kubernetes / kops

Kubernetes Operations (kOps) - Production Grade k8s Installation, Upgrades and Management
https://kops.sigs.k8s.io/
Apache License 2.0

Qualys scan issue: certificate on port 10250 self-signed #5439

Closed mirnujAtom closed 5 years ago

mirnujAtom commented 6 years ago

Thanks for submitting an issue! Please fill in as much of the template below as you can.

------------- BUG REPORT TEMPLATE --------------------

1. What kops version are you running? The command `kops version` will display this information. kops 1.9.1

2. What Kubernetes version are you running? `kubectl version` will print the version if a cluster is running or provide the Kubernetes version specified as a kops flag. v1.9.7

3. What cloud provider are you using? AWS

4. What commands did you run? What is the simplest way to reproduce this issue?

```
openssl s_client -CApath ./  -connect localhost:10250
```

5. What happened after the commands executed? The cert on the Kubelet port seems to be self-signed:

```
# cp /srv/kubernetes/ca.crt ca.pem
# c_rehash ./
Doing ./
ca.pem => 62d3b11c.0

openssl s_client -CApath ./ -connect localhost:10250

CONNECTED(00000003)
depth=0 CN = redacted@123456789
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = redacted@123456789
verify return:1
```

6. What did you expect to happen?

Expected it to be signed with the Kubernetes CA, like the kube-api cert:

```
openssl s_client -CApath ./ -connect localhost:443

CONNECTED(00000003)
depth=1 CN = kubernetes
verify return:1
depth=0 CN = kubernetes-master
verify return:1

Certificate chain
 0 s:/CN=kubernetes-master
   i:/CN=kubernetes
```

7. Please provide your cluster manifest. Execute
  `kops get --name my.example.com -o yaml` to display your cluster manifest.
  You may want to remove your cluster name and other sensitive information.

8. Please run the commands with most verbose logging by adding the `-v 10` flag.
  Paste the logs into this report, or in a gist and provide the gist link here.

9. Anything else do we need to know?
I am unsure if it is a bug or expected behavior, but the Qualys scan fails on the TLS configuration of the kubelet. Even though the kubelet checks the client's cert CA, it does not provide any proof of validity to the client:

```
Acceptable client certificate CA names
/CN=kubernetes
```

Which makes me think that whatever client (kube-api?) does not do a TLS validation check when it communicates with the kubelet, which makes this communication almost unencrypted (MIM attack possible?).

mirnujAtom commented 6 years ago

Tested on k8s 1.10.3/KOPS 1.10, still the same behavior:

```
ip-10-6-172-52 core # openssl s_client -CApath ./  -connect localhost:10250
CONNECTED(00000003)
depth=1 CN = ip-10-6-172-52.eu-west-1.compute.internal-ca@1535466301
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
```

In contrast, here is the output of the same command on the AWS k8s service:

```
CONNECTED(00000003)
depth=1 CN = kubernetes
verify return:1
depth=0 O = system:nodes, CN = system:node:ip-172-31-10-253.us-west-2.compute.internal
verify return:1
```

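
The check the reporter performs in both comments above (point `openssl s_client` at the kubelet's port with only the cluster CA as trust root and read the verify result) can be reproduced in code. The Go program below is an added example, not code from this issue or from kops: it generates constructed test material (a cluster CA named `kubernetes`, a kubelet serving cert signed by it, and a kubelet serving cert that signed itself, with the node name from the comment above used as an assumed SAN), then verifies each leaf against the CA the way `openssl s_client -CApath ./` does. The CA-signed cert chains; the self-signed one fails with `x509.UnknownAuthorityError`, the counterpart of openssl's `verify error:num=18`. The function, type and constant names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// nodeName is the node from the issue's output, used here as the assumed SAN and expected hostname.
const nodeName = "ip-10-6-172-52.eu-west-1.compute.internal"

// Fixtures is constructed test material, not a real kops CA or kubelet certificate.
type Fixtures struct{ CAPEM, SignedPEM, SelfSignedPEM []byte }

// newCert creates a P-256 key and a certificate for cn; with parent == nil the certificate signs itself.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a fixture
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{nodeName} // hostname checks use SANs, not the CN
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key, err
}

// BuildFixtures generates the cluster CA, a CA-signed kubelet serving cert and a self-signed one.
func BuildFixtures() (Fixtures, error) {
	caPEM, ca, caKey, err := newCert("kubernetes", true, nil, nil)
	if err != nil {
		return Fixtures{}, err
	}
	signedPEM, _, _, err := newCert("system:node:"+nodeName, false, ca, caKey)
	if err != nil {
		return Fixtures{}, err
	}
	selfPEM, _, _, err := newCert(nodeName+"@1535466301", false, nil, nil)
	return Fixtures{CAPEM: caPEM, SignedPEM: signedPEM, SelfSignedPEM: selfPEM}, err
}

// CheckServingCert is the offline form of `openssl s_client -CApath ./` plus reading its verify result:
// it returns the leaf's issuer CN and a nil error only when the leaf chains to caPEM and is valid for name.
func CheckServingCert(leafPEM, caPEM []byte, name string) (string, error) {
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return "", errors.New("leaf: no PEM certificate found")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return leaf.Issuer.CommonName, errors.New("ca: no PEM certificate found")
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return leaf.Issuer.CommonName, err
}

func main() {
	f, err := BuildFixtures()
	if err != nil {
		panic(err)
	}
	for label, p := range map[string][]byte{"ca-signed": f.SignedPEM, "self-signed": f.SelfSignedPEM} {
		issuer, err := CheckServingCert(p, f.CAPEM, nodeName)
		fmt.Printf("%-11s issuer=%q verify=%v\n", label, issuer, err)
	}
}
```

Against a live kubelet the same two inputs (the cluster CA as the only root and the node name as the expected hostname) are what a client should place in its TLS configuration; a client that omits them is the situation the reporter worries about, where the handshake is encrypted but the peer is never authenticated.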
fejta-bot commented 6 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

fejta-bot commented 5 years ago

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle rotten

fejta-bot commented 5 years ago

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /close

k8s-ci-robot commented 5 years ago

@fejta-bot: Closing this issue.

In response to [this](https://github.com/kubernetes/kops/issues/5439#issuecomment-457842409):

> Rotten issues close after 30d of inactivity.
> Reopen the issue with `/reopen`.
> Mark the issue as fresh with `/remove-lifecycle rotten`.
>
> Send feedback to sig-testing, kubernetes/test-infra and/or [fejta](https://github.com/fejta).
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.