aws / aws-application-networking-k8s

A Kubernetes controller for Amazon VPC Lattice
https://www.gateway-api-controller.eks.aws.dev/
Apache License 2.0
175 stars 50 forks

Add more settings in k8s yaml to prevent privileges escalation #549

Closed zijun726911 closed 12 months ago

zijun726911 commented 12 months ago

Changes

Test

  1. Verify the privilege-escalation related changes: run make build-deploy and kubectl apply -f deploy.yaml. On one of my EKS worker nodes, check the controller pod's container info with sudo ctr -n k8s.io containers info <aws-gateway-controller container id>.

For the old one it has:

    "process": {
        "user": {
            "uid": 65532,
            "gid": 65532,
            "additionalGids": [
                65532
            ]
        },
        ...
        "capabilities": {
            "bounding": [
                "CAP_CHOWN",
                "CAP_DAC_OVERRIDE",
                "CAP_FSETID",
                "CAP_FOWNER",
                "CAP_MKNOD",
                "CAP_NET_RAW",
                "CAP_SETGID",
                "CAP_SETUID",
                "CAP_SETFCAP",
                "CAP_SETPCAP",
                "CAP_NET_BIND_SERVICE",
                "CAP_SYS_CHROOT",
                "CAP_KILL",
                "CAP_AUDIT_WRITE"
            ],
            "effective": [
                "CAP_CHOWN",
                "CAP_DAC_OVERRIDE",
                "CAP_FSETID",
                "CAP_FOWNER",
                "CAP_MKNOD",
                "CAP_NET_RAW",
                "CAP_SETGID",
                "CAP_SETUID",
                "CAP_SETFCAP",
                "CAP_SETPCAP",
                "CAP_NET_BIND_SERVICE",
                "CAP_SYS_CHROOT",
                "CAP_KILL",
                "CAP_AUDIT_WRITE"
            ],
            "permitted": [
                "CAP_CHOWN",
                "CAP_DAC_OVERRIDE",
                "CAP_FSETID",
                "CAP_FOWNER",
                "CAP_MKNOD",
                "CAP_NET_RAW",
                "CAP_SETGID",
                "CAP_SETUID",
                "CAP_SETFCAP",
                "CAP_SETPCAP",
                "CAP_NET_BIND_SERVICE",
                "CAP_SYS_CHROOT",
                "CAP_KILL",
                "CAP_AUDIT_WRITE"
            ]
        },
        "noNewPrivileges": true,
        ...
    },
    "root": {
        "path": "rootfs"
    },

And for the new container info, it changed to:

    "process": {
        "user": {
            "uid": 65532,
            "gid": 65532,
            "additionalGids": [
                65532
            ]
        },
        ...
        "capabilities": {},
        "noNewPrivileges": true,
        ...
    },
    "root": {
        "path": "rootfs",
        "readonly": true
    },
  2. After changing the URL from m7r9p7b3 to aws-application-networking-k8s, it can still download the controller image successfully; they are equivalent: https://gallery.ecr.aws/aws-application-networking-k8s/aws-gateway-controller https://gallery.ecr.aws/m7r9p7b3/aws-gateway-controller

  3. After changing to replicas: 2 in config/manager/manager.yaml and running kubectl apply -f deploy.yaml:

    kubectl get pods  -A          
    NAMESPACE                           NAME                                      READY   STATUS    RESTARTS   AGE
    aws-application-networking-system   gateway-api-controller-55d9d6db66-f9wz5   2/2     Running   0          14m
    aws-application-networking-system   gateway-api-controller-55d9d6db66-z9jhm   2/2     Running   0          14m

    For one controller pod:

    kubectl logs -n aws-application-networking-system gateway-api-controller-55d9d6db66-f9wz5 
    ....
    I1129 05:54:51.579177       1 leaderelection.go:250] attempting to acquire leader lease aws-application-networking-system/amazon-vpc-lattice.io...
    ....

    For another controller pod:

    kubectl logs -n aws-application-networking-system gateway-api-controller-55d9d6db66-z9jhm
    ....
    I1129 05:54:51.518876       1 leaderelection.go:250] attempting to acquire leader lease aws-application-networking-system/amazon-vpc-lattice.io...
    I1129 05:54:51.532562       1 leaderelection.go:260] successfully acquired lease aws-application-networking-system/amazon-vpc-lattice.io
    ....

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
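The before/after ctr output in the PR description is the evidence that the new securityContext took effect, but reading it by eye does not scale past one container. As an added example that is not part of this PR or of the project's code, the Go program below audits the OCI runtime spec printed by `sudo ctr -n k8s.io containers info <id>` for the four properties visible above (non-root uid, empty capability sets, noNewPrivileges on, read-only root filesystem) and names the Pod securityContext field behind each one (`runAsNonRoot`/`runAsUser`, `capabilities.drop: [ALL]`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`). It assumes ctr wraps the spec under a `Spec` key and falls back to treating the input as a bare spec; the two embedded specs are constructed samples trimmed from the old and new output quoted in the PR, not the real ctr output.

```go
// ocispec_audit.go: audit a container's OCI runtime spec (from `sudo ctr -n k8s.io
// containers info <id>`) for the properties the before/after output in this PR shows.
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
)

// ociSpec holds only the runtime-spec fields the audit needs. Capabilities is a
// pointer so a missing key is told apart from the empty object {} shown above.
type ociSpec struct {
	Process struct {
		User struct {
			UID uint32 `json:"uid"`
		} `json:"user"`
		Capabilities *struct {
			Bounding  []string `json:"bounding"`
			Effective []string `json:"effective"`
			Permitted []string `json:"permitted"`
		} `json:"capabilities"`
		NoNewPrivileges bool `json:"noNewPrivileges"`
	} `json:"process"`
	Root struct {
		Readonly bool `json:"readonly"`
	} `json:"root"`
}

// Audit returns one finding per property the container misses, each naming the
// Pod securityContext field that fixes it; an empty slice means hardened.
// It accepts the ctr wrapper object (assumed to hold the spec under "Spec") or a bare spec.
func Audit(data []byte) ([]string, error) {
	var wrapped struct{ Spec *ociSpec `json:"Spec"` }
	if err := json.Unmarshal(data, &wrapped); err != nil {
		return nil, err
	}
	spec := wrapped.Spec
	if spec == nil { // no wrapper: treat the input as a bare OCI spec
		spec = &ociSpec{}
		if err := json.Unmarshal(data, spec); err != nil {
			return nil, err
		}
	}
	var findings []string
	if spec.Process.User.UID == 0 {
		findings = append(findings, "runs as uid 0 (set runAsNonRoot: true and a non-zero runAsUser)")
	}
	if caps := spec.Process.Capabilities; caps != nil {
		names := []string{"bounding", "effective", "permitted"} // fixed order, deterministic output
		for i, list := range [][]string{caps.Bounding, caps.Effective, caps.Permitted} {
			if len(list) > 0 {
				findings = append(findings, fmt.Sprintf("%s capability set is not empty: %v (set capabilities.drop: [ALL])", names[i], list))
			}
		}
	}
	if !spec.Process.NoNewPrivileges {
		findings = append(findings, "noNewPrivileges is false (set allowPrivilegeEscalation: false)")
	}
	if !spec.Root.Readonly {
		findings = append(findings, "root filesystem is writable (set readOnlyRootFilesystem: true)")
	}
	return findings, nil
}

// Constructed samples, trimmed from the old and new ctr output quoted above.
const oldSpecJSON = `{"Spec":{"process":{"user":{"uid":65532,"gid":65532},"noNewPrivileges":true,
 "capabilities":{"bounding":["CAP_CHOWN","CAP_NET_RAW"],"effective":["CAP_CHOWN","CAP_NET_RAW"],
 "permitted":["CAP_CHOWN","CAP_NET_RAW"]}},"root":{"path":"rootfs"}}}`
const newSpecJSON = `{"Spec":{"process":{"user":{"uid":65532,"gid":65532},"noNewPrivileges":true,
 "capabilities":{}},"root":{"path":"rootfs","readonly":true}}}`

// Pass "-" to audit a spec piped on stdin; otherwise the two samples are audited.
func main() {
	inputs := map[string][]byte{"old sample": []byte(oldSpecJSON), "new sample": []byte(newSpecJSON)}
	if len(os.Args) > 1 && os.Args[1] == "-" {
		data, _ := io.ReadAll(os.Stdin) // a read error surfaces as a parse error below
		inputs = map[string][]byte{"stdin": data}
	}
	rc := 0
	for label, data := range inputs {
		findings, err := Audit(data)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", label, err)
			os.Exit(2)
		}
		if len(findings) == 0 {
			fmt.Printf("%s: OK, matches the hardened profile\n", label)
		}
		for _, f := range findings {
			fmt.Printf("%s: FAIL: %s\n", label, f)
			rc = 1
		}
	}
	os.Exit(rc)
}
```

Run as `sudo ctr -n k8s.io containers info <id> | go run ocispec_audit.go -` on a worker node, or without `-` to see the old sample fail on its three capability sets and writable rootfs while the new sample passes. Note that noNewPrivileges is already true in the old output quoted above, so the two properties that actually changed between the old and new container are the capability sets and root.readonly; the uid and noNewPrivileges checks are there so the same tool catches a future regression in either.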