KEP: hardened exec requests

[tallclair]

Harden exec requests against SSRF vulnerabilities. See kubernetes/kubernetes#92914 for motivation.

For #1898.

/sig node api-machinery
/area security

/cc @liggitt @cjcullen @mtaufen

[k8s-ci-robot]

@tallclair: The label(s) area/security cannot be applied, because the repository doesn't have them

In response to this:

Harden exec requests against SSRF vulnerabilities. See kubernetes/kubernetes#92914 for motivation.

For #1898.

/sig node api-machinery
/area security

/cc @liggitt @cjcullen @mtaufen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sftim]

Aside: if you wanted to preserve the UID checking behavior, it might be feasible to make up a conditional header If-UID: and fail requests where that's set and not the same as the running Pod's UID.

[tallclair]

I don't think it's used anywhere. It would be easy enough to add this approach later if a use case arose.

[sftim]

https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#websockets-and-spdy says:

Clients should use the SPDY protocols if their clients have native support, or WebSockets as a fallback.
…
In the future, an HTTP/2 implementation will be exposed that deprecates SPDY.

Is that still accurate?

[sftim]

I'm not clear on why some clients (browsers?) aren't able to use POST + WebSocket - it'd be nice to have that clarified.

[liggitt]

correct. browsers don't allow controlling the http method when opening a websocket

[sftim]

I think I get it. If I'm right, the challenge here is that the client sends a single request to the API server that is both an upgrade request and request for a command execution. But I'm not sure I've understood, even after re-reading several times.

I haven't looked at the API here because I don't think there's documentation on how this works. The upgrade to WebSocket includes the exec request in its query string. So the options could include:

1. Retain current behavior because it's not vulnerable to this attack (?)
2. POST requesting an exec, API server returns a WebSocket URI, client send a (GET) Upgrade: to open that WebSocket, continue conversation over WebSocket
3. Client requests a WebSocket, upgrade happens, and then within the WebSocket stream request an exec

I couldn't be sure I've understood what this section is calling for. With that in mind, would you be willing @tallclair to reword this to clarify?

[tallclair]

1. It is vulnerable to attack, but by locking it down to only websocket requests, it makes it harder to exploit (especially in environments where websockets aren't used).
2. This is similar to the approach we previously took for the apiserver <-> CRI communications. I like the idea, but it's also a breaking change. We could skip the caching layer that we used in the CRI implementation by just signing the request parameters (i.e. POST request to get the signed query params, follow up with the GET including the signature)
3. I'm not familiar enough with the websocket protocol to know how complicated this would be. It's certainly feasible, but as it's also a breaking change I'm not sure how it compares with Role-based access control (RBAC) #2

I'll update the KEP with these alternatives.

[tallclair]

Updated with these options.

[liggitt]

What does a browser do if it is redirected from an https://... endpoint to a wss://... endpoint? Does it open a websocket request?

[sftim]

GET (and other HTTP verbs) don't have any meaning for WebSockets, so I think the browser will error out.
(untested)

[tallclair]

I haven't tested it, but the redirected request would be missing the required headers for the opening handshake, so I assume it wouldn't work. https://tools.ietf.org/html/rfc6455#section-1.3

[tallclair]

Thinking about this more, I have a strong preference for "alternative 1" (hash of request as a subprotocol). Alternative 2 (exec token request) would require managing a signing key and option 3 (make request over the websocket connection) would be a much larger change. Since headers can't be modified on a redirect, I think the hash approach provides sufficient protection with minimal changes on the client & server side. We just need a well-defined serialized input for the hash function. Then the question is whether we want to tie this to the HardenedExecRequests feature gate.

[knight42]

@tallclair I just noticed this KEP when I am drafting #1908. Would it help if we make kubectl not follow redirects by default?

[tallclair]

Yes, I think these 2 approaches are complementary, and we should pursue both.

[tallclair]

/assign @liggitt

[derekwaynecarr]

/assign

I won’t be able to read in depth until next week.

[liggitt]

a few initial questions

[liggitt]

does this match current behavior?

[tallclair]

The current behavior completely ignores the request body. Only the query parameters are used.

[liggitt]

What does a browser do if it is redirected from an https://... endpoint to a wss://... endpoint? Does it open a websocket request?

[mlbiam]

A few thoughts:

1. Agree that there shouldn't be any redirects followed.
2. I really like the idea of using a POST with any API call to initiate the request, even if it's breaking. The current method of using a combination of request parameters and headers is really painful to implement. I spent days looking through the code and test cases to try to decipher it.

i can setup a quick test to answer @liggitt question about what browsers will do on a redirect from a GET to wss://. My guess is it will just follow it.

[tallclair]

Thanks @mlbiam !

i can setup a quick test to answer @liggitt question about what browsers will do on a redirect from a GET to wss://. My guess is it will just follow it.

If you get a chance to test this, that would be great! I think a redirect from a https:// URL to a wss:// URL will be rejected because it doesn't have the correct headers, but I'm guessing a redirect from wss:// to wss:// will work.

[mlbiam]

@tallclair

I think a redirect from a https:// URL to a wss:// URL will be rejected because it doesn't have the correct headers

That brings up a really good question. Does it matter if a redirect works? A redirect from a GET to wss:// would only ever happen from a js library inside of a browser, right? just a simple 302 from the url bar wouldn't do much to your point.

[tallclair]

If the redirect works, it's more important that we get redirect protection on websocket requests. If the redirect doesn't work, we might be able to treat them as their own thing.

[derekwaynecarr]

I think the open questions are addressable after the alpha phase, and this has sufficient detail to move forward.

/approve
/lgtm

[derekwaynecarr]

I agree with this goal, my fear is that it may not have been honored ;-)

[derekwaynecarr]

for the history buffs, i think this links back to 2016 when we moved away from it.
kubernetes/kubernetes#24921

[derekwaynecarr]

I agree that POST is also semantically better because a GET should not have changed system state.

[derekwaynecarr]

I am inclined to just remove it. We gave no version guarantee on the endpoint.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: derekwaynecarr, tallclair

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/sig-node/OWNERS [derekwaynecarr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[liggitt]

2. I really like the idea of using a POST with any API call to initiate the request, even if it's breaking

If that comment refers to the kubelet API, we can do that assuming the kube-apiserver is the only client.

If that comment refers to the kube-apiserver API, then requiring a POST breaks existing browser websocket clients with no recourse.