Dashboard: Skipping login allows user to have unrestricted access without authentication

Created on 27 Sep 2017 · 4 Comments · Source: kubernetes/dashboard

Environment
Dashboard version: kubernetes-dashboard-amd64:v1.7.0
Kubernetes version: v1.7.6
Operating system: Debian8.9
Node.js version:
Go version:
Steps to reproduce
  1. Start kubernetes-dashboard cleanly using the command:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
  2. Change the kubernetes-dashboard service to NodePort:
# kubectl describe svc kubernetes-dashboard -n kube-system
Name:                   kubernetes-dashboard
Namespace:              kube-system
Labels:                 k8s-app=kubernetes-dashboard
Annotations:            kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard","namespace":...
Selector:               k8s-app=kubernetes-dashboard
Type:                   NodePort
IP:                     10.30.0.239
Port:                   <unset> 443/TCP
NodePort:               <unset> 20001/TCP
Endpoints:              10.3.77.181:8443
Session Affinity:       None
Events:                 <none>
  3. Access kubernetes-dashboard via the NodePort, then click Skip.
Observed result

I can get unrestricted access to anything inside the kubernetes cluster

Expected result

If I read correctly, skipping login shouldn't give any access to any API object except https://github.com/kubernetes/dashboard/wiki/Access-control#default-dashboard-privileges

Comments

I just installed kubernetes dashboard v1.7.0 with access control, then accessed it via NodePort, and I can get unrestricted access to anything inside the kubernetes cluster. Observing kube-audit.log gives me this.

2017-09-27T14:30:28.594596816+07:00 AUDIT: id="3d1f268b-0331-423a-bd46-62a2f94d2823" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="<none>" uri="/api"
2017-09-27T14:30:28.598581631+07:00 AUDIT: id="f54e73ea-76d5-4e92-a66b-4462a63e6220" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="<none>" uri="/apis"
2017-09-27T14:30:28.719884758+07:00 AUDIT: id="ede6d8bb-3a3b-4338-9e17-bae8a8f9c282" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="default" uri="/api/v1/namespaces/default/secrets"
2017-09-27T14:30:28.720240649+07:00 AUDIT: id="82f13958-43d4-4808-8419-163f4d50c094" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="default" uri="/api/v1/namespaces/default/persistentvolumeclaims"
2017-09-27T14:30:28.720265386+07:00 AUDIT: id="d683391d-fc77-4371-b757-29b9e92d7889" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="default" uri="/api/v1/namespaces/default/configmaps"
2017-09-27T14:30:28.725318902+07:00 AUDIT: id="466b66e8-7eb0-43b6-98d8-a45e3162651b" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="default" uri="/apis/extensions/v1beta1/namespaces/default/ingresses"
2017-09-27T14:30:28.725588625+07:00 AUDIT: id="e7ee9a62-8e41-40ef-b3e9-8061c911a1ee" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="default" uri="/api/v1/namespaces/default/services"
2017-09-27T14:30:28.730646291+07:00 AUDIT: id="85ecae07-40dc-400e-a50d-c853e7661fea" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="default" uri="/apis/extensions/v1beta1/namespaces/default/daemonsets"
2017-09-27T14:30:28.731130221+07:00 AUDIT: id="2a8b60d6-e44a-4e3e-a94e-5a8432ec35ff" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="default" uri="/api/v1/namespaces/default/pods"
2017-09-27T14:30:28.731145503+07:00 AUDIT: id="6b8aff3b-5a68-4397-9c7e-1b6e7820585e" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="default" uri="/api/v1/namespaces/default/replicationcontrollers"
2017-09-27T14:30:28.73152758+07:00 AUDIT: id="de54620a-9dbe-4272-87be-3d0cd96b0579" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="default" uri="/api/v1/namespaces/default/services"
2017-09-27T14:30:28.731543457+07:00 AUDIT: id="c7ae98fc-e1a8-44cc-b425-f6b1b414ebf6" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="default" uri="/api/v1/namespaces/default/events"
2017-09-27T14:30:28.731602593+07:00 AUDIT: id="7c99d18d-4fab-43ad-b437-0477f9b34955" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="default" uri="/apis/extensions/v1beta1/namespaces/default/deployments"
2017-09-27T14:30:28.731634461+07:00 AUDIT: id="927f99a4-a101-447f-8bac-ba5e42625041" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="default" uri="/apis/batch/v1/namespaces/default/jobs"
2017-09-27T14:30:28.731918784+07:00 AUDIT: id="3a93324f-f89e-4d3f-b9fb-cffc39d09553" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="default" uri="/apis/extensions/v1beta1/namespaces/default/replicasets"
2017-09-27T14:30:28.73196526+07:00 AUDIT: id="237588b1-c7a5-4db3-8a6d-94644f26cbc3" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="default" uri="/apis/apps/v1beta1/namespaces/default/statefulsets"
2017-09-27T14:30:28.797483818+07:00 AUDIT: id="0a854c65-9847-4159-a75d-fdb9b1efaa1d" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="kube-system" uri="/api/v1/proxy/namespaces/kube-system/services/heapster/api/v1/model/namespaces/default/pod-list/hello-1506497400-nv522,hello-1506497340-j7503,hello-1506497280-7nkkv,hello-1506497220-sgd0m,hello-1506497160-w48gz,ubuntu-973471318-57643,echoserver-3919008145-ch7cx,nginx-0,echoserver-3919008145-clw2j,nginx-2,nginx-1/metrics/cpu/usage_rate"
2017-09-27T14:30:28.804386434+07:00 AUDIT: id="5c90b16f-7931-43c2-afdd-649296e664e7" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="kube-system" uri="/api/v1/proxy/namespaces/kube-system/services/heapster/api/v1/model/namespaces/default/pod-list/hello-1506497400-nv522,hello-1506497340-j7503,hello-1506497280-7nkkv,hello-1506497220-sgd0m,hello-1506497160-w48gz,ubuntu-973471318-57643,echoserver-3919008145-ch7cx,nginx-0,echoserver-3919008145-clw2j,nginx-2,nginx-1/metrics/memory/usage"
2017-09-27T14:30:28.810035882+07:00 AUDIT: id="bc0064d2-919f-4fb5-aa8d-c886ab372096" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="kube-system" uri="/api/v1/proxy/namespaces/kube-system/services/heapster/api/v1/model/namespaces/default/pod-list/hello-1506497400-nv522,hello-1506497340-j7503,hello-1506497280-7nkkv,hello-1506497220-sgd0m,hello-1506497160-w48gz,ubuntu-973471318-57643,echoserver-3919008145-ch7cx,nginx-0,echoserver-3919008145-clw2j,nginx-2,nginx-1/metrics/cpu/usage_rate"
2017-09-27T14:30:28.815935222+07:00 AUDIT: id="f4ec918a-82bb-46eb-b6da-4151ddef88ab" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="kube-system" uri="/api/v1/proxy/namespaces/kube-system/services/heapster/api/v1/model/namespaces/default/pod-list/hello-1506497400-nv522,hello-1506497340-j7503,hello-1506497280-7nkkv,hello-1506497220-sgd0m,hello-1506497160-w48gz,ubuntu-973471318-57643,echoserver-3919008145-ch7cx,nginx-0,echoserver-3919008145-clw2j,nginx-2,nginx-1/metrics/memory/usage"

Am I missing something here?
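The audit lines above are the detection signal for this misconfiguration: the dashboard's own ServiceAccount reading secrets, pods and other resources in namespaces it has no business in. The following is an added example (not code from the issue or from the kubernetes/dashboard project) that parses the legacy key="value" kube-audit.log format shown above and flags such requests; the set of namespaces the dashboard SA is expected to touch is an assumption stated in the code.

```python
import re

DASHBOARD_SA = "system:serviceaccount:kube-system:kubernetes-dashboard"
# Assumption for this example: with only its default privileges the dashboard
# SA has no reason to read resources outside its own namespace. "<none>"
# covers cluster-scoped calls such as the /api and /apis discovery endpoints.
EXPECTED_NAMESPACES = {"<none>", "kube-system"}
SENSITIVE = {"secrets", "configmaps"}  # exposure of these matters most

# Legacy key="value" audit format; the groups value contains escaped quotes.
FIELD_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_audit_line(line):
    """Split one audit line into its timestamp and key="value" fields."""
    ts, _, rest = line.partition(" AUDIT: ")
    if not rest:
        return None
    fields = {k: v.replace('\\"', '"') for k, v in FIELD_RE.findall(rest)}
    fields["ts"] = ts
    return fields

def find_overprivileged_access(log_text):
    """Requests made as the dashboard SA outside the namespaces it should need."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_audit_line(line.strip())
        if not ev or ev.get("user") != DASHBOARD_SA:
            continue
        ns = ev.get("namespace", "<none>")
        if ns in EXPECTED_NAMESPACES:
            continue
        kind = ev.get("uri", "").rstrip("/").rsplit("/", 1)[-1]  # e.g. "secrets"
        findings.append({"ts": ev["ts"], "ip": ev.get("ip"), "namespace": ns,
                         "resource": kind,
                         "severity": "high" if kind in SENSITIVE else "medium"})
    return findings

# Constructed sample in the same format as the issue's kube-audit.log excerpt.
SAMPLE_LOG = r'''
2017-09-27T14:30:28.594596816+07:00 AUDIT: id="sample-1" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="<none>" uri="/api"
2017-09-27T14:30:28.719884758+07:00 AUDIT: id="sample-2" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="default" uri="/api/v1/namespaces/default/secrets"
2017-09-27T14:30:28.731130221+07:00 AUDIT: id="sample-3" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="default" uri="/api/v1/namespaces/default/pods"
2017-09-27T14:30:28.797483818+07:00 AUDIT: id="sample-4" ip="10.3.77.181" method="GET" user="system:serviceaccount:kube-system:kubernetes-dashboard" groups="\"system:serviceaccounts\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="kube-system" uri="/api/v1/proxy/namespaces/kube-system/services/heapster/api/v1/model/namespaces/default/pod-list/nginx-0/metrics/cpu/usage_rate"
2017-09-27T14:30:29.000000000+07:00 AUDIT: id="sample-5" ip="10.3.77.182" method="GET" user="alice" groups="\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="default" uri="/api/v1/namespaces/default/secrets"
'''

if __name__ == "__main__":
    for f in find_overprivileged_access(SAMPLE_LOG):
        print(f"{f['ts']} {f['severity']:<6} {f['namespace']}/{f['resource']} from {f['ip']}")
```

Run against a real kube-audit.log the same two hits would appear for the secrets and pods reads in the issue's excerpt, while the discovery calls and the heapster proxy requests in kube-system pass.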

All 4 comments

That is not possible. Did you upgrade from 1.6.3? If so, you need to remove the cluster role binding for the kubernetes-dashboard Service Account.

I see, I actually installed the cluster cleanly, but I had installed kubernetes-dashboard v1.6 before.
Removing the clusterrolebinding for kubernetes-dashboard solves the issue. Thanks!
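The fix in this thread is to find and delete the ClusterRoleBinding left behind by the earlier install. The following is an added example (not code from the issue or from the kubernetes/dashboard project) that audits the parsed output of `kubectl get clusterrolebindings -o json` for any binding naming the dashboard ServiceAccount; it assumes, as the thread does, that a clean v1.7 install binds that SA only to minimal, namespaced privileges, so any ClusterRoleBinding naming it deserves review.

```python
DASHBOARD_SA = ("ServiceAccount", "kubernetes-dashboard", "kube-system")

def bindings_for_subject(crb_list, kind, name, namespace=None):
    """ClusterRoleBindings whose subjects include the given subject.

    crb_list is the parsed JSON of `kubectl get clusterrolebindings -o json`
    (a v1 List whose items are ClusterRoleBinding objects).
    """
    hits = []
    for crb in crb_list.get("items", []):
        for s in crb.get("subjects") or []:  # subjects may be null
            if (s.get("kind"), s.get("name"), s.get("namespace")) == (kind, name, namespace):
                hits.append({"binding": crb["metadata"]["name"],
                             "role": crb["roleRef"]["name"]})
    return hits

def leftover_dashboard_bindings(crb_list):
    """Flag every ClusterRoleBinding that names the dashboard ServiceAccount.

    Assumption: a clean install gives that SA only a namespaced Role, so any
    ClusterRoleBinding naming it deserves review; a binding to cluster-admin
    (the leftover this thread describes) is rated critical.
    """
    hits = bindings_for_subject(crb_list, *DASHBOARD_SA)
    for h in hits:
        h["severity"] = "critical" if h["role"] == "cluster-admin" else "review"
    return hits

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`.
SAMPLE_CRB_LIST = {"apiVersion": "v1", "kind": "List", "items": [
    {"metadata": {"name": "kubernetes-dashboard"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                   "namespace": "kube-system"}]},
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]}

if __name__ == "__main__":
    for h in leftover_dashboard_bindings(SAMPLE_CRB_LIST):
        print(f"[{h['severity']}] ClusterRoleBinding {h['binding']} -> ClusterRole "
              f"{h['role']}; remove with: kubectl delete clusterrolebinding {h['binding']}")
```

To check a live cluster, replace SAMPLE_CRB_LIST with `json.load` of the kubectl output, and review each reported binding before deleting it.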

Ideally this is noted in the wiki for users that upgrade from v1.6.x. We were looking for that for hours until we stumbled upon the leftover ClusterRoleBinding.

@alexanderteves I have added a note at the beginning of the Installation guide. https://github.com/kubernetes/dashboard/wiki/Installation
