feat: add kubelet systemd service hardening option

[alegrey91]

What type of PR is this?

/kind feature

What this PR does / why we need it:

Improve security of kubelet service, minimizing access through systemd.

Which issue(s) this PR fixes:

Fixes #9107

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Add kubelet systemd service hardening option `kubelet_systemd_hardening: [true|false]`

[k8s-ci-robot]

Hi @alegrey91. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[cristicalin]

We may be dealing with multi-homed hosts which have dedicated management interfaces (think ssh access only) and use a separate interface for kubelet traffic. This hardening setup should allow to bind to dedicated interfaces IMHO.

[alegrey91]

Hi @cristicalin,
tell me know if I understand correctly.
Actually you don't need to bind a dedicated interface for kubelet.
The systemd service set a dedicated firewall just for the running binary (in this case kubelet).
If you try to access ssh, you are free to do this because the firewall does not intervene on the ssh incoming packets.

Here's the example:
From the control plane node, we run a python -m http.server 9999 (not managed by the systemd service), and from an external machine, we run this:

curl --max-time 5 http://10.0.126.110:9999/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
<hr>
<ul>
</ul>
<hr>
</body>
</html>

Then, always from the control plane node, we start the systemd service for kubelet. From an external machine we run this:

curl --max-time 5 -k https://10.0.126.110:10250/pods/
curl: (28) Connection timed out after 5001 milliseconds

As you can see, in the second example, the systemd firewall is intervening only on kubelet service, blocking the incoming packets. The other packets, instead, are not interested by the firewall.

[cristicalin]

What I meant was on this line:

{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_host']) | join(' ') }}

You are making the assumption that only the main interface is used where the deployer may want to have the kubelet interface set to a different interface. ansible_host is the IP on which the ansible controller connects to the host which may not be the IP that the deployer wants to use for this type of traffic.

[alegrey91]

Ok, now I got your point.
So, essentially we should list the IPs used by the kube-apiserver, instead of the ansible_host variable.
This because the kube-apiserver is the only component that communicates with the kubelet.

[alegrey91]

@cristicalin do you have suggestions on how to retrieve this information? I'm stuck here

[alegrey91]

What if we set the kubelet_secure_address as {{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_host'] | join(' ') }} by default, so the user should not deal with this variable in a common case. Instead, when needed, it can be changed.
In case the user bound the kube-apiserver to a different interface (that is not the one used by ansible), it should just define the variable in this way: kubelet_secure_address="172.16.23.10 172.16.23.11 172.16.23.12".

[cristicalin]

You should be mindful of variable precedence if doing that but I'd like to see an example of how the code would look like.

[alegrey91]

I updated the code. Take a look and let me know what do you think :)

[alegrey91]

The variable that you suggested is defined like so:

 kubelet_secure_address: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_host']) | join(' ') }}"

You can just override it in this way:

kubelet_secure_address: "172.16.23.10 172.16.23.11 172.16.23.12"

[alegrey91]

Sorry @cristicalin, did you take a look at the code?

[oomichi]

Nice work

/ok-to-test
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alegrey91, oomichi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [oomichi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[cristicalin]

The variable name is singular and the example is in the plural, this is confusing, the example should make it clear how to set these either on a per node basis and change the way the list is compiled or rename the variable to the plural and explain that the variable is a list of addresses from the secure interface of each node.

[alegrey91]

Yes, probably the variable should be renamed in kubelet_secure_addresses.

[cristicalin]

Since this patch can affect the way kube-apiserver talks to the kubelets, I think it would be nice to include a diagram explaining the connectivity flow and how it can be moved to a dedicated interface.

[alegrey91]

Since this patch can affect the way kube-apiserver talks to the kubelets, I think it would be nice to include a diagram explaining the connectivity flow and how it can be moved to a dedicated interface.

Yes, I agree. Where should I insert the diagram?
What to you think about this?

[cristicalin]

Hi @alegrey91 , please rebase this PR on latest state of the master branch to be able to pass the CI tests.

You can place the diagram as an image in docs/img and inline it in hardening.md.

[alegrey91]

Hi @cristicalin, I just rebased and added the diagram. Thanks for your help with the PR :)

[cristicalin]

Thanks @alegrey91

/lgtm

[alegrey91]

Thanks @cristicalin and @oomichi