior? I guess most users will want to do that.

Also, there seems to be no documentation around --write-kubeconfig-mode, so I don't know how to use it. How do I use that flag?

@rcarmo rcarmo commented Jun 19, 2019

Same here. I was caught unaware and updated one of my clusters, and --write-kubeconfig-mode is not documented. Should I specify it during the initial install, edit the systemd unit... what?

@mattiaperi mattiaperi commented Jun 19, 2019

Hi all, I found how to use the new flag:

  • using --write-kubeconfig-mode 644
$ curl -sfL https://get.k3s.io | sh -s - --write-kubeconfig-mode 644
  • using the variable K3S_KUBECONFIG_MODE
$ curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" sh -s -
@blazespinnaker blazespinnaker commented Aug 5, 2019

I think this broke the quick start on https://k3s.io/

curl -sfL https://get.k3s.io | sh -
[INFO] Finding latest release
[INFO] Using v0.7.0 as release
[INFO] Downloading hash https://github.com/rancher/k3s/releases/download/v0.7.0/sha256sum-amd64.txt
[INFO] Downloading binary https://github.com/rancher/k3s/releases/download/v0.7.0/k3s
[INFO] Verifying binary download
[INFO] Installing k3s to /usr/local/bin/k3s
[INFO] Creating /usr/local/bin/kubectl symlink to k3s
[INFO] Creating /usr/local/bin/crictl symlink to k3s
[INFO] Creating /usr/local/bin/ctr symlink to k3s
[INFO] Creating killall script /usr/local/bin/k3s-killall.sh
[INFO] Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO] env: Creating environment file /etc/systemd/system/k3s.service.env
[INFO] systemd: Creating service file /etc/systemd/system/k3s.service
[INFO] systemd: Enabling k3s unit
Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service.
[INFO] systemd: Starting k3s
tim@tim-GE72MVR-7RG:$ k3s kubectl get node
WARN[2019-08-05T00:47:53.065227180-07:00] Unable to read /etc/rancher/k3s/k3s.yaml, please start server with --write-kubeconfig-mode to modify kube config permissions
error: Error loading config file "/etc/rancher/k3s/k3s.yaml": open /etc/rancher/k3s/k3s.yaml: permission denied
tim@tim-GE72MVR-7RG:$ sudo k3s server &

@steven-tan steven-tan commented Oct 6, 2019

For others struggling with this still (when using the quick run install script on CentOS 7 like me):
curl -sfL https://get.k3s.io | sh -

The command as-is installs fine, but kubectl won't work without using sudo. However, default sudo setup in CentOS 7 does not let you use the default kubectl path. As noted by @mattiaperi above, you can use the --write-kubeconfig-mode 644 trick during install, but this then leaves the file w/the admin stuff world readable.

My solution was to install via default method, and just use visudo to edit the secure_path variable to include /usr/local/bin

Seems to be working fine.
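The thread settles on two alternatives: the 644 mode from @mattiaperi's comment, which @steven-tan notes leaves the admin credentials world readable, and the admin-group approach @ibuildthecloud proposed at the top. The script below is an added example, not code from the k3s project or from anyone in this thread. It checks whether a kubeconfig's mode grants read access to "other", and if so tightens it to 0640 owned by an admin group (or 0600 when no group is given). The group name "k3s" is a placeholder for whatever group you create with groupadd; the example assumes GNU or BSD stat. Since k3s writes k3s.yaml when the server starts (that is what --write-kubeconfig-mode governs), the durable setting is still the install flag; a chmod after the fact is a check and a stopgap, not a replacement for `--write-kubeconfig-mode 640`.

```shell
#!/bin/sh
# Added example (not k3s project code): audit and tighten the mode of a
# k3s kubeconfig so that only root and one admin group can read the
# embedded admin credentials. "k3s" below is an assumed group name.

# Print the octal permission bits of a file, e.g. 644.
# GNU coreutils stat uses -c '%a'; BSD/macOS stat uses -f '%Lp'.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print "yes" if an octal mode such as 644 lets "other" read the file,
# otherwise "no". The leading 0 makes $1 an octal literal in POSIX shell
# arithmetic, so 0644 & 4 is 4 (readable) and 0640 & 4 is 0.
mode_is_world_readable() {
    if [ $(( 0$1 & 4 )) -ne 0 ]; then echo yes; else echo no; fi
}

# Tighten a world-readable kubeconfig. With a group argument the file
# becomes root:group 0640 (the group-based scheme proposed in the thread);
# without one it becomes 0600, readable by root only. Files that are not
# world readable are left untouched. Returns non-zero if stat/chgrp fail.
harden_kubeconfig() {
    path=$1
    group=${2:-}
    mode=$(file_mode "$path") || return 1
    if [ "$(mode_is_world_readable "$mode")" = no ]; then
        echo "$path: mode $mode is not world readable, nothing to do"
        return 0
    fi
    echo "$path: mode $mode is world readable, tightening"
    if [ -n "$group" ]; then
        chgrp "$group" "$path" || return 1
        chmod 0640 "$path"      # owner rw, admin group r, other nothing
    else
        chmod 0600 "$path"      # no admin group: root only
    fi
}

# Typical use on a k3s host (needs root, group "k3s" must already exist):
#   sudo sh -c '. ./harden.sh; harden_kubeconfig /etc/rancher/k3s/k3s.yaml k3s'
# Afterwards non-root admins in group k3s can run kubectl, and the
# "permission denied" from the quick start above goes away for them only.
```

The two read-only helpers are separated from the chmod step so you can drop `file_mode` and `mode_is_world_readable` into a compliance check (for example a cron job or a configuration-management assertion) without ever changing the file; only `harden_kubeconfig` mutates anything.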
