What happened?
The Kubernetes API server may include additional RBAC information in Forbidden error messages. Authenticated users may unintentionally obtain information about possible Kubernetes RBAC configuration problems.
What did you expect to happen?
Error messages that do not contain RBAC information.
How can we reproduce it (as minimally and precisely as possible)?
Test 1
kubectl auth can-i create pods -n kube-system --as=system:serviceaccount:default:default
kubectl auth can-i create pods -n kube-system --as=system:anonymous
curl -k https://KUBERNETES_API_SERVER_HOST:KUBERNETES_API_SERVER_PORT/foo
kubectl apply -f - <<EOF
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: test
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated
EOF
kubectl auth can-i create pods -n kube-system --as=system:serviceaccount:default:default
kubectl auth can-i create pods -n kube-system --as=system:anonymous
curl -k https://KUBERNETES_API_SERVER_HOST:KUBERNETES_API_SERVER_PORT/foo
Example results for Test 1:
vagrant@verify-cluster:~$ kubectl auth can-i create pods -n kube-system --as=system:serviceaccount:default:default
no
vagrant@verify-cluster:~$ kubectl auth can-i create pods -n kube-system --as=system:anonymous
Error from server (Forbidden): selfsubjectaccessreviews.authorization.k8s.io is forbidden: User "system:anonymous" cannot create resource "selfsubjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope
vagrant@verify-cluster:~$ curl -k https://c105.containers.test.cloud.ibm.com:31573/foo
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "forbidden: User \"system:anonymous\" cannot get path \"/foo\"",
"reason": "Forbidden",
"details": {},
"code": 403
}vagrant@verify-cluster:~$ kubectl apply -f - <<EOF
> kind: ClusterRoleBinding
> apiVersion: rbac.authorization.k8s.io/v1
> metadata:
>   name: test
> roleRef:
>   apiGroup: rbac.authorization.k8s.io
>   kind: ClusterRole
>   name: test
> subjects:
> - apiGroup: rbac.authorization.k8s.io
>   kind: Group
>   name: system:unauthenticated
> EOF
clusterrolebinding.rbac.authorization.k8s.io/test created
vagrant@verify-cluster:~$
vagrant@verify-cluster:~$ kubectl auth can-i create pods -n kube-system --as=system:serviceaccount:default:default
no
vagrant@verify-cluster:~$ kubectl auth can-i create pods -n kube-system --as=system:anonymous
Error from server (Forbidden): selfsubjectaccessreviews.authorization.k8s.io is forbidden: User "system:anonymous" cannot create resource "selfsubjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io "test" not found
vagrant@verify-cluster:~$ curl -k https://c105.containers.test.cloud.ibm.com:31573/foo
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "forbidden: User \"system:anonymous\" cannot get path \"/foo\": RBAC: clusterrole.rbac.authorization.k8s.io \"test\" not found",
"reason": "Forbidden",
"details": {},
"code": 403
}vagrant@verify-cluster:~$
Test 2 with results: the Kubernetes API server was updated with --anonymous-auth=false.
vagrant@verify-cluster:~$ kubectl auth can-i create pods -n kube-system --as=system:serviceaccount:default:default
no
vagrant@verify-cluster:~$ kubectl auth can-i create pods -n kube-system --as=system:anonymous
Error from server (Forbidden): selfsubjectaccessreviews.authorization.k8s.io is forbidden: User "system:anonymous" cannot create resource "selfsubjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope
vagrant@verify-cluster:~$ curl -k https://c105.containers.test.cloud.ibm.com:31573/foo
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
}vagrant@verify-cluster:~$
vagrant@verify-cluster:~$
vagrant@verify-cluster:~$
vagrant@verify-cluster:~$ kubectl apply -f - <<EOF
> kind: ClusterRoleBinding
> apiVersion: rbac.authorization.k8s.io/v1
> metadata:
>   name: test
> roleRef:
>   apiGroup: rbac.authorization.k8s.io
>   kind: ClusterRole
>   name: test
> subjects:
> - apiGroup: rbac.authorization.k8s.io
>   kind: Group
>   name: system:serviceaccounts
> - apiGroup: rbac.authorization.k8s.io
>   kind: Group
>   name: system:unauthenticated
> EOF
clusterrolebinding.rbac.authorization.k8s.io/test created
vagrant@verify-cluster:~$
vagrant@verify-cluster:~$
vagrant@verify-cluster:~$ kubectl auth can-i create pods -n kube-system --as=system:serviceaccount:default:default
no - RBAC: clusterrole.rbac.authorization.k8s.io "test" not found
vagrant@verify-cluster:~$ kubectl auth can-i create pods -n kube-system --as=system:anonymous
Error from server (Forbidden): selfsubjectaccessreviews.authorization.k8s.io is forbidden: User "system:anonymous" cannot create resource "selfsubjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io "test" not found
vagrant@verify-cluster:~$ curl -k https://c105.containers.test.cloud.ibm.com:31573/foo
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
}vagrant@verify-cluster:~$
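Both tests depend on the same misconfiguration: a binding whose roleRef names a ClusterRole that was never created. The following Python script, added here as an example and not part of the original report, flags such dangling roleRefs in ClusterRoleBindings and RoleBindings; its input is constructed in the shape of `kubectl get ... -o json` items, and the object names and the group list are assumptions.

```python
# Added example (not from the original report): flag RBAC bindings whose roleRef
# names a Role or ClusterRole that does not exist, the misconfiguration used in
# the tests above. Sample data below is constructed in the shape of
# `kubectl get ... -o json` items, not captured from a cluster.

ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "view"}},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "default"}},
]
BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "test"},
     "roleRef": {"kind": "ClusterRole", "name": "test"},  # never created
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "readers", "namespace": "default"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
    {"kind": "RoleBinding", "metadata": {"name": "stale", "namespace": "kube-system"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},  # exists only in "default"
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}]},
]

# Groups that match whole classes of callers, as in the tests above.
BROAD_GROUPS = {"system:unauthenticated", "system:authenticated", "system:serviceaccounts"}


def role_keys(roles):
    """Key each Role/ClusterRole the way a roleRef resolves it (Roles are namespaced)."""
    return {(r["kind"], r["metadata"].get("namespace", ""), r["metadata"]["name"]) for r in roles}


def dangling_bindings(roles, bindings):
    """Return (binding name, missing roleRef, broad groups bound) per unresolvable roleRef."""
    existing = role_keys(roles)
    findings = []
    for b in bindings:
        ref = b["roleRef"]
        # A Role reference resolves in the binding's own namespace; a ClusterRole cluster-wide.
        ns = b["metadata"].get("namespace", "") if ref["kind"] == "Role" else ""
        if (ref["kind"], ns, ref["name"]) in existing:
            continue
        broad = sorted(s["name"] for s in b.get("subjects", [])
                       if s["kind"] == "Group" and s["name"] in BROAD_GROUPS)
        where = f"{ns}/" if ns else ""
        findings.append((b["metadata"]["name"], f'{ref["kind"]} {where}{ref["name"]}', broad))
    return findings


if __name__ == "__main__":
    for binding, missing, broad in dangling_bindings(ROLES, BINDINGS):
        print(f"{binding}: roleRef {missing} not found; broad groups bound: {broad}")
```

A binding that appears in this list with a broad group is exactly the state in which the API server's Forbidden message gains the extra "RBAC: ... not found" suffix shown above.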
Anything else we need to know?
This issue was originally submitted on https://hackerone.com, but was closed. I was told to open an issue here.
Kubernetes version
Tested with Kubernetes versions 1.26.15 and 1.30.0-rc.1, but other versions may also be affected. Testing was done on Kubernetes clusters deployed with IBM Cloud Kubernetes Service.
Cloud provider
None
OS version
None
Install tools
IBM Cloud Kubernetes Service
Container runtime (CRI) and version (if applicable)
None
Related plugins (CNI, CSI, ...) and versions (if applicable)
8 comments
Comment 1
This issue is currently awaiting triage.
If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance. The triage/accepted label can be added by org members by writing /triage accepted in a comment. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Comment 2
/sig-auth
Comment 3
/sig auth
Comment 4
As a mitigation: do not misconfigure your Kubernetes cluster; specifically, do not bind unauthenticated users to a missing ClusterRole.
Comment 5
From the slack thread:
Comment 6
I'll keep this open for a while to get more community feedback, but I don't think we'll change anything here.
Comment 7
My general concern is that there may be additional error information leaking that could be more valuable. I agree this particular example is not very impactful.
Comment 8
> My general concern is that there may be additional error information leaking that could be more valuable. I agree this particular example is not very impactful.
Any error comes from the visitor passed to this method: kubernetes/pkg/registry/rbac/validation/rule.go, lines 179 to 237 in f3a7aa7
func (r *DefaultRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) {
	if clusterRoleBindings, err := r.clusterRoleBindingLister.ListClusterRoleBindings(); err != nil {
		if !visitor(nil, nil, err) {
			return
		}
	} else {
		sourceDescriber := &clusterRoleBindingDescriber{}
		for _, clusterRoleBinding := range clusterRoleBindings {
			subjectIndex, applies := appliesTo(user, clusterRoleBinding.Subjects, "")
			if !applies {
				continue
			}
			rules, err := r.GetRoleReferenceRules(clusterRoleBinding.RoleRef, "")
			if err != nil {
				if !visitor(nil, nil, err) {
					return
				}
				continue
			}
			sourceDescriber.binding = clusterRoleBinding
			sourceDescriber.subject = &clusterRoleBinding.Subjects[subjectIndex]
			for i := range rules {
				if !visitor(sourceDescriber, &rules[i], nil) {
					return
				}
			}
		}
	}

	if len(namespace) > 0 {
		if roleBindings, err := r.roleBindingLister.ListRoleBindings(namespace); err != nil {
			if !visitor(nil, nil, err) {
				return
			}
		} else {
			sourceDescriber := &roleBindingDescriber{}
			for _, roleBinding := range roleBindings {
				subjectIndex, applies := appliesTo(user, roleBinding.Subjects, namespace)
				if !applies {
					continue
				}
				rules, err := r.GetRoleReferenceRules(roleBinding.RoleRef, namespace)
				if err != nil {
					if !visitor(nil, nil, err) {
						return
						// ... remainder of the code omitted here
They all boil down to "unable to get/list one of the four RBAC resources".