Kubernetes kube-proxy unauthorized access vulnerability
1. When kube-proxy runs with the following flag, scanners report an unauthorized-access vulnerability:
--metrics-bind-address=10.10.10.10:10249
2. To get rid of the finding, the flag was removed, but kube-proxy still opens this port by default.
The metrics can still be reached at the following addresses; security is only slightly improved, since the port is now reachable from the node itself only:
curl localhost:10249/metrics
curl 127.0.0.1:10249/metrics
3. After the flag is removed, Prometheus can no longer auto-discover the metrics endpoint exposed by kube-proxy,
so the kube-proxy metrics are collected through node-exporter's textfile collector instead.
The YAML is as follows:
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: node-exporter
  name: xdd-node-exporter-daemonset
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: node-exporter
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        k8s-app: node-exporter
    spec:
      containers:
      - args:
        - --path.procfs=/host/proc
        - --path.sysfs=/host/sys
        - --path.rootfs=/host/root
        - --web.config=/etc/config/config.yaml
        - --no-collector.nvme
        - --collector.filesystem.ignored-mount-points=^/(sys|proc|dev|run|home|tmp)($|/)
        - --collector.diskstats.ignored-devices=^(overlays|tmpfs|ram|loop|fd|(h|s|v|xv)d[a-z]|nvme\d+n\d+p)\d+$
        - --collector.systemd
        - --collector.textfile.directory=/var/lib/node_exporter  # collect the metric files placed in this directory
        image: node_exporter:v1.2.0
        imagePullPolicy: Always
        name: node-exporter
        ports:
        - containerPort: 9100
          hostPort: 9100
          name: http
          protocol: TCP
        volumeMounts:
        - mountPath: /host/proc
          name: proc
          readOnly: true
        - mountPath: /host/sys
          name: sys
          readOnly: true
        - mountPath: /host/root
          mountPropagation: HostToContainer
          name: root
          readOnly: true
        - mountPath: /var/lib/node_exporter
          name: node-exporter-prom
        - mountPath: /etc/config/
          name: xdd-node-exporter-config
          readOnly: true
      - command:
        - /bin/sh
        - -c
        - sh /etc/config/cron-job.sh  # run the periodic script that pulls kube-proxy metrics
        image: monitor_node_exporter:v1.2.0
        imagePullPolicy: Always
        name: node-exporter-cron-job
        volumeMounts:
        - mountPath: /var/lib/node_exporter
          name: node-exporter-prom
        - mountPath: /etc/config/
          name: xdd-node-exporter-cron-job-config
          readOnly: true
      securityContext:
        runAsUser: 0
      hostPID: true
      hostNetwork: true  # hostNetwork is required, otherwise the host network (localhost:10249) is not reachable
      volumes:
      - hostPath:
          path: /proc
        name: proc
      - hostPath:
          path: /sys
        name: sys
      - hostPath:
          path: /
        name: root
      - hostPath:
          path: /var/lib/node_exporter
          type: DirectoryOrCreate
        name: node-exporter-prom
      - configMap:
          defaultMode: 420
          name: xdd-node-exporter-config
        name: xdd-node-exporter-config
      - configMap:
          defaultMode: 420
          name: xdd-node-exporter-cron-job-config
        name: xdd-node-exporter-cron-job-config
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: node-exporter
  name: xdd-node-exporter-svc
  namespace: kube-system
spec:
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: http
    port: 9100
    protocol: TCP
  selector:
    k8s-app: node-exporter
  type: ClusterIP
---
apiVersion: v1
data:
  config.yaml: |-  # node-exporter web config with basic-auth credentials
    basic_auth_users:
      node-exporter: xxxxxxxxxxxxxxxxx
kind: ConfigMap
metadata:
  name: xdd-node-exporter-config
  namespace: kube-system
---
apiVersion: v1
data:
  cron-job.sh: |-  # script that pulls the kube-proxy metrics
    #!/bin/sh
    # Pull kube-proxy metrics into the textfile collector directory every 10 seconds.
    # Write to a temporary file and rename it so node-exporter never reads a half-written
    # file, and only replace the published file when curl succeeded (-f), so a failed
    # scrape does not leave an empty kube-proxy.prom behind.
    OUT=/var/lib/node_exporter/kube-proxy.prom
    while true; do
      echo "Running task at $(date)"
      if curl -sf localhost:10249/metrics -o "$OUT.tmp"; then
        mv "$OUT.tmp" "$OUT"
      fi
      sleep 10  # run every 10 seconds
    done
kind: ConfigMap
metadata:
  name: xdd-node-exporter-cron-job-config
  namespace: kube-system
4. In the Prometheus UI, query for metrics beginning with kubeproxy; if they show up, the setup works. Note that their job label becomes node-exporter's job.
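The following shell script is an added example, not part of the original post. It checks the two things this procedure relies on: that the metrics port from steps 1 and 2 is bound to loopback only (by parsing `ss -lnt` output), and that the file collected in step 3 actually carries kubeproxy_ samples for step 4. The `ss` listing and .prom contents embedded in it are constructed samples; the 10.10.10.10 address is the one from step 1.

```shell
#!/bin/sh
# Added example: audit a node for the kube-proxy metrics exposure described above.
# kube_proxy_exposure reads `ss -lnt` output on stdin and prints the local address
# of every listener on the metrics port (10249 by default, overridable via $1)
# that is NOT bound to loopback. Empty output means node-local access only.
kube_proxy_exposure() {
  awk -v port="${1:-10249}" '
    $1 == "State" { next }                  # skip the ss header line
    {
      la = $4                               # "Local Address:Port" column
      n = split(la, p, ":")
      if (p[n] != port) next
      host = substr(la, 1, length(la) - length(p[n]) - 1)
      # loopback forms reported by ss: 127.0.0.0/8 and [::1]
      if (host ~ /^127\./ || host == "[::1]") next
      print host
    }'
}

# kube_proxy_prom_samples reads a textfile-collector .prom file on stdin and
# prints how many kubeproxy_* sample lines it holds (step 4 expects more than 0).
kube_proxy_prom_samples() {
  awk '/^kubeproxy_/ { c++ } END { print c + 0 }'
}

# Constructed sample of `ss -lnt` output: one listener still bound to the node
# IP from step 1, two loopback listeners as in step 2, and an unrelated port.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   10.10.10.10:10249  0.0.0.0:*
LISTEN 0      4096   127.0.0.1:10249    0.0.0.0:*
LISTEN 0      4096   [::1]:10249        [::]:*
LISTEN 0      4096   0.0.0.0:22         0.0.0.0:*'

# Constructed sample of a collected kube-proxy.prom file.
SAMPLE_PROM='# HELP kubeproxy_sync_proxy_rules_duration_seconds ...
# TYPE kubeproxy_sync_proxy_rules_duration_seconds histogram
kubeproxy_sync_proxy_rules_duration_seconds_count 42
kubeproxy_network_programming_duration_seconds_count 7'

if [ "${1:-}" = "--live" ]; then
  ss -lnt | kube_proxy_exposure                           # audit this node
else
  printf '%s\n' "$SAMPLE_SS" | kube_proxy_exposure        # prints 10.10.10.10
  printf '%s\n' "$SAMPLE_PROM" | kube_proxy_prom_samples  # prints 2
fi
```

Run it with `--live` on a node (or inside the hostNetwork pod) to audit the real socket table; without arguments it exercises the constructed samples.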