Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

improve security of sentinel mechanism #526

Closed
rptaylor opened this issue Apr 4, 2022 · 6 comments
Closed

improve security of sentinel mechanism #526

rptaylor opened this issue Apr 4, 2022 · 6 comments
Labels
enhancement keep This won't be closed by the stale bot. security
Milestone
1.15.0

Comments

@rptaylor
Copy link

rptaylor commented Apr 4, 2022
edited
Loading

The default sentinel behaviour is to check for the existence of a file on the host. This is done using a test -f command executed on the host with nsenter:
https://github.com/weaveworks/kured/blob/main/cmd/kured/main.go#L661

I would propose refactoring this to achieve the same thing in a different way, using a (read-only) hostPath to check for existence of a file on the host, while keeping the non-default option to run an arbitrary sentinel command in the host namespace unchanged. In conjunction with #416 this would allow kured to be non-privileged. This could mostly be handled by the Helm chart, mounting a configurable directory on the host (the sentinel file itself could not be mounted as a file-type hostPath because it would normally not exist).

volumes: 
  - name: sentinel
    hostPath:
      path: /somewhere_configurable
      type: Directory

volumeMounts:
  - name: sentinel
    mountPath: /somewhere_arbitrary
    readOnly: true

A rebootSentinel option already exists in the helm chart and kured CLI.
Looks like these helm path helpers would be perfect to split up the given rebootSentinel path; Dir could be used to get the hostPath directory to mount and Base could be passed to the kured executable, to find the file name inside the arbitrary directory in the pod.
@rptaylor rptaylor mentioned this issue Apr 4, 2022
Closed
@ckotzbauer
Copy link
Member

I like this idea, it could improve the security for the "default way". However, for custom sentinel-commands this would not be possible. nsenter is still needed there. Maybe this is a job for the helm-chart to limit privileges when the default-sentinel-mechanism is used and use the current privilege-level when using custom commands.

@rptaylor
Copy link
Author

rptaylor commented Apr 5, 2022

Yes, I was thinking along the same lines as #416, there could be a new option rebootSentinelMethod with default value "file"; can also be "command". The helm chart could have a bit of logic that sets the pod to privileged if either rebootMethod or rebootSentinelMethod is "command".

@github-actions
Copy link

github-actions bot commented Jun 5, 2022

This issue was automatically considered stale due to lack of activity. Please update it and/or join our slack channels to promote it, before it automatically closes (in 7 days).

@ckotzbauer ckotzbauer added keep This won't be closed by the stale bot. and removed no-issue-activity labels Jun 5, 2022
@rptaylor
Copy link
Author

rptaylor commented Jun 6, 2022

Still relevant.

@ckotzbauer ckotzbauer mentioned this issue Feb 3, 2023
Closed
@ckotzbauer ckotzbauer mentioned this issue Aug 4, 2023
Closed
@ckotzbauer
Copy link
Member

PR #813 is open, there's a detailed description of the implementation and why the mount-point will not be readonly.

@ckotzbauer ckotzbauer added this to the 1.15.0 milestone Aug 12, 2023
@ckotzbauer
Copy link
Member

#814 is merged

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement keep This won't be closed by the stale bot. security
Projects
None yet
Milestone
1.15.0
Development

Successfully merging a pull request may close this issue.

Sentinel-command without nsenter by default kubereboot/kured
2 participants
@rptaylor @ckotzbauer