feat: disallow anonymous requests by default (kube-apiserver)
This is in line with CIS guidelines. Otherwise the kube-apiserver will pass along the request with the group
set to `system:unauthenticated`. This will expose anything that is allowed by the `system:public-info-viewer`
and `system:discovery` cluster roles.

Signed-off-by: Rio Kierkels <[email protected]>
Signed-off-by: Andrey Smirnov <[email protected]>
(cherry picked from commit f71b583)
rio authored and smira committed Jun 10, 2022
1 parent d5f16f0 commit 1e4417d
Showing 2 changed files with 20 additions and 3 deletions.
15 changes: 15 additions & 0 deletions hack/release.toml
Expand Up @@ -118,6 +118,21 @@ Can be especially useful to check network interfaces changes that may lead to th
description="""\
Talos machine configuration supports specifying network interfaces by selectors instead of interface name.
See [documentation](https://www.talos.dev/v1.1/talos-guides/network/device-selector/) for more details.
"""

[notes.anonymous]
title = "Kubernetes API Server Anonymous Auth"
description="""\
Anonymous authentication is now disabled by default for the `kube-apiserver` (CIS compliance).
To enable anonymous authentication, update the machine config with:
```yaml
cluster:
apiServer:
extraArgs:
anonymous-auth: true
```
"""

[make_deps]
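Review bot: the `extraArgs` snippet in the `[notes.anonymous]` description writes the value as a bare YAML boolean (`anonymous-auth: true`) while the Go side passes the flag as the string `"false"`; if `extraArgs` values are unmarshalled as strings, an unquoted `true` may be rejected, so consider quoting it (`anonymous-auth: "true"`) to match. The note would also be more useful if it stated the trade-off the commit message gives, i.e. that re-enabling anonymous auth lets `system:unauthenticated` reach everything granted by the `system:public-info-viewer` and `system:discovery` cluster roles, so operators can make an informed choice rather than just flipping it back on.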
Expand Up @@ -300,9 +300,11 @@ func (ctrl *ControlPlaneStaticPodController) manageAPIServer(ctx context.Context
}

builder := argsbuilder.Args{
"admission-control-config-file": filepath.Join(constants.KubernetesAPIServerConfigDir, "admission-control-config.yaml"),
"advertise-address": "$(POD_IP)",
"allow-privileged": "true",
"admission-control-config-file": filepath.Join(constants.KubernetesAPIServerConfigDir, "admission-control-config.yaml"),
"advertise-address": "$(POD_IP)",
"allow-privileged": "true",
// Do not accept anonymous requests by default. Otherwise the kube-apiserver will set the request's group to system:unauthenticated exposing endpoints like /version etc.
"anonymous-auth": "false",
"api-audiences": cfg.ControlPlaneEndpoint,
"authorization-mode": "Node,RBAC",
"bind-address": "0.0.0.0",
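Review bot: with `"anonymous-auth": "false"` the apiserver answers unauthenticated requests with 401, so it is worth confirming in `manageAPIServer` that the static pod's liveness/readiness probes and any external load-balancer health checks do not depend on unauthenticated `/healthz`, `/readyz` or `/livez`, and documenting the expected probe configuration if they do. The new comment is also less precise than the commit message: rather than "exposing endpoints like /version etc.", state the actual scope (`system:unauthenticated` gets whatever `system:public-info-viewer` and `system:discovery` allow), and wrap the line to the file's usual width.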
