feat(shield): drop nodes/proxy from host-shield ClusterRole, gate kubelet log access on Live Logs #2608
Draft
francesco-furlan wants to merge 2 commits into main from
…elet log access on Live Logs

Removes the unconditional `nodes/proxy` grant from the host-shield ClusterRole (flagged as a Remote Code Execution vector by security scans) and replaces it with a feature-gated, version-aware kubelet-log subresource grant.

Behaviour:
- live_logs disabled (default): no kubelet-log RBAC rule. Default deploys now satisfy `kubectl auth can-i get nodes/proxy --as=...:host` ⇒ no.
- live_logs enabled, K8s >= 1.36: grants the narrow `nodes/log` subresource (KEP-2862, stable in Kubernetes 1.36).
- live_logs enabled, K8s < 1.36: grants `nodes/proxy` as a legacy fallback.
- New `host.rbac.kubelet_authorization_mode` value (`auto` | `fine_grained` | `legacy`) overrides the version auto-detection.
## What this PR does / why we need it

Removes the unconditional `nodes/proxy` grant from the host-shield ClusterRole — it's been flagged as a Remote Code Execution vector by security scans because it proxies arbitrary requests to the kubelet API. The grant is replaced with a feature-gated, version-aware kubelet-log subresource that fires only when Live Logs is on.

### Behaviour matrix

| `features.investigations.live_logs.enabled` | K8s >= 1.36 | K8s < 1.36 |
|---|---|---|
| `false` (default) | no kubelet-log RBAC rule | no kubelet-log RBAC rule |
| `true` | `nodes/log` (KEP-2862, stable in 1.36) | `nodes/proxy` (legacy fallback) |

A new `host.rbac.kubelet_authorization_mode` value (`auto` | `fine_grained` | `legacy`, default `auto`) overrides the version auto-detection — useful for off-cluster rendering (ArgoCD server-side) or clusters that misreport their version.

After this PR, the default deploy satisfies:

```
kubectl auth can-i get nodes/proxy --as=...:host
# ⇒ no
```
### Files

- `templates/host/clusterrole.yaml` — drop unconditional `nodes/proxy`; append a conditional rule using new helpers.
- `templates/host/_helpers.tpl` — `host.kubelet_log_access.{enabled,is_fine_grained_capable,subresource}`.
- `values.yaml` — `host.rbac.kubelet_authorization_mode: auto` (with inline docs).
- `tests/host/clusterrole_test.yaml` — new helm-unittest suite, 8 cases covering default, version auto-detect, both override modes, live_logs off, and `host.rbac.create: false`.
- `Chart.yaml` — bump 1.37.1 → 1.38.0.

### Test plan

- `helm unittest -f 'tests/**/*_test.yaml' .` — 31/31 suites, 483/483 tests pass (8 new).
- `helm template . --kube-version 1.36.0` (defaults) → host ClusterRole has no `nodes/proxy` and no `nodes/log`.
- `helm template . --kube-version 1.36.0 --set features.investigations.live_logs.enabled=true` → grants `nodes/log`, no `nodes/proxy`.
- `helm template . --kube-version 1.35.0 --set features.investigations.live_logs.enabled=true` → grants `nodes/proxy` (legacy fallback).
- `helm lint .` clean.
- `kubectl auth can-i get nodes/proxy --as=...:host` ⇒ no; tail host-shield logs for forbidden errors.
- `live_logs.enabled=true` and verify Live Logs functions end-to-end.

### Checklist

- `feat(shield):`)
- `values.yaml` for the new `host.rbac.kubelet_authorization_mode` key)
- `_test` suffix
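An illustrative sketch of how the feature-gated, version-aware helpers and the conditional ClusterRole rule described above could be written; this is an added example, not the PR's own `_helpers.tpl` or `clusterrole.yaml`. The helper names and values keys are taken from the description; the helper bodies, the `>=1.36.0-0` semver idiom, the `fail` on an unknown mode and the `get` verb are assumptions.

```yaml
# Illustrative _helpers.tpl / clusterrole.yaml sketch (assumed, not the PR's code).
# Helper names and values keys follow the PR description; the bodies, the
# semver threshold idiom, the fail-on-unknown-mode check and the "get" verb are assumptions.

{{/* Kubelet-log RBAC is only needed when Live Logs is on; default deploys get no rule. */}}
{{- define "host.kubelet_log_access.enabled" -}}
{{- if .Values.features.investigations.live_logs.enabled -}}true{{- end -}}
{{- end -}}

{{/*
  auto         -> nodes/log when the target cluster reports >= 1.36 (KEP-2862), else nodes/proxy
  fine_grained -> force nodes/log (off-cluster render, e.g. ArgoCD server-side, or misreported version)
  legacy       -> force nodes/proxy
  anything else is a misconfiguration and aborts the render rather than silently widening RBAC
*/}}
{{- define "host.kubelet_log_access.is_fine_grained_capable" -}}
{{- $mode := .Values.host.rbac.kubelet_authorization_mode | default "auto" -}}
{{- if eq $mode "fine_grained" -}}true
{{- else if eq $mode "legacy" -}}
{{- else if ne $mode "auto" -}}{{ fail (printf "unsupported host.rbac.kubelet_authorization_mode %q" $mode) }}
{{- else if semverCompare ">=1.36.0-0" .Capabilities.KubeVersion.Version -}}true
{{- end -}}
{{- end -}}

{{/* Narrow subresource when the cluster can authorize it; nodes/proxy only as the legacy fallback. */}}
{{- define "host.kubelet_log_access.subresource" -}}
{{- if include "host.kubelet_log_access.is_fine_grained_capable" . -}}nodes/log{{- else -}}nodes/proxy{{- end -}}
{{- end -}}

# --- templates/host/clusterrole.yaml: rule appended inside the ClusterRole's rules: list ---
{{- if include "host.kubelet_log_access.enabled" . }}
  - apiGroups: [""]
    resources: ["{{ include "host.kubelet_log_access.subresource" . }}"]
    verbs: ["get"]
{{- end }}
```

`.Capabilities.KubeVersion` is whatever `helm template --kube-version` or the live API server reports, which is why an explicit mode override is needed for off-cluster rendering.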