-
Notifications
You must be signed in to change notification settings - Fork 209
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
improve security of reboot mechanism #416
Comments
Option 2 is, as you mentioned, about equal to option1B. To our tests, I would say option2 should not be the default option. However, I believe it would be nice to allow people to go for option2 or option3. I feel it's only a slight change to have an option to not wrap with nsenter. You might be interested by #359 for which the security section is relevant for you. |
@evrardjp thanks for the comments! If anything, sending a signal to PID 1 should be the most portable option, in the sense that it has at least some non-zero possibility of working on SysV or other non-systemd systems , unlike
That sounds nice and seems relatively easy. But I wonder if there might be any gotchas with executing /bin/kill (packaged in the kured container image), as opposed to doing Another option would be to have a configurable property --reboot-signal which , if configured, is used instead of --reboot-command, specifying which signal to send to PID 1. What do you think? Either way, the final part would be to actually realize the security benefit by adapting the PSP to grant limited capabilities based on which approach is selected. With Helm that could be done e.g.
or similarly However, if the use_nsenter option would apply to both the reboot command and the sentinel command, the Helm logic could get slightly more complicated. Personally I like the idea of not using an executable command at all to reboot, just send the signal directly, just my 2c. |
My notes are very close to what you're proposing. I used both signals. Even when you think portability isn't a problem with systemd, it actually is. Who really reads what's packaged in the main OSes? Our tests have shown that it sometimes doesn't work. Depends on OS behaviour, apparmor, selinux, etc. Kind + ubuntu without apparmor was not happy last time I tried. I am not against adding this new feature, as long as its properly tested. PS: You should probably check #359 , maybe that could interest you, security wise. Because reducing the scope of the ds isn't a complete solution. PS2: I would say that it's indeed easier to have this in our code. However, the refactoring will be bigger. Not impossible though ;) |
@evrardjp Thanks, I did look at #359 but I think some significant security improvements can be achieved without a major architectural redesign (though that could also have valuable security improvements in its own right).
Certainly. I already tested that SIGINT to PID 1 works as expected and documented on EL7,8. Likewise for SIGRTMIN+5:
If we add a new option that is non-default behaviour, from my point of view as long as kured does what I tell it to do (send the specified signal to PID 1) , it is working correctly, and it is my responsibility (the user) to make sure I configured kured (and my cluster) correctly to have the desired outcome when the nodes receive that signal. Does that seem reasonable?
Okay, do you suggest to proceed with option 2, by signaling in the code and a Thanks! |
I don't see how it can't be done in two PRs, to iterate on this in a "simpler" way. In any case, we can help you with the PRs! :) First PR could tackle adding kill to the kured container, for which you can add tests: It's just a different rebootCommand. That should be a very simple PR. The second PR we could probably remove that kill package from the image, and refactoring the code. That will take a longer time, to define the right refactor. |
@evrardjp Okay thanks! Sorry I am not sure, do you mean for the 1st PR, it would involve basically copying https://github.com/weaveworks/kured/blob/main/tests/kind/follow-coordinated-reboot.sh with a different rebootCommand configured? I'm not sure where the kured config would go in that script. |
This issue was automatically considered stale due to lack of activity. Please update it and/or join our slack channels to promote it, before it automatically closes (in 7 days). |
Still relevant but not sure how to proceed. |
Thank you @rptaylor for the great work detailing the options. Options 1 and 2 allows end-users to run kured without being In terms of next steps, are we happy to proceed with a PR for option 2 that is gated by some sort of feature switch? This would allow for backwards compatibility, so no negative impact on users using the default |
Thanks @pjbgf . As far as I can tell I think a rebootSignal option (non default) would be needed as well as the existing rebootCommand, so that the container can work with only CAP_KILL instead of privileged. I am happy to at least take a stab at that if the maintainers agree. Also if seccomp can limit which kill signals may be sent that could be a possible future improvement, out of scope of current issue. |
This has been an open issue for almost two years now, but there is still no implementation on the issue which I find concerning. We want to run Kured in production clusters but are unable to because the baseline security policy to restrict capabilities cannot be applied to Kured. |
I am pretty sure the team is willing to accept any contributions that improve the security of kured... Keep in mind that it's a tough topic... like many engineering topics, it's all about tradeoffs. I think it's important to know what you want to do with kured, as kured is very flexible. Some of the concerns here can be done without a code change. For the rest, please don't hesitate to contribute too :) |
We're using Kured to restart updated nodes every week during downtime, we get alerts in Teams and are very happy with how it's working. It's only a matter of security or specifically the securitycontext for the daemonset. Since Kured is specifically mentioned in Microsoft Documentation and the use-case for Kured is very useful I was hopeful it was ready for production environments. I would like to contribute but I don't have the Linux expertise and have no downtime. But it's an issue I'm highly anticipating and supporting! |
@evrardjp okay, can we proceed with adding a rebootSignal option then, to send a configurable signal to PID 1 ? |
@rptaylor Yes, I think this would be the best option. |
Going over the code again it seems to me like the best way to proceed IMHO would be: 1st PR
No change in behaviour. 2nd PR
However while reviewing the code I also noticed that although the documentation indicates the default behaviour is to check for existence of a sentinel file, the code nevertheless achieves this by executing a |
For the record I'm a cluster operator not a developer, and I don't know go per se. If someone wants to take a stab at a PR please feel free. Otherwise I could put my copy + paste skills to the test at some point but the refactoring involved to do it properly seems a bit more than I expected at first. |
Hi. What is the status of using Kured without setting |
There's no new status right now @cloud-az. But we need to bring things forward for the security-topic, would be glad if you could help us. |
Just re-read all security-related threads. As discussed in this issue, I think we should start with the implementation of a second reboot-type in addition to the current "command" implementation as described by @rptaylor here. Parallel to that the check logic needs to be adapted with the ro-hostPath approach from #526. TODOs:
I can implement some parts on my own, but I would be happy if someone could help 😉 |
Current state: I've also implemented the first two todos locally and tested it in my home-cluster. The signal in general reboots the server (Ubuntu 20.04 LTS) gracefully, that looks good. However, with this securityContext the command errors with "permission denied": securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- CAP_KILL
drop:
- '*'
privileged: false Does somebody know which other capabilities might be needed? |
Is the process still running as UID 0? The pod will also need hostPID but that was also an old PSP concept. In any case if you set the Pod Security Admission mode to 'warn' it should bypass any of those issues for debugging purposes. |
Thanks for your reply, I will have a more detailed look tomorrow. |
yes The granted capabilities for the container-process are the following,
Neither PSPs nor Pod Security Admission are turned on in the cluster. Edit: Also with |
PR is opened with further testing-instructions: #814 |
An idea:
…
along with
|
@sftim I like that idea, it would only require write privilege to a hostpath , so the container could be fully unprivileged, no need to execute commands or send signals. I didn't know systemd could trigger based on a path, neat. Another reboot method "path" in addition to the "command" and "signal" ones would be needed. That being said, setting up systemd unit files on the node means more of the solution is living outside kured and would need to be configured out of band. However, a systemd timer (like a cron job) would be useful to apply the OS updates in the first place on nodes and set a sentinel flag. So, that would make a valid rationale for cluster admins to be adding systemd files on their nodes already. |
The systemd method could be one option of several, and would suit cluster admins who make (or consume) custom OS images. A custom node image can include a reboot trigger path for Pods to use. |
Hello,
We would really like to use kured but there is reluctance about a fully privileged daemonset that has access to execute arbitrary commands as root on every node. I have reviewed some options that could allow rebooting more securely.
/bin/systemctl reboot
by default) in the host namespace to reboot. Requires full privileges.Comparisons
All the options still require hostPID: true.
Anyway do you think option 2 is at least a clear improvement over 0 and might be suitable as a new default behaviour? And maybe Option 1 A (or B if possible) could be configurable as more secure alternatives?
The text was updated successfully, but these errors were encountered: