Kubernetes forbidden messages may contain RBAC information

gpnt7bae  posted 4 months ago in  Kubernetes
Follow (0) | Answers (8) | Views (66)

What happened?
The Kubernetes API server may include additional RBAC information in forbidden error messages. Authenticated users could unintentionally obtain information about possible Kubernetes RBAC configuration problems.

What did you expect to happen?
Error messages should not contain RBAC information.

How can we reproduce it (as minimally and precisely as possible)?

Test 1

kubectl auth can-i create pods -n kube-system --as=system:serviceaccount:default:default
kubectl auth can-i create pods -n kube-system --as=system:anonymous
curl -k https://KUBERNETES_API_SERVER_HOST:KUBERNETES_API_SERVER_PORT/foo
kubectl apply -f - <<EOF
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: test
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated
EOF
kubectl auth can-i create pods -n kube-system --as=system:serviceaccount:default:default
kubectl auth can-i create pods -n kube-system --as=system:anonymous
curl -k https://KUBERNETES_API_SERVER_HOST:KUBERNETES_API_SERVER_PORT/foo

Sample results for test 1:

vagrant@verify-cluster:~$ kubectl auth can-i create pods -n kube-system --as=system:serviceaccount:default:default
no
vagrant@verify-cluster:~$ kubectl auth can-i create pods -n kube-system --as=system:anonymous
Error from server (Forbidden): selfsubjectaccessreviews.authorization.k8s.io is forbidden: User "system:anonymous" cannot create resource "selfsubjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope
vagrant@verify-cluster:~$ curl -k https://c105.containers.test.cloud.ibm.com:31573/foo
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/foo\"",
  "reason": "Forbidden",
  "details": {},
  "code": 403
}vagrant@verify-cluster:~$ kubectl apply -f - <<EOF
> kind: ClusterRoleBinding
> apiVersion: rbac.authorization.k8s.io/v1
> metadata:
>   name: test
> roleRef:
>   apiGroup: rbac.authorization.k8s.io
>   kind: ClusterRole
>   name: test
> subjects:
> - apiGroup: rbac.authorization.k8s.io
>   kind: Group
>   name: system:unauthenticated
> EOF
clusterrolebinding.rbac.authorization.k8s.io/test created
vagrant@verify-cluster:~$ 
vagrant@verify-cluster:~$ kubectl auth can-i create pods -n kube-system --as=system:serviceaccount:default:default
no
vagrant@verify-cluster:~$ kubectl auth can-i create pods -n kube-system --as=system:anonymous
Error from server (Forbidden): selfsubjectaccessreviews.authorization.k8s.io is forbidden: User "system:anonymous" cannot create resource "selfsubjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io "test" not found
vagrant@verify-cluster:~$ curl -k https://c105.containers.test.cloud.ibm.com:31573/foo
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/foo\": RBAC: clusterrole.rbac.authorization.k8s.io \"test\" not found",
  "reason": "Forbidden",
  "details": {},
  "code": 403
}vagrant@verify-cluster:~$

Test 2, with results: the Kubernetes API server was updated with --anonymous-auth=false

vagrant@verify-cluster:~$ kubectl auth can-i create pods -n kube-system --as=system:serviceaccount:default:default
no
vagrant@verify-cluster:~$ kubectl auth can-i create pods -n kube-system --as=system:anonymous
Error from server (Forbidden): selfsubjectaccessreviews.authorization.k8s.io is forbidden: User "system:anonymous" cannot create resource "selfsubjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope
vagrant@verify-cluster:~$ curl -k https://c105.containers.test.cloud.ibm.com:31573/foo
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
}vagrant@verify-cluster:~$ 
vagrant@verify-cluster:~$ 
vagrant@verify-cluster:~$ 
vagrant@verify-cluster:~$ kubectl apply -f - <<EOF
> kind: ClusterRoleBinding
> apiVersion: rbac.authorization.k8s.io/v1
> metadata:
>   name: test
> roleRef:
>   apiGroup: rbac.authorization.k8s.io
>   kind: ClusterRole
>   name: test
> subjects:
> - apiGroup: rbac.authorization.k8s.io
>   kind: Group
>   name: system:serviceaccounts
> - apiGroup: rbac.authorization.k8s.io
>   kind: Group
>   name: system:unauthenticated
> EOF
clusterrolebinding.rbac.authorization.k8s.io/test created
vagrant@verify-cluster:~$ 
vagrant@verify-cluster:~$ 
vagrant@verify-cluster:~$ kubectl auth can-i create pods -n kube-system --as=system:serviceaccount:default:default
no - RBAC: clusterrole.rbac.authorization.k8s.io "test" not found
vagrant@verify-cluster:~$ kubectl auth can-i create pods -n kube-system --as=system:anonymous
Error from server (Forbidden): selfsubjectaccessreviews.authorization.k8s.io is forbidden: User "system:anonymous" cannot create resource "selfsubjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io "test" not found
vagrant@verify-cluster:~$ curl -k https://c105.containers.test.cloud.ibm.com:31573/foo
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
}vagrant@verify-cluster:~$

Anything else we need to know?
This issue was originally submitted on https://hackerone.com but was closed there. I was told to open an issue here.

Kubernetes version
Tested with Kubernetes versions 1.26.15 and 1.30.0-rc.1, but other versions may also be affected. Testing was done on Kubernetes clusters deployed with IBM Cloud Kubernetes Service.

Cloud provider

OS version

Install tools
IBM Cloud Kubernetes Service

Container runtime (CRI) and version (if applicable)

Related plugins (CNI, CSI, ...) and versions (if applicable)

jq6vz3qz

jq6vz3qz1#

This issue is currently awaiting triage.
If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

zengzsys

zengzsys4#

As a mitigation: do not misconfigure your Kubernetes cluster; specifically, do not bind unauthenticated users to a missing ClusterRole.

4uqofj5v

4uqofj5v6#

I'll keep this open for a while to gather more community feedback, but I don't expect us to make any changes here.

irlmq6kh

irlmq6kh7#

My general concern is that there could be additional error information leaked that might be more valuable. I agree this particular example is not very impactful.

p4rjhz4m

p4rjhz4m8#

> My general concern is that there could be additional error information leaked that might be more valuable. I agree this particular example is not very impactful.

Any errors come from the visitor passed to this method:
kubernetes/pkg/registry/rbac/validation/rule.go
Lines 179 to 237 in f3a7aa7

func (r *DefaultRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) {
	if clusterRoleBindings, err := r.clusterRoleBindingLister.ListClusterRoleBindings(); err != nil {
		if !visitor(nil, nil, err) {
			return
		}
	} else {
		sourceDescriber := &clusterRoleBindingDescriber{}
		for _, clusterRoleBinding := range clusterRoleBindings {
			subjectIndex, applies := appliesTo(user, clusterRoleBinding.Subjects, "")
			if !applies {
				continue
			}
			rules, err := r.GetRoleReferenceRules(clusterRoleBinding.RoleRef, "")
			if err != nil {
				if !visitor(nil, nil, err) {
					return
				}
				continue
			}
			sourceDescriber.binding = clusterRoleBinding
			sourceDescriber.subject = &clusterRoleBinding.Subjects[subjectIndex]
			for i := range rules {
				if !visitor(sourceDescriber, &rules[i], nil) {
					return
				}
			}
		}
	}

	if len(namespace) > 0 {
		if roleBindings, err := r.roleBindingLister.ListRoleBindings(namespace); err != nil {
			if !visitor(nil, nil, err) {
				return
			}
		} else {
			sourceDescriber := &roleBindingDescriber{}
			for _, roleBinding := range roleBindings {
				subjectIndex, applies := appliesTo(user, roleBinding.Subjects, namespace)
				if !applies {
					continue
				}
				rules, err := r.GetRoleReferenceRules(roleBinding.RoleRef, namespace)
				if err != nil {
					if !visitor(nil, nil, err) {
						return
	// part of the code is omitted here ...

They all boil down to "could not get/list one of the four RBAC resources".
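The following Go program is an added example; it is not code from the issue or from kubernetes/kubernetes. It models the path described in the comment above and in the Test 1 / Test 2 reproduction: a binding whose roleRef names a missing ClusterRole produces a lookup error, the resolver records that error and keeps walking the other bindings, and the authorizer either appends the error text to the client-visible forbidden reason (the behaviour in the report) or keeps it in the server log. It also includes the operator-side check for the misconfiguration itself. Everything here is an assumption of the example: the plain structs stand in for the rbacv1 types, appliesTo covers only User and Group subjects, the sample bindings and the names Resolver, Authorize, DanglingBindings and demoResolver are this example's own.

```go
package main

import (
	"fmt"
	"log"
	"strings"
)

type Subject struct{ Kind, Name string } // constructed stand-in for the rbacv1 subject
type Rule struct{ Verbs, Resources []string }
type Binding struct {
	Name, RoleName string // RoleName is the ClusterRole named by roleRef
	Subjects       []Subject
}
type Resolver struct {
	Bindings []Binding
	Roles    map[string][]Rule // ClusterRole name -> rules (stands in for the listers the real resolver uses)
}

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

// appliesTo covers only the User and Group subject kinds of the upstream appliesTo.
func appliesTo(user string, groups []string, subjects []Subject) bool {
	for _, s := range subjects {
		if (s.Kind == "User" && s.Name == user) || (s.Kind == "Group" && contains(groups, s.Name)) {
			return true
		}
	}
	return false
}

// GetRoleReferenceRules fails for a missing ClusterRole with the text seen in the issue.
func (r *Resolver) GetRoleReferenceRules(name string) ([]Rule, error) {
	if rules, ok := r.Roles[name]; ok {
		return rules, nil
	}
	return nil, fmt.Errorf("clusterrole.rbac.authorization.k8s.io %q not found", name)
}

// Authorize records each role lookup error like the visitor in rule.go; leakErrors=true appends them to the reason (the issue), false only logs them.
func (r *Resolver) Authorize(user string, groups []string, verb, resource string, leakErrors bool) (bool, string) {
	var errs []string
	for _, b := range r.Bindings {
		if !appliesTo(user, groups, b.Subjects) {
			continue
		}
		rules, err := r.GetRoleReferenceRules(b.RoleName)
		if err != nil {
			errs = append(errs, err.Error())
			continue // another binding may still allow the request
		}
		for _, rule := range rules {
			if contains(rule.Verbs, verb) && contains(rule.Resources, resource) {
				return true, ""
			}
		}
	}
	reason := fmt.Sprintf("forbidden: User %q cannot %s resource %q", user, verb, resource)
	if len(errs) > 0 && leakErrors {
		reason += ": RBAC: " + strings.Join(errs, ", ")
	} else if len(errs) > 0 {
		log.Printf("RBAC resolver errors while authorizing %q: %s", user, strings.Join(errs, ", "))
	}
	return false, reason
}

// DanglingBindings is the operator-side audit: bindings whose roleRef names a missing ClusterRole.
func (r *Resolver) DanglingBindings() []string {
	var out []string
	for _, b := range r.Bindings {
		if _, err := r.GetRoleReferenceRules(b.RoleName); err != nil {
			out = append(out, b.Name)
		}
	}
	return out
}

// demoResolver is constructed sample data: a valid "view" binding plus the dangling "test" binding from the reproduction.
func demoResolver() *Resolver {
	return &Resolver{
		Roles: map[string][]Rule{"view": {{Verbs: []string{"get", "list"}, Resources: []string{"pods"}}}},
		Bindings: []Binding{
			{Name: "view-authenticated", RoleName: "view", Subjects: []Subject{{"Group", "system:authenticated"}}},
			{Name: "test", RoleName: "test", Subjects: []Subject{{"Group", "system:unauthenticated"}}},
		},
	}
}

func main() {
	r := demoResolver()
	_, reason := r.Authorize("system:anonymous", []string{"system:unauthenticated"}, "create", "pods", true)
	fmt.Printf("current: %s\ndangling: %v\n", reason, r.DanglingBindings())
}
```

With leakErrors=true the anonymous request yields the same shape of message as the report, ending in `RBAC: clusterrole.rbac.authorization.k8s.io "test" not found`; with leakErrors=false the client gets only the generic forbidden reason and the lookup error goes to the server log. Test 2 in the report shows the same text still reaching an authenticated subject through `kubectl auth can-i` after anonymous auth is disabled, so turning off anonymous access only narrows who sees it; removing the dangling binding that DanglingBindings reports is what makes the message go away.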
