Kubernetes kube-proxy unauthorized access vulnerability
1. When kube-proxy runs with the following configuration, scanners flag an unauthorized-access vulnerability:
--metrics-bind-address=10.10.10.10:10249
2. To get rid of this finding, the option was removed, but kube-proxy still opens this port by default.
The metrics are still reachable at the following addresses; security is only slightly better, in that they can now be accessed only from the node itself:
curl localhost:10249/metrics
curl 127.0.0.1:10249/metrics
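A check for the state step 2 aims for, added here as an example and not part of the original post: it reads listener lines in `ss -Hltn` format and reports whether the metrics port is bound only to loopback. The sample listener tables are constructed, and the `ss` invocation in the trailing comment assumes `ss` is available on the node.

```shell
#!/bin/sh
# Constructed sample listener tables in `ss -Hltn` format (not captured from a real node).
SAMPLE_LOOPBACK_ONLY='LISTEN 0 4096 127.0.0.1:10249 0.0.0.0:*
LISTEN 0 4096 *:9100 *:*'
SAMPLE_EXPOSED='LISTEN 0 4096 10.10.10.10:10249 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:10249 0.0.0.0:*'
SAMPLE_NOT_LISTENING='LISTEN 0 4096 *:9100 *:*'

# check_metrics_bind PORT: reads listener lines on stdin and returns
#   0 if PORT is bound to loopback addresses only (what removing the flag achieves),
#   1 if nothing listens on PORT (metrics would not be scrapable at all),
#   2 if PORT is bound to a non-loopback address (the exposure the scanner flags).
check_metrics_bind() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, part, ":"); p = part[n]            # port follows the last ":"
      if (p != port) next
      host = substr($4, 1, length($4) - length(p) - 1)  # everything before it is the bind host
      if (host == "127.0.0.1" || host == "[::1]") { seen = 1; next }
      exposed = 1
    }
    END { if (exposed) exit 2; if (!seen) exit 1; exit 0 }'
}

# Live use on a node (assumes ss is installed):
#   ss -Hltn | check_metrics_bind 10249 && echo "kube-proxy metrics are loopback-only"
```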
3. After the option is removed, Prometheus can no longer auto-discover the metrics endpoint exposed by kube-proxy,
so the kube-proxy metrics are collected through node-exporter's textfile collector instead.
The YAML is as follows:
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: node-exporter
  name: xdd-node-exporter-daemonset
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: node-exporter
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        k8s-app: node-exporter
    spec:
      containers:
      - args:
        - --path.procfs=/host/proc
        - --path.sysfs=/host/sys
        - --path.rootfs=/host/root
        - --web.config=/etc/config/config.yaml
        - --no-collector.nvme
        - --collector.filesystem.ignored-mount-points=^/(sys|proc|dev|run|home|tmp)($|/)
        - --collector.diskstats.ignored-devices=^(overlays|tmpfs|ram|loop|fd|(h|s|v|xv)d[a-z]|nvme\d+n\d+p)\d+$
        - --collector.systemd
        - --collector.textfile.directory=/var/lib/node_exporter  # collect the metric files placed in this directory
        image: node_exporter:v1.2.0
        imagePullPolicy: Always
        name: node-exporter
        ports:
        - containerPort: 9100
          hostPort: 9100
          name: http
          protocol: TCP
        volumeMounts:
        - mountPath: /host/proc
          name: proc
          readOnly: true
        - mountPath: /host/sys
          name: sys
          readOnly: true
        - mountPath: /host/root
          mountPropagation: HostToContainer
          name: root
          readOnly: true
        - mountPath: /var/lib/node_exporter
          name: node-exporter-prom
        - mountPath: /etc/config/
          name: xdd-node-exporter-config
          readOnly: true
      - command:
        - /bin/sh
        - -c
        - sh /etc/config/cron-job.sh  # run the scheduled script that collects the kube-proxy metrics
        image: monitor_node_exporter:v1.2.0
        imagePullPolicy: Always
        name: node-exporter-cron-job
        volumeMounts:
        - mountPath: /var/lib/node_exporter
          name: node-exporter-prom
        - mountPath: /etc/config/
          name: xdd-node-exporter-cron-job-config
          readOnly: true
        securityContext:
          runAsUser: 0
      hostPID: true
      hostNetwork: true  # hostNetwork is required; without it the host network (and localhost:10249) is not reachable
      volumes:
      - hostPath:
          path: /proc
        name: proc
      - hostPath:
          path: /sys
        name: sys
      - hostPath:
          path: /
        name: root
      - hostPath:
          path: /var/lib/node_exporter
          type: DirectoryOrCreate
        name: node-exporter-prom
      - configMap:
          defaultMode: 420
          name: xdd-node-exporter-config
        name: xdd-node-exporter-config
      - configMap:
          defaultMode: 420
          name: xdd-node-exporter-cron-job-config
        name: xdd-node-exporter-cron-job-config
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: node-exporter
  name: xdd-node-exporter-svc
  namespace: kube-system
spec:
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: http
    port: 9100
    protocol: TCP
  selector:
    k8s-app: node-exporter
  type: ClusterIP
---
apiVersion: v1
data:
  config.yaml: |-  # node-exporter web config: basic-auth password
    basic_auth_users:
      node-exporter: xxxxxxxxxxxxxxxxx  # bcrypt hash of the password (placeholder)
kind: ConfigMap
metadata:
  name: xdd-node-exporter-config
  namespace: kube-system
---
apiVersion: v1
data:
  cron-job.sh: |-  # script that pulls the kube-proxy metrics
    #!/bin/sh
    OUT=/var/lib/node_exporter/kube-proxy.prom
    while true; do
      echo "Running task at $(date)"
      # Fetch the metrics from the loopback listener into a temp file, then rename it,
      # so the textfile collector never reads a half-written file; -f keeps a failed
      # request from overwriting the last good snapshot with an empty one
      if curl -sf localhost:10249/metrics > "$OUT.$$"; then
        mv "$OUT.$$" "$OUT"
      else
        rm -f "$OUT.$$"
      fi
      sleep 10  # run every 10 seconds
    done
kind: ConfigMap
metadata:
  name: xdd-node-exporter-cron-job-config
  namespace: kube-system
4. On the Prometheus page, query for metrics beginning with kubeproxy; if they are returned, the setup worked. Note that the job label will now be node-exporter's job rather than kube-proxy's.