Hi! I recently read this blog post:
It seems like a malicious user with direct access to a Prometheus server who can get access to the automounted ServiceAccount token would be able to send the following to the Kubelet API:
```shell
websocat --insecure \
  --header "Authorization: Bearer $TOKEN" \
  --protocol v4.channel.k8s.io \
  "wss://$NODE_IP:10250/exec/default/nginx/nginx?output=1&error=1&command=id"
```

Output:

```
uid=0(root) gid=0(root) groups=0(root)
```
From my understanding, it doesn't seem like this is really an "issue" coming from Prometheus; rather, it's because of a missing feature: "The Kubelet API authorization uses a coarse authorization scheme, where actions like reading health status and the ability to exec into a pod require the same RBAC permissions." according to KEP-2862
I am very new to prometheus so I am not extremely familiar with the inner workings; however, I didn’t find any discussions about this and thought I’d start one. What would be the recommended way for users that can’t use KEP-2862 because they’re using an older version of Kubernetes to harden their set-up? Apply a network security policy to prevent reaching port 10250 or are there other approaches one can take for defense-in-depth? Would that network security policy risk breaking anything?
Thanks in advance!
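As an added example (not code from the post, from Prometheus or from Kubernetes), the Python below models the mapping the Kubelet applies before it asks the API server for a SubjectAccessReview, as documented in the Kubernetes "Kubelet authentication/authorization" reference: the HTTP method becomes the RBAC verb and the path selects a `nodes` subresource, with everything not on the short list falling through to `nodes/proxy`. It shows why the `get` on `nodes/proxy` that many Prometheus ClusterRoles carry is enough for the WebSocket exec in the post (an upgrade is a GET), while a role limited to `nodes/metrics` is not. The two ClusterRoles, the namespace and the request paths are constructed for illustration.

```python
"""Added example (not code from the post, Prometheus or Kubernetes):
a small model of how the kubelet turns an API request into the RBAC
attributes it sends to the API server, per the Kubernetes
"Kubelet authentication/authorization" reference docs.
"""
from __future__ import annotations

from dataclasses import dataclass

# HTTP method -> RBAC verb (from the kubelet authorization docs).
VERB_FOR_METHOD = {"GET": "get", "HEAD": "get", "POST": "create",
                   "PUT": "update", "PATCH": "patch", "DELETE": "delete"}

# Path -> nodes subresource (from the same docs). Everything not listed
# here, including /exec, /attach, /run, /pods and /containerLogs, falls
# through to nodes/proxy: that single permission is the "coarse
# authorization scheme" the post quotes from KEP-2862.
SUBRESOURCE_FOR_PATH = [("/stats", "stats"), ("/metrics", "metrics"),
                        ("/logs", "log"), ("/spec", "spec")]


@dataclass(frozen=True)
class Rule:
    """One rule of a ClusterRole, flattened to verbs x resources."""
    verbs: frozenset
    resources: frozenset


def kubelet_attributes(method: str, path: str) -> tuple[str, str]:
    """Return the (verb, resource) pair the kubelet would check."""
    verb = VERB_FOR_METHOD[method.upper()]
    subresource = "proxy"
    for prefix, sub in SUBRESOURCE_FOR_PATH:
        if path == prefix or path.startswith(prefix + "/"):
            subresource = sub
            break
    return verb, f"nodes/{subresource}"


def allowed(role: list[Rule], method: str, path: str) -> bool:
    """RBAC is allow-only: any single matching rule grants the request."""
    verb, resource = kubelet_attributes(method, path)
    return any(verb in r.verbs and resource in r.resources for r in role)


# Constructed roles (assumptions, not any project's shipped manifests).
# PROXY_ROLE is shaped like a typical Prometheus ClusterRole that includes
# nodes/proxy; METRICS_ROLE grants only what a direct scrape of
# kubelet:10250/metrics and /metrics/cadvisor needs.
GET_LIST_WATCH = frozenset({"get", "list", "watch"})
PROXY_ROLE = [Rule(GET_LIST_WATCH,
                   frozenset({"nodes", "nodes/proxy", "nodes/metrics",
                              "services", "endpoints", "pods"}))]
METRICS_ROLE = [Rule(frozenset({"get"}), frozenset({"nodes/metrics"}))]

# Constructed requests. The websocat exec in the post is a WebSocket
# upgrade, i.e. an HTTP GET, so it needs only the "get" verb.
REQUESTS = [("GET", "/metrics"), ("GET", "/metrics/cadvisor"),
            ("GET", "/exec/default/nginx/nginx"),
            ("POST", "/run/default/nginx/nginx"), ("GET", "/pods")]


def compare(roles: dict, requests=REQUESTS) -> dict:
    """Map (role name, method, path) -> allowed? for every combination."""
    return {(name, m, p): allowed(role, m, p)
            for name, role in roles.items() for m, p in requests}


if __name__ == "__main__":
    table = compare({"nodes/proxy": PROXY_ROLE, "nodes/metrics": METRICS_ROLE})
    for (name, m, p), ok in table.items():
        verb, res = kubelet_attributes(m, p)
        print(f"{name:13} {m:4} {p:26} -> {verb:6} {res:13} "
              f"{'ALLOW' if ok else 'deny'}")
```

On a real cluster the equivalent check is `kubectl auth can-i get nodes/proxy --as=system:serviceaccount:monitoring:prometheus` (namespace and ServiceAccount name assumed); a "yes" means the token can reach the exec endpoint as in the post. Two caveats before narrowing the role: scraping kubelets through the API server's `/api/v1/nodes/<name>/proxy/metrics` path still requires `nodes/proxy`, so the narrower role only fits a Prometheus that scrapes kubelets directly on 10250, and for that same reason an egress NetworkPolicy that blocks the Prometheus pod from port 10250 would also block its own kubelet scrapes.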