Prevent unauthenticated user from getting version information from the cluster
Article ID: 337408


Products

Tanzu Kubernetes Grid Tanzu Kubernetes Runtime VMware Tanzu Kubernetes Grid VMware Tanzu Kubernetes Grid 1.x

Issue/Introduction

Denying unauthenticated users access to cluster version information can be a security requirement in some environments.

Symptoms:

Using the cluster API, an unauthenticated caller can obtain cluster information because the default cluster role system:public-info-viewer (which the default binding grants to the system:unauthenticated group as well as to authenticated users) allows GET on /version. In other words, anyone who reaches the API server without credentials can read the cluster version under the default role.
$ kubectl get clusterrole system:public-info-viewer -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2023-09-13T16:19:37Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:public-info-viewer
  resourceVersion: "87"
  uid: ########-####-####-####-#########
rules:
- nonResourceURLs:
  - /healthz
  - /livez
  - /readyz
  - /version
  - /version/
  verbs:
  - get

By removing the "/version" and "/version/" entries from this cluster role, the version information is no longer available through that API call to a user who is unauthenticated against the cluster.
This is information that should not be obtainable by anyone who is unauthenticated.

Environment

VMware Tanzu Kubernetes Grid 1.x

Cause

The default cluster role allows an unauthenticated user to obtain cluster version information.

Resolution


The https://kubernetes.io/docs/reference/access-authn-authz/rbac/#auto-reconciliation  mentioned the following  approach, please read carefully the warning and caution from the Kubernetes documentation before proceeding to the change:

Auto-reconciliation

At each start-up, the API server updates default cluster roles with any missing permissions, and updates default cluster role bindings with any missing subjects. This allows the cluster to repair accidental modifications, and helps to keep roles and role bindings up-to-date as permissions and subjects change in new Kubernetes releases.


"To opt out of this reconciliation, set the rbac.authorization.kubernetes.io/autoupdate annotation on a default cluster role or rolebinding to false. Be aware that missing default permissions and subjects can result in non-functional clusters."

In testing, the applied change was preserved and not auto-updated after an upgrade operation and a recreation of the control plane nodes.

Edit the cluster role, change the rbac.authorization.kubernetes.io/autoupdate annotation from "true" to "false", and remove the /version and /version/ entries from the rules. The resulting cluster role should look like this:

$ kubectl get clusterrole system:public-info-viewer -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "false"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:public-info-viewer
rules:
- nonResourceURLs:
  - /healthz
  - /livez
  - /readyz
  verbs:
  - get
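As an added example (not from the article or from VMware), the following Python filter performs the two edits described above on the ClusterRole in JSON form, and includes a check function that reports whether a role still grants get on /version or /version/. The kubectl pipeline in the docstring is an assumed workflow, not a command from the article, and the sample role is constructed from the YAML shown above with a placeholder uid.

```python
"""Harden system:public-info-viewer so unauthenticated clients cannot read /version.

Assumed workflow (not from the KB article):
    kubectl get clusterrole system:public-info-viewer -o json \
        | python3 harden_public_info_viewer.py \
        | kubectl apply -f -
"""
import copy
import json
import sys

AUTOUPDATE_ANNOTATION = "rbac.authorization.kubernetes.io/autoupdate"
VERSION_PATHS = {"/version", "/version/"}


def exposes_version(role: dict) -> bool:
    """Return True if any rule grants 'get' (or '*') on /version or /version/."""
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        if not verbs & {"get", "*"}:
            continue
        if VERSION_PATHS & set(rule.get("nonResourceURLs", [])):
            return True
    return False


def harden(role: dict) -> dict:
    """Return a copy with auto-reconciliation disabled and the version paths removed.

    The input is not modified. Server-populated metadata is dropped so the
    result can be re-applied cleanly; everything else in the role is kept.
    """
    hardened = copy.deepcopy(role)
    meta = hardened.setdefault("metadata", {})
    # Step 1: opt out of auto-reconciliation, otherwise the API server
    # restores the missing paths on its next start-up.
    meta.setdefault("annotations", {})[AUTOUPDATE_ANNOTATION] = "false"
    for field in ("resourceVersion", "uid", "creationTimestamp", "managedFields"):
        meta.pop(field, None)

    # Step 2: remove only /version and /version/; /healthz, /livez and
    # /readyz stay, since removing more than the version paths was not tested.
    rules = []
    for rule in hardened.get("rules", []):
        new_rule = dict(rule)
        if "nonResourceURLs" in rule:
            kept = [u for u in rule["nonResourceURLs"] if u not in VERSION_PATHS]
            if not kept:
                continue  # a rule with no paths left would be invalid; drop it
            new_rule["nonResourceURLs"] = kept
        rules.append(new_rule)
    hardened["rules"] = rules
    return hardened


# Constructed sample mirroring the default role shown in the article.
SAMPLE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {
        "annotations": {AUTOUPDATE_ANNOTATION: "true"},
        "labels": {"kubernetes.io/bootstrapping": "rbac-defaults"},
        "name": "system:public-info-viewer",
        "resourceVersion": "87",
        "uid": "00000000-0000-0000-0000-000000000000",  # placeholder, constructed
    },
    "rules": [
        {
            "nonResourceURLs": ["/healthz", "/livez", "/readyz", "/version", "/version/"],
            "verbs": ["get"],
        }
    ],
}

if __name__ == "__main__":
    # Read the live role from stdin when piped; fall back to the sample otherwise.
    source = SAMPLE_ROLE if sys.stdin.isatty() else json.load(sys.stdin)
    json.dump(harden(source), sys.stdout, indent=2)
    print()
```

The same result can be reached by hand with kubectl edit on the cluster role. As an assumed verification step (not from the article), `kubectl auth can-i get /version --as=system:anonymous --as-group=system:unauthenticated` should answer `no` after the change, while the same check for /healthz still answers `yes`.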


Additional Information

Impact/Risks:
Be aware that missing default permissions and subjects can result in non-functional clusters, as stated in the Kubernetes documentation.
This article is based on testing in a TKG test cluster in which only the version entries were removed from the allowed operations. Removing any other entries can lead to an unresponsive cluster and to problems with reconciliation.