Merge pull request #1805 from consideRatio/pr/disable-active-ip-block

Soft deprecate singleuser.cloudMetadata.enabled in favor of blockWithIptables
jupyterhub · Oct 5, 2020 · cda31cc · cda31cc
2 parents 0a8e9b4 + 9d0fddc
commit cda31cc
Show file tree

Hide file tree

Showing 6 changed files with 50 additions and 30 deletions.
diff --git a/doc/source/administrator/security.md b/doc/source/administrator/security.md
@@ -166,20 +166,6 @@ Read more about organizing cluster access using kubeconfig files in the
 [Kubernetes docs](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/).
 
 
-## Audit Cloud Metadata server access
-
-Most cloud providers have a static IP you can hit from any of the compute nodes, including the user pod, to get metadata about the cloud. This metadata can contain very sensitive info, and this metadata, in the wrong hands, can allow attackers to take full control of your cluster and cloud resources. It is **critical** to secure the metadata service. We block access to this IP by default (as of v0.6), so you are protected from this!
-
-The slides beginning at [_Slide 38_](https://schd.ws/hosted_files/kccncna17/d8/Hacking%20and%20Hardening%20Kubernetes%20By%20Example%20v2.pdf) provides more information on the dangers presented by this attack.
-
-If you need to enable access to the metadata server for some reason, you can do the following in config.yaml:
-
-```yaml
-singleuser:
-  cloudMetadata:
-    enabled: true
-```
-
 ## Delete the Kubernetes Dashboard
 
 The [Kubernetes Dashboard](https://github.com/kubernetes/dashboard) gets created by default in many installations. Although the Dashboard contains useful information, the Dashboard also poses a security risk. We **recommend** deleting it and not using it for the time being until the Dashboard becomes properly securable.
@@ -244,6 +230,45 @@ traditional computing environment), so be very careful.
 
 There's ongoing work on making this easier!
 
+## Audit Cloud Metadata server access
+
+Most cloud providers have a static IP that pods can reach to get metadata about
+the cloud. This metadata can contain very sensitive info and in the wrong hands
+allow attackers to take full control of your cluster and cloud resources. Due to
+this, it is **critical** to secure the metadata service from your user pods that
+could end up running malicious code without knowing it.
+
+The slides beginning at [_Slide
+38_](https://schd.ws/hosted_files/kccncna17/d8/Hacking%20and%20Hardening%20Kubernetes%20By%20Example%20v2.pdf)
+provides more information on the dangers presented by this attack.
+
+This Helm chart blocks access to this metadata in two ways by default, but you
+only need one.
+
+### Block metadata with a NetworkPolicy enforced by a NetworkPolicy controller
+
+If you have _NetworkPolicy controller_ such as Calico in the Kubernetes cluster,
+it will enforce the NetworkPolicy resource created by this chart
+(`singleuser.networkPolicy.*`) that blocks user access to the metadata server.
+We recommend relying on this approach if you you had a NetworkPolicy controller,
+and then you can disable the other option.
+
+### Block metadata with a privileged initContainer running `iptables`
+
+If you can't rely on the NetworkPolicy approach to block access to the metadata
+server, we suggest relying on this option. When
+`singleuser.cloudMetadata.blockWithIptables` is true as it is by default, an
+`initContainer` is added to the user pods. It will run with elevated privileges
+and use the `iptables` command line tool to block access to the metadata server.
+
+```yaml
+# default configuration
+singleuser:
+  cloudMetadata:
+    blockWithIptables: true
+    ip: 169.254.169.254
+```
+
 ## Kubernetes Network Policies
 
 **Important**: When using network policies, you should be aware

diff --git a/jupyterhub/files/hub/jupyterhub_config.py b/jupyterhub/files/hub/jupyterhub_config.py
@@ -435,7 +435,7 @@ def camelCaseify(s):
 
 cloud_metadata = get_config('singleuser.cloudMetadata', {})
 
-if not cloud_metadata.get('enabled', False):
+if cloud_metadata.get('block') == True or cloud_metadata.get('enabled') == False:
     # Use iptables to block access to cloud metadata by default
     network_tools_image_name = get_config('singleuser.networkTools.image.name')
     network_tools_image_tag = get_config('singleuser.networkTools.image.tag')

diff --git a/jupyterhub/templates/NOTES.txt b/jupyterhub/templates/NOTES.txt
@@ -19,6 +19,12 @@ Note that this is still an alpha release! If you have questions, feel free to
   2. Chat with us at https://gitter.im/jupyterhub/jupyterhub
   3. File issues at https://github.com/jupyterhub/zero-to-jupyterhub-k8s/issues
 
+{{- if hasKey .Values.singleuser.cloudMetadata "enabled" }}
+
+DEPRECATION: singleuser.cloudMetadata.enabled is deprecated, instead of singleuser.cloudMetadata.blockWithIptables
+
+{{- end }}
+
 {{- if .Values.hub.extraConfigMap }}
 
 DEPRECATION: hub.extraConfigMap is deprecated in jupyterhub chart 0.8.

diff --git a/jupyterhub/templates/image-puller/_daemonset-helper.yaml b/jupyterhub/templates/image-puller/_daemonset-helper.yaml
@@ -94,19 +94,6 @@ spec:
         {{- end }}
         {{- end }}
         {{- end }}
-        {{- if not .Values.singleuser.cloudMetadata.enabled }}
-        - name: image-pull-metadata-block
-          image: {{ .Values.singleuser.networkTools.image.name }}:{{ .Values.singleuser.networkTools.image.tag }}
-          {{- with .Values.singleuser.networkTools.image.pullPolicy }}
-          imagePullPolicy: {{ . }}
-          {{- end }}
-          command:
-            - /bin/sh
-            - -c
-            - echo "Pulling complete"
-          resources:
-            {{- .Values.prePuller.resources | toYaml | trimSuffix "\n" | nindent 12 }}
-        {{- end }}
         {{- range $k, $v := .Values.prePuller.extraImages }}
         - name: image-pull-{{ $k }}
           image: {{ $v.name }}:{{ $v.tag }}

diff --git a/jupyterhub/values.yaml b/jupyterhub/values.yaml
@@ -248,7 +248,9 @@ singleuser:
       name: jupyterhub/k8s-network-tools
       tag: 'set-by-chartpress'
   cloudMetadata:
-    enabled: false
+    # block set to true will append a privileged initContainer using the
+    # iptables to block the sensitive metadata server at the provided ip.
+    blockWithIptables: true
     ip: 169.254.169.254
   networkPolicy:
     enabled: true

diff --git a/tools/templates/lint-and-validate-values.yaml b/tools/templates/lint-and-validate-values.yaml
@@ -208,7 +208,7 @@ singleuser:
               values: [test]
           topologyKey: kubernetes.io/hostname
   cloudMetadata:
-    enabled: true
+    blockWithIptables: true
     ip: 169.254.169.254
   networkPolicy:
     enabled: true