
Kubernetes 1.24: preventing unauthorized volume mode switching

2022-06-10 15:04:00 CNCF

Author: Raunak Pradip Shah (Mirantis)

Kubernetes v1.24 introduces a new alpha-level feature that prevents unauthorized users from modifying the volume mode of a PersistentVolumeClaim[2] created from an existing VolumeSnapshot[1] in the Kubernetes cluster.

The problem

The volume mode[3] determines whether a volume is formatted into a filesystem or presented as a raw block device.

Users can leverage the VolumeSnapshot feature, which has been stable since Kubernetes v1.20, to create a PersistentVolumeClaim (PVC for short) from an existing VolumeSnapshot in the Kubernetes cluster. The PVC spec includes a dataSource field, which can point to an existing VolumeSnapshot instance. See Create a PersistentVolumeClaim from a Volume Snapshot[4] for more details.

When this capability is used, there is no logic that validates whether the mode of the original volume, from which the snapshot was taken, matches the mode of the newly created volume.

This presents a security gap that allows a malicious user to potentially exploit an as-yet-unknown vulnerability in the host operating system.

For efficiency, many popular storage backup vendors convert the volume mode during a backup operation. This prevents Kubernetes from blocking the operation outright and makes it hard to distinguish trusted users from malicious ones.

Preventing unauthorized users from switching volume mode

In this context, an authorized user is one who has the rights to perform Update or Patch operations on VolumeSnapshotContents, which is a cluster-level resource. It is up to the cluster administrator to grant these rights only to trusted users or applications, such as backup vendors.

If the alpha feature is enabled[5] in snapshot-controller, snapshot-validation-webhook and external-provisioner, unauthorized users will not be allowed to modify the volume mode of a PVC when it is created from a VolumeSnapshot.

To switch volume mode, an authorized user must do the following:

1. Identify the VolumeSnapshot that is to be used as the data source for the newly created PVC in the given namespace.

2. Identify the VolumeSnapshotContent bound to the above VolumeSnapshot.

   kubectl get volumesnapshot -n <namespace>

3. Add the snapshot.storage.kubernetes.io/allowVolumeModeChange[6] annotation to the VolumeSnapshotContent.

This annotation can be added either by software or manually by an authorized user. Annotations are a map, not a list, so the VolumeSnapshotContent annotation must look like the following manifest fragment:

   kind: VolumeSnapshotContent
   metadata:
     annotations:
       snapshot.storage.kubernetes.io/allowVolumeModeChange: "true"
   ...

Note: for pre-provisioned VolumeSnapshotContents, you must take the extra step of setting the spec.sourceVolumeMode field to either Filesystem or Block, depending on the mode of the volume from which the snapshot was taken.

An example is shown below:

   apiVersion: snapshot.storage.k8s.io/v1
   kind: VolumeSnapshotContent
   metadata:
     annotations:
       snapshot.storage.kubernetes.io/allowVolumeModeChange: "true"
     name: new-snapshot-content-test
   spec:
     deletionPolicy: Delete
     driver: hostpath.csi.k8s.io
     source:
       snapshotHandle: 7bdd0de3-aaeb-11e8-9aae-0242ac110002
     sourceVolumeMode: Filesystem
     volumeSnapshotRef:
       name: new-snapshot-test
       namespace: default

Repeat steps 1 to 3 for all VolumeSnapshotContents whose volume mode needs to be switched during a backup or restore operation.

If the annotation shown above is present on a VolumeSnapshotContent object, Kubernetes will not prevent the volume mode from being switched. Users should keep this in mind before adding the annotation to any VolumeSnapshotContent.
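As an added example (not code from the post or from the external-snapshotter project), the following Python models the rule described above and audits VolumeSnapshotContent objects for the two states an administrator cares about: contents that permit conversion, and pre-provisioned contents still missing spec.sourceVolumeMode. It assumes the objects are passed as dicts in the manifest shape shown above; reporting a missing sourceVolumeMode as "unverifiable" is this example's own choice.

```python
from typing import Dict, List, Optional

# Annotation from the post: "true" on a VolumeSnapshotContent permits a mode change
# for PVCs created from that snapshot.
ANNOTATION = "snapshot.storage.kubernetes.io/allowVolumeModeChange"

def _annotations(content: dict) -> Dict[str, str]:
    """metadata.annotations as a map; a list there (a common typo, since
    annotations must be a YAML map) counts as no annotations."""
    anns = content.get("metadata", {}).get("annotations")
    return anns if isinstance(anns, dict) else {}

def volume_mode_change_decision(content: dict, requested_mode: str) -> str:
    """Decide whether a PVC requesting `requested_mode` ("Filesystem"|"Block")
    may be created from the snapshot backed by `content`. Rule from the post:
    a mode change is blocked unless the annotation is set to "true".
    Assumption of this example: a content with no spec.sourceVolumeMode is
    reported as "unverifiable" rather than allowed or denied."""
    source_mode: Optional[str] = content.get("spec", {}).get("sourceVolumeMode")
    if source_mode is None:
        return "unverifiable"
    if source_mode == requested_mode:
        return "allow"
    return "allow" if _annotations(content).get(ANNOTATION) == "true" else "deny"

def audit_contents(contents: List[dict]) -> Dict[str, List[str]]:
    """Names an administrator should review: contents that permit conversion,
    and pre-provisioned ones (spec.source.snapshotHandle) that still lack the
    sourceVolumeMode the post says to set."""
    findings: Dict[str, List[str]] = {"conversion_allowed": [], "missing_source_mode": []}
    for c in contents:
        name, spec = c["metadata"]["name"], c.get("spec", {})
        if _annotations(c).get(ANNOTATION) == "true":
            findings["conversion_allowed"].append(name)
        if "snapshotHandle" in spec.get("source", {}) and "sourceVolumeMode" not in spec:
            findings["missing_source_mode"].append(name)
    return findings

# Constructed sample objects; names and handles are made up for this example.
SAMPLE_CONTENTS = [
    {"metadata": {"name": "backup-content", "annotations": {ANNOTATION: "true"}},
     "spec": {"source": {"snapshotHandle": "handle-1"}, "sourceVolumeMode": "Filesystem"}},
    {"metadata": {"name": "plain-content"},
     "spec": {"source": {"volumeHandle": "pv-1"}, "sourceVolumeMode": "Block"}},
    {"metadata": {"name": "legacy-content"}, "spec": {"source": {"snapshotHandle": "handle-2"}}},
]

if __name__ == "__main__":
    print(audit_contents(SAMPLE_CONTENTS))
```

In a live cluster the same checks can be run over the output of `kubectl get volumesnapshotcontents -o json`, which yields objects in this shape.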

What's next

Enable this feature[7] and let us know what you think!

We hope this feature causes no disruption to existing workflows while preventing malicious users from exploiting security vulnerabilities in their clusters.

For any questions, create a thread in the #sig-storage Slack channel, or file an issue in the CSI external-snapshotter repository[8].

References

[1] VolumeSnapshot: /zh/docs/concepts/storage/volume-snapshots/

[2] PersistentVolumeClaim: /zh/docs/concepts/storage/persistent-volumes/

[3] Volume mode: /zh/docs/concepts/storage/persistent-volumes/#volume-mode

[4] Create a PersistentVolumeClaim from a Volume Snapshot: /zh/docs/concepts/storage/persistent-volumes/#create-persistent-volume-claim-from-volume-snapshot

[5] Enable: https://kubernetes-csi.github.io/docs/

[6] snapshot.storage.kubernetes.io/allowVolumeModeChange: /zh/docs/reference/labels-annotations-taints/#snapshot-storage-kubernetes-io-allowvolumemodechange

[7] Enable this feature: https://kubernetes-csi.github.io/docs/

[8] Repository: https://github.com/kubernetes-csi/external-snapshotter


CNCF (Cloud Native Computing Foundation) was founded in December 2015 and is a non-profit organization under the Linux Foundation.

CNCF is committed to fostering and sustaining a vendor-neutral open source ecosystem to promote cloud native technology, making these innovations available to everyone by democratizing state-of-the-art patterns.
