Securing Controller Manager and Scheduler Metrics

最新推荐文章于 2024-05-16 16:55:45 发布
最新推荐文章于 2024-05-16 16:55:45 发布
阅读量478 收藏
点赞数
分类专栏: K8S
原文链接:https://octetz.com/docs/2018/2018-12-05-securing-controller-and-scheduler/
版权
K8S 专栏收录该内容
104 篇文章 133 订阅
订阅专栏

I've been looking into interacting with the secure (tls) ports for the kube-scheduler and kube-controller-manager and wanted to share my findings.

Video Walkthrough:

Click here to watch the video version of this content.

Based on the 1.12 changelog, secure serving on 10257 to the kube-controller-manager is enabled:

Secure serving on port 10257 to kube-controller-manager (configurable via –secure-port) is now enabled. Delegated authentication and authorization are to be configured using the same flags as for aggregated API servers. Without configuration, the secure port will only allow access to /healthz. (#64149, @sttts) Courtesy of SIG API Machinery, SIG Auth, SIG Cloud Provider, SIG Scheduling, and SIG Testing

Based on the 1.13 changelog secure serving on 10259 to the kube-scheduler is enabled:

Added secure port 10259 to the kube-scheduler (enabled by default) and deprecate old insecure port 10251. Without further flags self-signed certs are created on startup in memory. (#69663, @sttts)

With the kube-controller-manager running, we can call the pod IP and verify /healthz is available.

curl https://10.30.0.12:10257/healthz -k

ok

When calling the /metrics endpoint, you'll get less satisfying results.

curl https://10.30.0.12:10257/metrics -k

Internal Server Error: "/metrics": subjectaccessreviews.authorization.k8s.io is forbidden: User "system:kube-controller-manager" cannot create resource "subjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope

You might wonder why this path/resource is different than /healthz. It turns out /healthz is automatically set for authorization to always allow it. By setting --authorization-always-allow-paths=/healthz,/metrics on the kube-controller-manager, we can get /metrics to behave the same. Instead, let's force authorization of the client to ensure not just anyone can scrape these system components.

We want kube-controller-manager to delegate authorization decisions to kube-apiserver. It does this by sending a SubjectAccessReview.

kube-controller-manager must be bound to the existing system:auth-delegator ClusterRole.

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: system:kube-controller-manager:auth-delegate
subjects:
- kind: User
  name: system:kube-controller-manager
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:auth-delegator
  apiGroup: rbac.authorization.k8s.io

After applying the ClusterRoleBinding, request the metrics endpoint. It will now show we cannot access the /metrics url.

curl https://10.30.0.12:10257/metrics -k

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/metrics\"",
  "reason": "Forbidden",
  "details": {

  },
  "code": 403
}

For this example, let's give default:default (<namespace>:<service-account>) access to the /metrics nonResourceURLs. Normally you'd be providing this access to a Prometheus service account.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secure-metrics-scrape
rules:
- apiGroups:
  - ""
  resources:
  - nodes/metrics
  verbs:
  - get
- nonResourceURLs:
  - /metrics
  verbs:
  - get

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metrics-endpoint
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: secure-metrics-scrape
subjects:
- kind: ServiceAccount
  name: default
  namespace: default

Retrieve the default:default token into an environment variable.

TOKEN=$(kubectl describe secret $(kubectl get secrets -n default | grep ^default | cut -f1 -d ' ') | grep -E '^token' | cut -f2 -d':' | tr -d " ")

Request the secure metrics endpoint again.

curl https://10.30.0.12:10257/metrics --header "Authorization: Bearer $TOKEN" -k

...
volumes_work_duration{quantile="0.5"} NaN
volumes_work_duration{quantile="0.9"} NaN
volumes_work_duration{quantile="0.99"} NaN
volumes_work_duration_sum 0
volumes_work_duration_count 0

Hopefully this provides a better idea of how secure port communication and authorization works. You can take these learnings and setup secure interactions from clients like Prometheus.

转载至https://octetz.com/docs/2018/2018-12-05-securing-controller-and-scheduler/

victoruu
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
【Kubernetes】 configmaps is forbidden User system:anonymous cannot list resource configmaps
九师兄
07-01 3385
1.背景 mac安装Kubernetes后登录报错 【Docker】Mac下Docker启动Kubernetes 给匿名用户授权即可解决,测试环境可用此快速解决 (base) lcc@lcc kubernetes$ kubectl create clusterrolebinding test:anonymous --clusterrole=cluster-admin --user=system:anonymous clusterrolebinding.rbac.authorization.k8s.io/.
Hacking and Securing iOS Applications 无水印pdf
09-25
Hacking and Securing iOS Applications 英文无水印pdf pdf所有页面使用FoxitReader和PDF-XChangeViewer测试都可以打开 本资源转载自网络,如有侵权,请联系上传者或csdn删除 本资源转载自网络,如有侵权,请...
Kube-Scheduler配置与源码分析
a1023934860的博客
06-13 654
在kubernetes中,组件的配置文件格式都推荐使用yaml格式,scheduler也不例外。下面是scheduler启动时所需要的全局配置类。 源码分析 请牢记上面的配置信息,这样便于在阅读代码时知其所以然。在启动时,第一步必然是对配置信息进行解析,校验,填充等工作。 我们重点关注newDefaultComponentConfig(),该方法会创建KubeSchedulerConfiguration类以及对其进行初始化操作,该操作会创建 只是指定了调度器的名称,但是通过该名称就可以检索出需要的调度
解决k8s访问报anonymous cannot get path的问题
云深海阔专栏
06-01 9877
k8s图形界面登录报错如下 { "kind": "Status", "apiVersion": "v1", "metadata": { }, "status": "Failure", "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"", "reason": "Forbidden", "details": { }, "code": 403 } 证书问题,
metrics-server状态是running,但是无法获取集群信息error: Metrics API not available
最新发布
qq_52787609的博客
05-16 352
安装Kuboard之前,使用kubectl top pods是可以得到集群的容器资源占用情况的。但是安装了Kuboard之后,kubectl top pods指令一直无效。下面的内容可以保存为 auth-server.yaml。
Error from server (Forbidden): Forbidden (user=system:anonymous, verb=get, resource=nodes, subresour
qq_46480020的博客
03-25 3478
Error from server (Forbidden): Forbidden (user=system:anonymous, verb=get, resource=nodes, subresource=proxy) K8s Master1节点上查看日志,报错Error [root@master1 ~]# kubectl logs nginx-deployment-5477945587-jwlgz Error from server (Forbidden): Forbidden (user=system:
匿名用户被禁止访问configmaps is forbidden: User "system:anonymous" cannot list resource "configmaps" in API g
wangmiaoyan的博客
11-26 1万+
configmaps is forbidden: User “system:anonymous” cannot list resource “configmaps” in API group “” in the namespace “default” 给匿名用户授权即可解决,测试环境可用此快速解决 kubectl create clusterrolebinding test:anonymous ...
Syngress - Securing Exchange Server and Outlook Web Access.pdf
08-10
Syngress - Securing Exchange Server and Outlook Web Access.pdf
How to Cheat at Deploying and Securing RFID
10-03
As an engineering manager, he has been at the ground floor of several startups. He is the author of the following four books: SCJP Exam for J2SE 5: A Concise and Comprehensive Study Guide for The Sun...
Hacking and Securing iOS Applications
05-13
Hacking and Securing iOS Applications ,主要介绍了ios方面安全与防护方面的问题,主要是分为两个部分: 1.如何hack; 2.如何防护
Securing Exchange Server 2003 and Outlook Web Access
01-07
Securing Exchange Server 2003 and Outlook Web Access
k8s通过Kuboard安装Metrics server报错的解决办法
qq_34168515的博客
05-15 5421
文章目录通过Kuboard安装Metrics server确认 metrics-server 是否正常运行确认 ApiService 是否正常排查步骤1,根据ApiService的日志,查443端口排查步骤2,metrics-server pod日志 查4443端口解决,既然443端口访问不了,那么久访问4443,改造server顺利解决 通过Kuboard安装Metrics server 出现的问题可以参考官网:https://kuboard.cn/install/faq/metrics-server.h
Kubernetes dashboard1.8.0 WebUI安装与配置
热门推荐
Aurora Silent
12-19 3万+
kubernetes-dashboard.yamlapiVersion: v1 kind: ServiceAccount metadata: labels: k8s-app: kubernetes-dashboard addonmanager.kubernetes.io/mode: Reconcile name: kubernetes-dashboard namespac
Kubernetes CKS【10】---Cluster Hardening - Restrict API Access
爱死亡机器人
04-25 729
介绍 Practice - Anonymous Access root@master:~/cks/serviceaccount# curl https://localhost:6443 curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: https://curl.haxx.se/docs/sslcerts.html curl failed to verify
centos7 使用 kubeadm 安装 kubernetes
Man_In_The_Night的博客
11-19 559
centos7 使用 kubeadm 安装 kubernetes 时间: 20191118 系统: CentOS Linux release 7.6.1810 vm: k8s-master: 192.168.116.4 k8s-node01:192.168.116.5 使用最新版的 kubeadm [root@k8s-master ~]# kubeadm config images list W1...
k8s 身份验证
discsthnew的博客
03-24 4410
译自官方文档: https://kubernetes.io/docs/admin/authentication/#users-in-kubernetes Users in Kubernetes 认证策略 X509 客户端证书 Static Token File 使用token请求 Bootstrap Tokens 静态密码文件 Service Account Tokens OpenID ...
Windows System Error Codes (exit codes)
lovenjoy的专栏
09-02 7901
Improve your productivity and save time.  Let your system work for you. Description The Command and WinCommand task sometimes do not return any error messages, when your batch files fail.  These t
k8s之service account
fengcai_ke的博客
07-11 3396
k8s service account分析
securing the quality of supplies
05-13
保证供应品质需要从供应链的设计、采购、供应商管理、物料检测等方面进行综合管理。首先,应根据公司的产品战略和需求设计供应链,确定合适的物料策略、供应商策略和库存策略。在采购过程中,应对供应商进行严格审查...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值