Merge pull request #38709 from luxas/fix_auth_kubeadm

Automatic merge from submit-queue

Set --anonymous-auth to false on v1.5 clusters to preserve the locked-down v1.4 behaviour

From discussions with sig-auth-people.

Without this patch, anyone can do basically anything, because the apiserver in v1.5 mode is unprotected: kubeadm doesn't configure any ABAC/RBAC authorizers.

@mikedanese @justinsb @deads2k @kubernetes/sig-cluster-lifecycle
Kubernetes Submit Queue 2016-12-13 08:45:38 -08:00 committed by GitHub
commit a092d8e0f9
2 changed files with 13 additions and 2 deletions


@ -53,7 +53,10 @@ const (
var (
// Minimum version of kube-apiserver that supports --kubelet-preferred-address-types
preferredAddressMinimumVersion = semver.MustParse("1.5.0-beta.2")
preferredAddressAPIServerMinVersion = semver.MustParse("1.5.0")
// Minimum version of kube-apiserver that has to have --anonymous-auth=false set
anonAuthDisableAPIServerMinVersion = semver.MustParse("1.5.0")
)
// WriteStaticPodManifests builds manifest objects based on user provided configuration and then dumps it to disk
@ -303,9 +306,16 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration) []string {
// work on bare-metal where hostnames aren't usually resolvable
// Omit the "v" in the beginning, otherwise semver will fail
k8sVersion, err := semver.Parse(cfg.KubernetesVersion[1:])
if err == nil && k8sVersion.GTE(preferredAddressMinimumVersion) {
// If the k8s version is greater than this version, it supports telling it which way it should contact kubelets
if err == nil && k8sVersion.GTE(preferredAddressAPIServerMinVersion) {
command = append(command, "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname")
}
// This is a critical "bugfix". Any version above this is vulnarable unless a RBAC/ABAC-authorizer is provided (which kubeadm doesn't for the time being)
if err == nil && k8sVersion.GTE(anonAuthDisableAPIServerMinVersion) {
command = append(command, "--anonymous-auth=false")
}
}
// Check if the user decided to use an external etcd cluster
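Review bot: The new `--anonymous-auth=false` gate fails open: it sits inside the `err == nil` branch that follows `semver.Parse(cfg.KubernetesVersion[1:])`, so a KubernetesVersion that does not parse silently skips the flag and the apiserver comes up with anonymous auth enabled, which is exactly the state this commit is meant to close. The parse error is dropped rather than surfaced, and since getAPIServerCommand returns only a []string it cannot report it here; the unparsable-version case should be rejected earlier (configuration validation) or at least be made explicit, e.g. `// err != nil: version unknown, no version-gated flags are added -- callers must validate KubernetesVersion first`. The repeated `err == nil &&` on the two inner conditions is redundant once the outer check is in place and reads as if each were independently guarded; dropping it would make the structure clearer. The enclosing getAPIServerCommand starts before and continues after this hunk, so the exact nesting of the three closing braces cannot be confirmed from here.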


@ -447,6 +447,7 @@ func TestGetAPIServerCommand(t *testing.T) {
"--allow-privileged",
"--advertise-address=foo",
"--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
"--anonymous-auth=false",
"--etcd-servers=http://127.0.0.1:2379",
},
},
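Review bot: The fixture only pins the positive case (a version at or above 1.5.0 gets `--anonymous-auth=false`); nothing in this hunk exercises a pre-1.5 version, where the flag must be absent, or a version string that fails to parse, where the flag is currently skipped. Since this flag is the security boundary for unauthorized API access, a second table entry for a sub-1.5 KubernetesVersion whose expected command omits `--anonymous-auth=false` would lock in the gating behaviour in both directions. TestGetAPIServerCommand's table and body begin outside the hunk, so the existing entries cannot be checked from here.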