Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Kubernetes Security Assesment: evaluate kubeadm reset problems #1715

Closed
neolit123 opened this issue Aug 7, 2019 · 6 comments
Closed

Kubernetes Security Assesment: evaluate kubeadm reset problems #1715

neolit123 opened this issue Aug 7, 2019 · 6 comments
Assignees
@Klaven
Labels
area/security area/UX kind/bug Categorizes issue or PR as related to a bug. kind/documentation Categorizes issue or PR as related to documentation. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.
Milestone
v1.16

Comments

@neolit123
Copy link
Member

https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/Kubernetes%20Final%20Report.pdf

search for:
Kubeadm performs potentially-dangerous reset operations
Finding ID: TOB-K8S-014

the TL;DR is that reset according to the finding performs a set of Unix-ism unsafe operations.

there are also comments about errors not being returned, but i personally slightly disagree with that because kubeadm reset is best-effort and should not error out on every small error it finds.
@neolit123 neolit123 added kind/bug Categorizes issue or PR as related to a bug. area/security priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. labels Aug 7, 2019
@neolit123 neolit123 added this to the v1.16 milestone Aug 7, 2019
@neolit123 neolit123 mentioned this issue Aug 8, 2019
Closed
@neolit123
Copy link
Member Author

neolit123 commented Aug 13, 2019
edited
Loading

i think we should remove the awk... and replace it with:

// unmountKubeletDirectory unmounts all paths that contain KubeletRunDirectory
func unmountKubeletDirectory() error {
	raw, err := ioutil.ReadFile("/proc/mounts")
	if err != nil {
		return err // fatal error
	}
	mounts := strings.Split(string(raw), "\n")
	for _, mount := range mounts {
		m := strings.Split(mount, " ")
		if len(m) < 2 {
			continue
		}
		if !strings.HasPrefix(m[1], constants.KubeletRunDirectory) {
			continue
		}
		if err := syscall.Unmount(m[1], syscall.MNT_FORCE); err != nil {
			// klog: print warning
		}
	}
	return nil
}

which only happens in a _linux.go file and the _windows.go file is a NOP.

if k8s.io/kubernetes/pkg/util/mount can be used for this and if it's moving to a new repo (i think it is) we can use it, but i rather not block on repos moving for 20 lines of code.
so we can go ahead and make this change and have a potential TODO for the repo.

there are also comments about errors not being returned, but i personally slightly disagree with that because kubeadm reset is best-effort and should not error out on every small error it finds.

i still believe this is true and reset is best effort, unless something odd is going on e.g. missing /proc/mounts.

@neolit123
Copy link
Member Author

document in both the CLI of reset and the k8s.io docs that reset is best effort:
https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-reset/

@neolit123 neolit123 added kind/documentation Categorizes issue or PR as related to documentation. area/UX labels Aug 14, 2019
@stealthybox
Copy link
Member

i think we should remove the awk... and replace it

+1
It's possible to write a more secure shell command using a for-loop instead of xargs.
The go solution is much better.

This was referenced Aug 16, 2019
Merged
Merged
Merged
@0xmichalis
Copy link
Contributor

there are also comments about errors not being returned, but i personally slightly disagree with that because kubeadm reset is best-effort and should not error out on every small error it finds.

At least make sure these errors are logged?

@neolit123
Copy link
Member Author

At least make sure these errors are logged?

a quick check does not reveal any errors that are not reported as warnings.

@neolit123
Copy link
Member Author

this is fixed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Klaven Klaven

Labels
area/security area/UX kind/bug Categorizes issue or PR as related to a bug. kind/documentation Categorizes issue or PR as related to documentation. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.
Projects
None yet
Milestone
v1.16
Development

No branches or pull requests
4 participants
@neolit123 @stealthybox @0xmichalis @Klaven