Is it safe to delete the cluster-admin ClusterRoleBinding on open-source Kubernetes v1.14?
I have a Kubernetes v1.14 on-prem cluster deployed using kubeadm and my kubernetes-admin user login has been compromised.
I want to revoke its certificate but the Kubernetes API server does not have a mechanism to look up a CRL file. I already created another admin user using a new ClusterRoleBinding. The only solution I see is to de-authorize the user by removing its associated ClusterRoleBinding: cluster-admin.
However, this ClusterRoleBinding's Subject is the "system:masters" group. Even though I couldn't find any other system user that belongs to the "system:masters" group, I'm afraid it will break some things if I delete it. I don't have any experience with this kind of situation.
I googled a lot but I couldn't find relevant information on this topic for open-source Kubernetes.
Is it safe to delete the "cluster-admin" ClusterRoleBinding?
% openssl x509 -noout -subject -in <(kubectl config view --raw -o jsonpath='{.users[?(@.name == "kubernetes-admin")].user.client-certificate-data}' | base64 -d)
subject= /O=system:masters/CN=kubernetes-admin
%
% kubectl describe clusterrolebindings.rbac.authorization.k8s.io cluster-admin
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:masters
%
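As an added check that is not part of the question or the answer, the script below audits which certificates carry the system:masters organization (the API server maps a client certificate's O field to a group) and which ClusterRoleBindings grant that group, so the blast radius of deleting cluster-admin is visible before acting. The cert subjects and the ClusterRoleBinding JSON are constructed samples standing in for `openssl x509 -noout -subject` output over the kubeadm PKI files and `kubectl get clusterrolebindings -o json`; the file names and the breakglass-admin binding are assumptions.

```python
import json
import re

# Constructed sample: subjects of kubeadm-issued client certs as printed by
# `openssl x509 -noout -subject`; file names follow the assumed kubeadm layout.
CERT_SUBJECTS = {
    "admin.conf": "subject= /O=system:masters/CN=kubernetes-admin",
    "apiserver-kubelet-client.crt": "subject= /O=system:masters/CN=kube-apiserver-kubelet-client",
    "controller-manager.conf": "subject= /CN=system:kube-controller-manager",
}

# Constructed sample: a trimmed `kubectl get clusterrolebindings -o json`.
CRB_JSON = """{"items": [
  {"metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"metadata": {"name": "breakglass-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "User", "name": "breakglass"}]}
]}"""

# Matches O= in both the old "/O=x/CN=y" and the newer "O = x, CN = y" openssl layouts.
_ORG_RE = re.compile(r"(?:^|[/,=]\s*)O\s*=\s*([^/,]+)")


def subject_groups(subject_line):
    """Return the O (organization) values of a cert subject; each O becomes a Kubernetes group."""
    return [o.strip() for o in _ORG_RE.findall(subject_line)]


def bindings_for_group(crb_json, group):
    """Names of ClusterRoleBindings whose subjects include the given group."""
    items = json.loads(crb_json)["items"]
    return [b["metadata"]["name"] for b in items
            if any(s.get("kind") == "Group" and s.get("name") == group
                   for s in b.get("subjects", []))]


def deletion_impact(cert_subjects, crb_json, compromised, group="system:masters"):
    """What loses authorization if every binding granting `group` is removed."""
    affected = [f for f, subj in cert_subjects.items() if group in subject_groups(subj)]
    # Collateral damage: certs in the group that are not the ones we want to cut off.
    collateral = [f for f in affected if f not in compromised]
    return {
        "bindings": bindings_for_group(crb_json, group),
        "affected_certs": affected,
        "collateral": collateral,
        "safe_to_delete": not collateral,
    }


if __name__ == "__main__":
    print(json.dumps(deletion_impact(CERT_SUBJECTS, CRB_JSON, {"admin.conf"}), indent=2))
```

On a real cluster, feed it the subjects of every client cert and kubeconfig under /etc/kubernetes and the live binding list; any non-compromised cert in the collateral list needs a replacement binding or a reissued certificate before cluster-admin is removed.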
It's not safe to delete because system:masters is used as the Subject in the client certificate used by the Kubernetes API Server to interact with ETCD and kubelet.
To deal with the breach I would suggest the approach below.