Hi Michael, Huabing,

Here is the reason why Kube2MSB failed in an RBAC-enabled cluster.

The kube2MSB will use the token from service account kube-system:default. This 
service account doesn't have admin privileges.

To fix that issue there are 2 ways:

1. Create a ClusterRoleBinding that assigns admin privileges to that service 
account.



Just run the following command:

    kubectl create clusterrolebinding kube-system-default-admin-binding --clusterrole=cluster-admin --serviceaccount=kube-system:default

This command needs to be run only once. Should we put it in 
createConfig.sh<https://gerrit.onap.org/r/gitweb?p=oom.git;a=blob;f=kubernetes/config/createConfig.sh;h=154bad58ca7a79d31050546829c770a6abc86ee8;hb=HEAD>?


2. Instead of using the token from service account kube-system:default, 
kube2msb can use the token from service account onap-kube2msb:default.

In 
createAll.bash<https://gerrit.onap.org/r/gitweb?p=oom.git;a=blob;f=kubernetes/oneclick/createAll.bash;h=0240c83e1a1c04fdb26db265e55e4c4866373ea2;hb=HEAD>
the ClusterRoleBinding is created for onap-kube2msb:default, so that account 
already has admin privileges.



Change the kube-system to $1-$2:


    # assign default auth token
    if [[ -z $ONAP_DEFAULT_AUTH_TOKEN ]]; then
      DEFAULT_SECRET=`kubectl get secrets -n kube-system | grep default-token | awk '{ print $1}'`
      ONAP_DEFAULT_AUTH_TOKEN=`kubectl get secrets $DEFAULT_SECRET -n kube-system -o yaml | grep 'token:' | awk '{ print $2}' | base64 --decode`
    fi

    cmd=`echo helm install $LOCATION/$2/ --name $1-$2 --namespace $1 --set nsPrefix=$1,nodePortPrefix=$3,kubeMasterAuthToken=$ONAP_DEFAULT_AUTH_TOKEN ${HELM_VALUES_ADDITION}`
    eval ${cmd}
    check_return_code $cmd

Thanks,
Nicolas


[centos@server-186-kubernetes-master-host-8z2tnf robot]$ kubectl get ClusterRoleBinding onap-kube2msb-admin-binding -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: 2018-01-30T20:18:49Z
  name: onap-kube2msb-admin-binding
  resourceVersion: "159146"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/onap-kube2msb-admin-binding
  uid: c838ff8d-05fa-11e8-bad9-fa163efe5022
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: default
  namespace: onap-kube2msb
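A least-privilege alternative to binding cluster-admin, added here as an example and not taken from the thread or the OOM repository: a ClusterRole limited to reading pods and services (the API access the thread says Kube2MSB needs), bound to the onap-kube2msb:default service account. The role and binding names, the inclusion of endpoints, and the exact verb set are assumptions.

```yaml
# Added example: a read-only ClusterRole in place of cluster-admin.
# Assumption: kube2msb only needs to read/watch pods and services;
# endpoints is included as a common companion of service discovery and
# can be dropped if the controller never reads it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube2msb-reader                  # assumed name
rules:
- apiGroups: [""]
  resources: ["pods", "services", "endpoints"]
  verbs: ["get", "list", "watch"]
---
# Bind the narrow role to the service account the thread proposes to use.
# Note: every pod in onap-kube2msb that does not set serviceAccountName
# runs as "default" and inherits this role; a dedicated ServiceAccount
# for kube2msb would narrow that further.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: onap-kube2msb-reader-binding     # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube2msb-reader
subjects:
- kind: ServiceAccount
  name: default
  namespace: onap-kube2msb
```

After `kubectl apply -f`, confirm the scope with `kubectl auth can-i list pods --as=system:serviceaccount:onap-kube2msb:default` (expected yes) and `kubectl auth can-i create pods --as=system:serviceaccount:onap-kube2msb:default` (expected no).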


From: [email protected] 
[mailto:[email protected]] On Behalf Of HU, JUN NICOLAS
Sent: Wednesday, January 31, 2018 12:06 PM
To: OBRIEN, FRANK MICHAEL <[email protected]>; [email protected]
Subject: [onap-discuss] [OOM][MSB] Kube2MSB RBAC security issues

Hi,

I created 
https://jira.onap.org/browse/OOM-645.

The Kube2MSB cannot access the APIs of pods and services.

Thanks,
Nicolas

_______________________________________________
onap-discuss mailing list
[email protected]
https://lists.onap.org/mailman/listinfo/onap-discuss
