  1. Logging analytics
  2. LOG-353

Anti-Crypto: Security RBAC Lockdown of OOM Kubernetes until 1.10 upgrade - port 10249-10255 - specifically 10250 and 8880 oauth


    • Security Lockdown of OOM Kubernetes

      Purpose: list only the ports we need to bring up ONAP on Kubernetes and not expose the cluster to vulnerabilities

      First defence is a curated incoming/outgoing network security group - see example in OOM-710

      There is an issue with certain ports providing API access in Kubernetes up to 1.9 (regardless of authentication lockdown) - we need to work around it until we upgrade to 1.10
      https://ip:10250/pods - lists everything

      Start with the following back door into Kubernetes.
      We must not use a 0.0.0.0/0 CIDR for incoming/outgoing network security groups.
      Use the curated list under
      https://wiki.onap.org/display/DW/ONAP+Deployment+Specification+for+Finance+and+Operations#ONAPDeploymentSpecificationforFinanceandOperations-ONAPPortProfile

      Still, this leaves 8880 vulnerable:
      https://medium.com/handy-tech/analysis-of-a-kubernetes-hack-backdooring-through-kubelet-823be5c3d67c
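One way to check a security group against the lockdown described above, as an added example that is not part of the original issue or of OOM-710. The rule format and the sample rules are constructed for illustration; the port set (10249-10255 and 8880) is the one named in the issue title.

```python
import ipaddress

# Ports the issue calls out: the kubelet range 10249-10255 (10250 in
# particular) and 8880.
SENSITIVE_PORTS = set(range(10249, 10256)) | {8880}

# Constructed sample ingress rules (hypothetical format and names).
SAMPLE_RULES = [
    {"name": "ssh", "cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
    {"name": "allow-all-tcp", "cidr": "0.0.0.0/0", "from_port": 0, "to_port": 65535},
    {"name": "kubelet-admin", "cidr": "10.12.0.0/24", "from_port": 10250, "to_port": 10250},
    {"name": "svc-8880", "cidr": "0.0.0.0/0", "from_port": 8880, "to_port": 8880},
    {"name": "kubelet-ro-v6", "cidr": "::/0", "from_port": 10255, "to_port": 10255},
]


def is_world_open(cidr):
    """True when the CIDR admits any source address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_ingress(rules, sensitive=SENSITIVE_PORTS):
    """Return (rule name, exposed ports) for every world-open rule whose
    port range overlaps the sensitive set, including wide ranges that
    cover those ports without naming them."""
    findings = []
    for rule in rules:
        if not is_world_open(rule["cidr"]):
            continue
        exposed = sorted(p for p in sensitive
                         if rule["from_port"] <= p <= rule["to_port"])
        if exposed:
            findings.append((rule["name"], exposed))
    return findings


if __name__ == "__main__":
    for name, ports in audit_ingress(SAMPLE_RULES):
        print(f"{name}: world-open ingress reaches ports {ports}")
```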

      ssh:22 access is not the issue - it is protected by a certificate

      Shutting down the processes is only a temporary fix - see screencap.
      Fix:
      https://github.com/kubernetes/kubernetes/pull/59666

         PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND                                                                                                 
       52144 root      20   0 2071408  53904   1868 S 345.1  0.0   3259:21 /tmp/udevs -o stratum+tcp://pool.zer0day.ru:8080 -u NewWorld -p NewWorld --safe -B                      
      116483 root      20   0 2137088  54012   1948 S 295.6  0.0   3322:29 /tmp/udevs -o stratum+tcp://pool.zer0day.ru:8080 -u NewWorld -p NewWorld --safe -B                      
       89198 root      20   0 2137088  54020   1972 S 235.4  0.0   3740:56 /tmp/udevs -o stratum+tcp://pool.zer0day.ru:8080 -u NewWorld -p NewWorld --safe -B                      
       98302 root      20   0 2071392  54492   1608 S 215.0  0.0   3726:18 /tmp/udevs -o stratum+tcp://pool.zer0day.ru:8080 -u NewWorld -p NewWorld --safe -B                      
       14793 root      20   0 2136944  54212   1860 S 210.6  0.0   3364:40 /tmp/udevs -o stratum+tcp://pool.zer0day.ru:8080 -u NewWorld -p NewWorld --safe -B                      
       43524 root      20   0 2137076  55952   1836 S 202.7  0.0   2841:34 /tmp/udevs -o stratum+tcp://pool.zer0day.ru:8080 -u NewWorld -p NewWorld --safe -B                      
      118090 1001      20   0 2137088  54216   1956 S 185.8  0.0   3087:17 /tmp/udevs -o stratum+tcp://pool.zer0day.ru:8080 -u NewWorld -p NewWorld --safe -B                      
       70955 ubuntu    20   0 2071528  53908   1692 S 184.1  0.0   3322:54 /tmp/udevs -o stratum+tcp://pool.zer0day.ru:8080 -u NewWorld -p NewWorld --safe -B                      
       65445 root      20   0 2136944  54256   1888 S 152.2  0.0   3512:16 /tmp/udevs -o stratum+tcp://pool.zer0day.ru:8080 -u NewWorld -p NewWorld --safe -B                      
      129922 root      20   0 2071540  53836   1792 S 136.3  0.0   3028:14 /tmp/udevs -o stratum+tcp://pool.zer0day.ru:8080 -u NewWorld -p NewWorld --safe -B                      
       23308 ubuntu    20   0 2071552  54100   1968 S 135.4  0.0   3013:55 /tmp/udevs -o stratum+tcp://pool.zer0day.ru:8080 -u NewWorld -p NewWorld --safe -B                      
      107922 ubuntu    20   0 2071528  54124   1736 S 122.1  0.0   3517:29 /tmp/udevs -o stratum+tcp://pool.zer0day.ru:8080 -u NewWorld -p NewWorld --safe -B                      
      126803 ubuntu    20   0 2071528  54308   1688 S 104.4  0.0   3463:55 /tmp/udevs -o stratum+tcp://pool.zer0day.ru:8080 -u NewWorld -p NewWorld --safe -B                      
      107640 root      20   0 2137080  53920   1904 S 102.7  0.0   3743:06 /tmp/udevs -o stratum+tcp://pool.zer0day.ru:8080 -u NewWorld -p NewWorld --safe -B                      
       79645 ubuntu    20   0 2137064  54032   1980 S  97.3  0.0   3290:51 /tmp/udevs -o stratum+tcp://pool.zer0day.ru:8080 -u NewWorld -p NewWorld --safe -B                      
       15970 root      20   0 4781880 559560  51692 S  96.5  0.4   1864:06 kubelet --kubeconfig=/etc/kubernetes/ssl/kubeconfig --allow-privileged=true --regis
      
      On some servers you kill everything - it will be back
      ubuntu@cd-r:~$ sudo ps -ef | grep stratum
      root      51234   6720 99 04:36 ?        00:05:45 /tmp/udevs -o stratum+tcp://pool.zer0day.ru:8080 -u NewWorld -p NewWorld --safe -B
      
      Another machine:
      16782 root      20   0  468332   9548   1168 S  59.6  0.1   3364:20 /tmp/udevs -o stratum+tcp://pool.zer0day.ru:8080 -u NewWorld -p NewWorld --safe -B                       
      15924 ubuntu    20   0  392688   7824   1444 S  51.0  0.0   9151:18 /tmp/udevs -o stratum+tcp://pool.supportxmr.com:3333 -u 45RxEpN2gmd4tnDx3c6EEb7o6Lb46FSvmgiS68ELp1pnCU81+
      17514 root      20   0  468332   9668   1288 S  46.7  0.1   1984:54 /tmp/udevs -o stratum+tcp://pool.zer0day.ru:8080 -u NewWorld -p NewWorld --safe -B                       
      16229 root      20   0  392552   5396   1360 S  27.8  0.0   7755:07 /tmp/udevs -o stratum+tcp://pool.supportxmr.com:3333 -u 45RxEpN2gmd4tnDx3c6EEb7o6Lb46FSvmgiS68ELp1pnCU81+
      11735 root      20   0 2073452 155044  54128 S   4.6  1.0   3063:36 kubelet --kubeconfig=/etc/kubernetes/ssl/kubeconfig --api_servers=https://kubernetes.kubernetes.rancher.+
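Detection logic for the process listings above, as an added example that is not part of the original issue. It parses `ps -ef` output and flags command lines that carry a stratum pool URL or run from a temp directory; the sample input is constructed (command lines follow the issue's listing, the wallet is a placeholder, and the last two rows are invented).

```python
import re

# Pool URL passed to a miner, e.g. "-o stratum+tcp://host:port".
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://([^\s/:]+):(\d+)")
# Executables launched from world-writable scratch directories.
TEMP_EXEC_RE = re.compile(r"^(/tmp|/var/tmp|/dev/shm)/")

# Constructed sample in `ps -ef` layout (UID PID PPID C STIME TTY TIME CMD).
# The `grep stratum` row shows why a bare grep for "stratum" is not enough.
SAMPLE_PS = """\
UID         PID   PPID  C STIME TTY          TIME CMD
root      51234   6720 99 04:36 ?        00:05:45 /tmp/udevs -o stratum+tcp://pool.zer0day.ru:8080 -u NewWorld -p NewWorld --safe -B
ubuntu    15924   6720 51 Mar01 ?      6-08:31:18 /tmp/udevs -o stratum+tcp://pool.supportxmr.com:3333 -u WALLET_PLACEHOLDER
root      15970      1 96 Mar01 ?      1-07:04:06 kubelet --kubeconfig=/etc/kubernetes/ssl/kubeconfig --allow-privileged=true
ubuntu     2211   2100  0 04:40 pts/0    00:00:00 grep stratum
root       3300      1  0 04:10 ?        00:00:01 /tmp/.x/run.sh
"""


def find_miners(ps_ef_text):
    """Return one finding per suspicious process in `ps -ef` output."""
    findings = []
    for line in ps_ef_text.splitlines():
        fields = line.split(None, 7)          # CMD keeps its spaces
        if len(fields) < 8 or not fields[1].isdigit():
            continue                          # header or malformed row
        user, pid, ppid, cmd = fields[0], int(fields[1]), int(fields[2]), fields[7]
        pool = STRATUM_RE.search(cmd)
        reasons = []
        if pool:
            reasons.append("stratum-pool")
        if TEMP_EXEC_RE.match(cmd):
            reasons.append("temp-dir-binary")
        if reasons:
            findings.append({"pid": pid, "ppid": ppid, "user": user,
                             "pool": f"{pool.group(1)}:{pool.group(2)}" if pool else None,
                             "reasons": reasons})
    return findings


def parents_to_inspect(findings):
    """Parent PIDs of flagged processes: where to look for what launched them."""
    return sorted({f["ppid"] for f in findings})


if __name__ == "__main__":
    for f in find_miners(SAMPLE_PS):
        print(f)
```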
      
      

            michaelobrien michaelobrien