From 30c38a0179c57656ec367d22df9e6c0165a40844 Mon Sep 17 00:00:00 2001
From: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
Date: Thu, 22 Aug 2024 14:49:12 -0700
Subject: [PATCH 1/2] Security exposure related to the token
The installation playbook saves the token into the systemd unit configuration file /etc/systemd/system/k3s.service. The problem is that according to K3s' documentation "the server token should be guarded carefully" (https://docs.k3s.io/cli/token), yet the configuration file is readable by anybody. A better solution is to save the token into its corresponding environment file /etc/systemd/system/k3s.service.env which is readable by the super user only. This is what the standard K3s' installation script (https://get.k3s.io) does.
Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
---
 roles/k3s_agent/tasks/main.yml | 9 +++++++++
 roles/k3s_agent/templates/k3s-agent.service.j2 | 2 +-
 roles/k3s_server/tasks/main.yml | 16 ++++++++++++++++
 .../templates/k3s-cluster-init.service.j2 | 2 +-
 roles/k3s_server/templates/k3s-ha.service.j2 | 2 +-
 roles/k3s_server/templates/k3s-single.service.j2 | 2 +-
 6 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/roles/k3s_agent/tasks/main.yml b/roles/k3s_agent/tasks/main.yml
index 9ff7a2869..66c943d3c 100644
--- a/roles/k3s_agent/tasks/main.yml
+++ b/roles/k3s_agent/tasks/main.yml
@@ -35,6 +35,15 @@
 INSTALL_K3S_EXEC: "agent"
 changed_when: true

+ - name: Add the token and first server URL for joining the cluster to the environment
+ no_log: true # avoid logging the server token
+ ansible.builtin.lineinfile:
+ path: "{{ systemd_dir }}/k3s-agent.service.env"
+ line: "{{ item }}"
+ with_items:
+ - "K3S_TOKEN={{ token }}"
+ - "K3S_URL=https://{{ api_endpoint }}:{{ api_port }}"
+
 - name: Copy K3s service file
 register: k3s_agent_service
 ansible.builtin.template:
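Review bot: The new lineinfile task never sets the env file's mode, so the token is only as private as `{{ systemd_dir }}/k3s-agent.service.env` already happens to be — lineinfile creates nothing by default (the task fails if the file is absent), and with `create: true` the file would be created under the default umask, normally world-readable, which undercuts the commit message's claim that it is readable by the super user only. The task also has no `regexp`, so a rotated token appends a second `K3S_TOKEN=` line rather than replacing the old one, leaving the previous secret in the file. Both points apply to the two tasks this commit adds in roles/k3s_server/tasks/main.yml (the hunks at -86 and -174); there a preceding `extra_service_envs` task presumably writes the same file, which may cover creation but not the mode. A key/value loop with `regexp: "^{{ item.key }}="`, `create: true` and `mode: "0600"` addresses all three, as below.
```yaml
- name: Add the token and first server URL for joining the cluster to the environment
  no_log: true  # avoid logging the server token
  ansible.builtin.lineinfile:
    path: "{{ systemd_dir }}/k3s-agent.service.env"
    regexp: "^{{ item.key }}="
    line: "{{ item.key }}={{ item.value }}"
    create: true
    mode: "0600"
  with_items:
    - key: K3S_TOKEN
      value: "{{ token }}"
    - key: K3S_URL
      value: "https://{{ api_endpoint }}:{{ api_port }}"
```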
diff --git a/roles/k3s_agent/templates/k3s-agent.service.j2 b/roles/k3s_agent/templates/k3s-agent.service.j2
index adb39cf48..707cec8b2 100644
--- a/roles/k3s_agent/templates/k3s-agent.service.j2
+++ b/roles/k3s_agent/templates/k3s-agent.service.j2
@@ -26,4 +26,4 @@ RestartSec=5s
 ExecStartPre=/bin/sh -xc '! /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service'
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s agent --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} --token {{ token }} {{ extra_agent_args }}
+ExecStart=/usr/local/bin/k3s agent --data-dir {{ k3s_server_location }} {{ extra_agent_args }}
diff --git a/roles/k3s_server/tasks/main.yml b/roles/k3s_server/tasks/main.yml
index bad7f6899..f0cd2f6d0 100644
--- a/roles/k3s_server/tasks/main.yml
+++ b/roles/k3s_server/tasks/main.yml
@@ -86,6 +86,13 @@
 line: "{{ item }}"
 with_items: "{{ extra_service_envs }}"

+ # Add the token to the environment.
+ - name: Add token as an environment variable
+ no_log: true # avoid logging the server token
+ ansible.builtin.lineinfile:
+ path: "{{ systemd_dir }}/k3s.service.env"
+ line: "K3S_TOKEN={{ token }}"
+
 - name: Restart K3s service
 when:
 - ansible_facts.services['k3s.service'] is defined
@@ -174,6 +181,15 @@
 - (groups[server_group] | length) > 1
 - inventory_hostname != groups[server_group][0]
 block:
+ - name: Add the token and first server URL for joining the cluster to the environment
+ no_log: true # avoid logging the server token
+ ansible.builtin.lineinfile:
+ path: "{{ systemd_dir }}/k3s.service.env"
+ line: "{{ item }}"
+ with_items:
+ - "K3S_TOKEN={{ token }}"
+ - "K3S_URL=https://{{ api_endpoint }}:{{ api_port }}"
+
 - name: Copy K3s service file [HA]
 when: not use_external_database
 ansible.builtin.template:
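Review bot: The trimmed ExecStart relies on systemd exporting K3S_TOKEN and K3S_URL from `{{ systemd_dir }}/k3s-agent.service.env`, yet nothing in the hunk loads that file; unless the template already carries an `EnvironmentFile=` line for it above the hunk, the agent starts with neither token nor server and cannot join. The server role's existing `extra_service_envs` task suggests the env file is already wired into the units, but that is inferred rather than visible here, so it is worth confirming for this template and for the three server templates changed in this commit (k3s-cluster-init, k3s-ha, k3s-single). If the directive is missing, `EnvironmentFile=-{{ systemd_dir }}/k3s-agent.service.env` in the [Service] section is the one-line fix. The unit's [Service] section begins outside the hunk.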
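Review bot: The `# Add the token to the environment.` comment on the first added line of the -86 hunk restates the task's `name:` and can be dropped; neither of the other two tasks this commit adds carries one. More substantively, the task is placed directly ahead of "Restart K3s service", whose `when:` list continues outside the hunk; if that condition is not driven by this task's result, a changed token lands in the env file but the running service keeps the old one until it is restarted for some other reason. Registering the result (`register: k3s_token_env`) and folding `k3s_token_env is changed` into the restart condition would close that gap, assuming the condition does not already cover it.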
diff --git a/roles/k3s_server/templates/k3s-cluster-init.service.j2 b/roles/k3s_server/templates/k3s-cluster-init.service.j2
index 0b793058e..ff4306153 100644
--- a/roles/k3s_server/templates/k3s-cluster-init.service.j2
+++ b/roles/k3s_server/templates/k3s-cluster-init.service.j2
@@ -25,4 +25,4 @@ Restart=always
 RestartSec=5s
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server --cluster-init --data-dir {{ k3s_server_location }} --token {{ token }} {{ extra_server_args }}
\ No newline at end of file
+ExecStart=/usr/local/bin/k3s server --cluster-init --data-dir {{ k3s_server_location }} {{ extra_server_args }}
diff --git a/roles/k3s_server/templates/k3s-ha.service.j2 b/roles/k3s_server/templates/k3s-ha.service.j2
index bf61e62cb..60b284b83 100644
--- a/roles/k3s_server/templates/k3s-ha.service.j2
+++ b/roles/k3s_server/templates/k3s-ha.service.j2
@@ -25,4 +25,4 @@ Restart=always
 RestartSec=5s
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} --token {{ token }} {{ extra_server_args }}
\ No newline at end of file
+ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ extra_server_args }}
diff --git a/roles/k3s_server/templates/k3s-single.service.j2 b/roles/k3s_server/templates/k3s-single.service.j2
index 869093945..60b284b83 100644
--- a/roles/k3s_server/templates/k3s-single.service.j2
+++ b/roles/k3s_server/templates/k3s-single.service.j2
@@ -25,4 +25,4 @@ Restart=always
 RestartSec=5s
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} --token {{ token }} {{ extra_server_args }}
\ No newline at end of file
+ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ extra_server_args }}
From 7230e32ebc7371eaeaac7f52c763444a7335f5ea Mon Sep 17 00:00:00 2001
From: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
Date: Tue, 27 Aug 2024 12:00:03 -0700
Subject: [PATCH 2/2] Restore the server URL into systemd configuration file
There aren't any security implications in keeping it there.
Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
---
 roles/k3s_agent/tasks/main.yml | 3 +--
 roles/k3s_agent/templates/k3s-agent.service.j2 | 2 +-
 roles/k3s_server/tasks/main.yml | 3 +--
 roles/k3s_server/templates/k3s-ha.service.j2 | 2 +-
 4 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/roles/k3s_agent/tasks/main.yml b/roles/k3s_agent/tasks/main.yml
index 66c943d3c..8db49c09c 100644
--- a/roles/k3s_agent/tasks/main.yml
+++ b/roles/k3s_agent/tasks/main.yml
@@ -35,14 +35,13 @@
 INSTALL_K3S_EXEC: "agent"
 changed_when: true

- - name: Add the token and first server URL for joining the cluster to the environment
+ - name: Add the token for joining the cluster to the environment
 no_log: true # avoid logging the server token
 ansible.builtin.lineinfile:
 path: "{{ systemd_dir }}/k3s-agent.service.env"
 line: "{{ item }}"
 with_items:
 - "K3S_TOKEN={{ token }}"
- - "K3S_URL=https://{{ api_endpoint }}:{{ api_port }}"

 - name: Copy K3s service file
 register: k3s_agent_service
diff --git a/roles/k3s_agent/templates/k3s-agent.service.j2 b/roles/k3s_agent/templates/k3s-agent.service.j2
index 707cec8b2..4d0bad5ae 100644
--- a/roles/k3s_agent/templates/k3s-agent.service.j2
+++ b/roles/k3s_agent/templates/k3s-agent.service.j2
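Review bot: With K3S_URL gone, `with_items:` now loops over a single fixed string; writing `line: "K3S_TOKEN={{ token }}"` directly and dropping the loop reads more plainly and matches the first-server token task the previous commit adds at -86 of roles/k3s_server/tasks/main.yml. The HA-join task in this commit's roles/k3s_server/tasks/main.yml hunk has the same shape. A host provisioned with the previous revision also keeps its `K3S_URL=` line in the env file, since nothing removes it; that is presumably harmless once `--server` is back on the command line, but a `state: absent` lineinfile matching `^K3S_URL=` would keep the file consistent with what the role now intends.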
@@ -26,4 +26,4 @@ RestartSec=5s
 ExecStartPre=/bin/sh -xc '! /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service'
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s agent --data-dir {{ k3s_server_location }} {{ extra_agent_args }}
+ExecStart=/usr/local/bin/k3s agent --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ extra_agent_args }}
diff --git a/roles/k3s_server/tasks/main.yml b/roles/k3s_server/tasks/main.yml
index f0cd2f6d0..466d56e20 100644
--- a/roles/k3s_server/tasks/main.yml
+++ b/roles/k3s_server/tasks/main.yml
@@ -181,14 +181,13 @@
 - (groups[server_group] | length) > 1
 - inventory_hostname != groups[server_group][0]
 block:
- - name: Add the token and first server URL for joining the cluster to the environment
+ - name: Add the token for joining the cluster to the environment
 no_log: true # avoid logging the server token
 ansible.builtin.lineinfile:
 path: "{{ systemd_dir }}/k3s.service.env"
 line: "{{ item }}"
 with_items:
 - "K3S_TOKEN={{ token }}"
- - "K3S_URL=https://{{ api_endpoint }}:{{ api_port }}"

 - name: Copy K3s service file [HA]
 when: not use_external_database
diff --git a/roles/k3s_server/templates/k3s-ha.service.j2 b/roles/k3s_server/templates/k3s-ha.service.j2
index 60b284b83..131f590e9 100644
--- a/roles/k3s_server/templates/k3s-ha.service.j2
+++ b/roles/k3s_server/templates/k3s-ha.service.j2
@@ -25,4 +25,4 @@ Restart=always
 RestartSec=5s
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ extra_server_args }}
+ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ extra_server_args }}