Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add PSA to block host field in probe/lifecycle handlers #4942

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

tssurya
Copy link

@tssurya tssurya commented Nov 3, 2024

  • One-line PR description: Add PSA to block host field in probe/lifecycle handlers
  • Other comments:

@k8s-ci-robot
Copy link
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Nov 3, 2024
@k8s-ci-robot k8s-ci-robot added the kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory label Nov 3, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tssurya
Once this PR has been reviewed and has the lgtm label, please assign enj for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Nov 3, 2024
Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
@aojea
Copy link
Member

aojea commented Nov 4, 2024

not familiar with the mechanics of this admission plugin, the trickiest part seems to handle the roll out of the feature, as some pods will be impacted by the new policy on upgrade. Things like a rolling update on a deployment comes to mind, where valid pods will created and will be impacted, despite the existing ones running will not.

From the network perspective +1 from me, most people should not use the host field, although there are case that is used for polling external endpoints and now it can not be removed without breaking existing workloads, but seems correct to warn these users about the risk they are running by doing that.

cc: @tallclair @liggitt

Comment on lines +87 to +95
## Motivation

**Probe-based Blind SSRF Attacks**: The current definition of TCP and
HTTP probes allows the user to specify an alternative hostname/IP to
connect to rather than the pod IP. (The expected use is for sending a
probe via a HostPort, NodePort, or LoadBalancer IP.) But this allows a
"blind SSRF" (Server-Side Request Forgery) attack, in which a pod can
trick kubelet into sending an HTTP GET request to an arbitrary URL (or
portscanning TCP ports on arbitrary hosts). ([kubernetes #99425])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to repeat this; you just said all that in the summary.
But you should keep the Goals/Non-Goals section, even if there's only a single Goal.


There is a long term plan to deprecate the existing TCP and HTTP probe
types in the API to replace them with ones with slightly different semantics.
See the [KEP](https://github.com/kubernetes/enhancements/pull/4558) for more
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
See the [KEP](https://github.com/kubernetes/enhancements/pull/4558) for more
See [KEP-4559](https://github.com/kubernetes/enhancements/pull/4558) for more

Meanwhile, the older API is never going to go away. So we also want to
add PSA to allow admins to be able to restrict users from creating
probes with the Host field set when using the (about to be deprecated) API.
Here is the [draft PR](https://github.com/kubernetes/kubernetes/pull/125271)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(again I'd mention the PR number in the text. "This is implemented by [kubernetes #125271]" or something)


Consider including folks who also work outside the SIG or subproject.
-->
N/A
Copy link
Contributor

@danwinship danwinship Nov 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can remove the HTML comments after you fill the section in.

Anyway, I think you could say there's a risk, which is that some people may be depending on this functionality, and the mitigation for that is that the admin doesn't have to block it. But there's no way to make the existing feature safe, so we think blocking it is the right thing to do.

<!--
Based on reviewers feedback describe what additional tests need to be added prior
implementing this enhancement to ensure the enhancements have also solid foundations.
-->
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

None

heartbeats, leader election, etc.)
-->

TBD
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No

[existing SLIs/SLOs]: https://git.k8s.io/community/sig-scalability/slos/slos.md#kubernetes-slisslos
-->

TBD
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No


###### How does this feature react if the API server and/or etcd is unavailable?

TBD
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

N/A; it's an apiserver feature

# The following PRR answers are required at alpha release
# List the feature gate name and the components for which it must be enabled
feature-gates:
- name: N/A We decided to go with PSA versioning
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

don't put freeform text in kep.yaml; some scripts try to interpret it. Just leave this empty.


# The following PRR answers are required at beta release
metrics:
- my_feature_metric
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(remove the fake metric)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants