Vulnerability fix: information disclosure on the node IP:10255/metrics page in TOS


Summary


Information disclosure vulnerability on the node IP:10255/metrics page

Fix: change the value of the read-only-port parameter to 0.

This article applies to TOS 1.9.x and TOS 2.1.0. Other versions are pending update.

Finding the TOS version:
Run the following on any node in the cluster:

kubectl version

This prints the corresponding version. For example, the output below is from version 1.9:

[root@jiujiu-tdh-70 ~]# kubectl  version
Client Version: version.Info{Major:"1", Minor:"9+", GitVersion:"v1.9.3-tos-20190624-3-g69dd589adab751", GitCommit:"69dd589adab75123777f34e9239736bc2db79dc9", GitTreeState:"clean", BuildDate:"2019-07-12T04:05:51Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"9+", GitVersion:"v1.9.4-tos-20190909-16-g1d9a948d5ebef1", GitCommit:"1d9a948d5ebef123df81e297cc7ddf72a7aad9df", GitTreeState:"clean", BuildDate:"2020-04-24T13:47:20Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}

Detailed steps


Run the following steps on every node as the root user.

  1. On the node, run

    systemctl status kubelet

    to find where kubelet's startup (unit) file is located. In the output below, the kubelet unit file path is /usr/lib/systemd/system/kubelet.service

    [root@jiujiu-tdh-70 ~]# systemctl status kubelet
    ● kubelet.service - Kubernetes Kubelet
    Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
    Active: active (running) since 五 2021-07-02 10:13:28 CST; 4 weeks 0 days ago
    Main PID: 4380 (hyperkube)
    CGroup: /system.slice/kubelet.service
           ‣ 4380 /opt/kubernetes/bin/hyperkube kubelet --logtostderr=true --v=6 --address=0.0.0.0 --cluster_dns=10.10.10.10 --clust...
    7月 30 20:29:41 jiujiu-tdh-70 hyperkube[4380]: I0730 20:29:41.791646    4380 prober.go:150] Exec-Probe Pod: &Pod{ObjectMeta:k...-guard
    7月 30 20:29:41 jiujiu-tdh-70 hyperkube[4380]: I0730 20:29:41.883430    4380 exec.go:38] Exec probe response: "ok\nWarning: U...re.\n"
    7月 30 20:29:41 jiujiu-tdh-70 hyperkube[4380]: I0730 20:29:41.883468    4380 prober.go:118] Readiness probe for "txsql-server...ceeded
    7月 30 20:29:42 jiujiu-tdh-70 hyperkube[4380]: I0730 20:29:42.013975    4380 volume_manager.go:371] All volumes are attached ...4ca5)"
    7月 30 20:29:42 jiujiu-tdh-70 hyperkube[4380]: I0730 20:29:42.014083    4380 kuberuntime_manager.go:447] Syncing Pod "txsql-s...rver-g
    7月 30 20:29:42 jiujiu-tdh-70 hyperkube[4380]: I0730 20:29:42.015010    4380 kuberuntime_manager.go:576] computePodActions got {Kil...
    7月 30 20:29:42 jiujiu-tdh-70 hyperkube[4380]: I0730 20:29:42.119157    4380 generic.go:183] GenericPLEG: Relisting
    7月 30 20:29:42 jiujiu-tdh-70 hyperkube[4380]: I0730 20:29:42.205199    4380 kubelet.go:2401] Container runtime status: Runti...ssage:
    7月 30 20:29:42 jiujiu-tdh-70 hyperkube[4380]: I0730 20:29:42.712089    4380 config.go:99] Looking for [api file], have seen ...pi:{}]
    7月 30 20:29:42 jiujiu-tdh-70 hyperkube[4380]: I0730 20:29:42.712174    4380 kubelet.go:2222] SyncLoop (housekeeping)
    Hint: Some lines were ellipsized, use -l to show in full.
  2. Use vi to edit the file found in step 1.

    vi /usr/lib/systemd/system/kubelet.service
  3. Add the --read-only-port=0 parameter at the end of the startup arguments. Because the arguments are split across lines, a line-continuation backslash (\) must be added at the end of the line holding the preceding argument. Save and exit when done.

  4. Run the following command to reload the unit file

    systemctl daemon-reload
  5. Restart kubelet

    systemctl restart kubelet
  6. Check that kubelet started normally; the output below shows a normal start.

    [root@jiujiu-tdh-70 ~]# systemctl status kubelet
    ● kubelet.service - Kubernetes Kubelet
    Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
    Active: active (running) since 五 2021-07-30 20:43:26 CST; 7s ago
    Main PID: 20847 (hyperkube)
    CGroup: /system.slice/kubelet.service
           ‣ 20847 /opt/kubernetes/bin/hyperkube kubelet --logtostderr=true --v=6 --address=0.0.0.0 --cluster_dns=10.10.10.10 --clus...
    7月 30 20:43:28 jiujiu-tdh-70 hyperkube[20847]: I0730 20:43:28.569617   20847 container.go:448] Start housekeeping for contai...c7170"
    7月 30 20:43:28 jiujiu-tdh-70 hyperkube[20847]: I0730 20:43:28.571055   20847 factory.go:114] Using factory "docker" for cont...e20e6"
    7月 30 20:43:28 jiujiu-tdh-70 hyperkube[20847]: I0730 20:43:28.574871   20847 manager.go:997] Added container: "/kubepods/besteffor...
    7月 30 20:43:28 jiujiu-tdh-70 hyperkube[20847]: I0730 20:43:28.575154   20847 handler.go:325] Added event &{/kubepods/besteff...nil>}}
    7月 30 20:43:28 jiujiu-tdh-70 hyperkube[20847]: I0730 20:43:28.575229   20847 factory.go:118] Factory "docker" was unable to ...b4ca5"
    7月 30 20:43:28 jiujiu-tdh-70 hyperkube[20847]: I0730 20:43:28.575250   20847 factory.go:107] Error trying to work out if we ...andler
    7月 30 20:43:28 jiujiu-tdh-70 hyperkube[20847]: I0730 20:43:28.575261   20847 factory.go:118] Factory "systemd" was unable to...b4ca5"
    7月 30 20:43:28 jiujiu-tdh-70 hyperkube[20847]: I0730 20:43:28.575273   20847 factory.go:114] Using factory "raw" for contain...b4ca5"
    7月 30 20:43:28 jiujiu-tdh-70 hyperkube[20847]: I0730 20:43:28.575317   20847 container.go:448] Start housekeeping for contai...e20e6"
    7月 30 20:43:28 jiujiu-tdh-70 hyperkube[20847]: I0730 20:43:28.575538   20847 manager.go:997] Added container: "/kubepods/bes...e: "")
    Hint: Some lines were ellipsized, use -l to show in full.
  7. Verify that the page has been disabled; the screenshot referenced here showed a successful disable (the :10255/metrics page no longer responds).
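The following script is an added example and is not part of the original article or of TOS itself. It automates steps 1 to 7 on one node and, more usefully, gives you a repeatable check for the hardening: it joins the backslash-continued ExecStart lines of the unit file so the flag is found wherever it was added, appends --read-only-port=0 idempotently (on the same line as the last argument, which is equivalent to the new continued line in step 3), and then confirms that nothing is still listening on TCP 10255. The unit file path /usr/lib/systemd/system/kubelet.service is taken from step 1; the sample unit content inside the check mode is constructed for illustration and uses the hyperkube arguments seen in the page's output.

```shell
#!/bin/sh
# Added example: verify and apply the kubelet read-only port hardening on a node.
# Usage on a node:  sh harden_kubelet_readonly_port.sh check|apply
# UNIT_FILE defaults to the path found in step 1 of the article.
UNIT_FILE="${UNIT_FILE:-/usr/lib/systemd/system/kubelet.service}"

# Return 0 if the unit file's ExecStart (with "\" line continuations joined)
# already contains --read-only-port=0, otherwise 1.
unit_has_readonly_port_disabled() {
    # The sed loop appends the next line whenever the pattern space ends with "\"
    # and strips the "\<newline>", so multi-line ExecStart becomes one line.
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1" | grep -q -- '--read-only-port=0'
}

# Append --read-only-port=0 to the last line of the ExecStart block.
# Idempotent: does nothing if the flag is already present. Keeps a .bak copy.
add_readonly_port_flag() {
    unit_has_readonly_port_disabled "$1" && return 0
    cp "$1" "$1.bak"
    awk '
        BEGIN { in_exec = 0 }
        {
            if ($0 ~ /^ExecStart=/) in_exec = 1
            # The ExecStart block ends at the first line NOT ending in "\"
            if (in_exec && $0 !~ /\\[ \t]*$/) {
                print $0 " --read-only-port=0"
                in_exec = 0
            } else {
                print
            }
        }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Return 0 if no socket is in LISTEN state (0A) on the given TCP port,
# using /proc/net/tcp{,6} so it works without ss or netstat installed.
readonly_port_closed() {
    port_hex=$(printf '%04X' "${1:-10255}")
    ! grep -Eqi "^ *[0-9]+: [0-9A-F]+:$port_hex [0-9A-F]+:[0-9A-F]+ 0A " \
        /proc/net/tcp /proc/net/tcp6 2>/dev/null
}

case "${1:-}" in
    check)
        if unit_has_readonly_port_disabled "$UNIT_FILE"; then
            echo "unit file: --read-only-port=0 present"
        else
            echo "unit file: --read-only-port=0 MISSING"
        fi
        if readonly_port_closed 10255; then
            echo "port 10255: not listening"
        else
            echo "port 10255: still listening (restart kubelet or re-check the unit file)"
        fi
        ;;
    apply)
        # Steps 3 to 5 of the article, in order.
        add_readonly_port_flag "$UNIT_FILE"
        systemctl daemon-reload
        systemctl restart kubelet
        systemctl status kubelet --no-pager
        ;;
esac
```

After "apply", run "check" on the same node; both lines must report the hardened state, which is the same condition the screenshot in step 7 verified by loading the page in a browser.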

Other information


If you have any questions, follow the "星环科技服务号" (Transwarp Technology Service) WeChat official account to get technical support.
