Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Self Assessment: [STRIDE-DOS-2] Misuse of Infra Admin credentials to create unlimited number of clusters #6516

Closed
PushkarJ opened this issue May 13, 2022 · 8 comments
Closed

Security Self Assessment: [STRIDE-DOS-2] Misuse of Infra Admin credentials to create unlimited number of clusters #6516

PushkarJ opened this issue May 13, 2022 · 8 comments
Labels
area/security Issues or PRs related to security help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. priority/backlog Higher priority than priority/awaiting-more-evidence. sig/security Categorizes an issue or PR as relevant to SIG Security.

Comments

@PushkarJ
Copy link
Member

User Story

As an operator, I would like to apply soft/hard limits on maximum number of clusters so that I don't end up exhausting available capacity
As an operator, I would like to apply rate limits on clusterctl and underlying APIs on concurrent and successive requests to create new clusters so that I don't end up creating large number of clusters in short period of time exhausting available capacity

Detailed Description

Snippet from Cluster API security self-assessment: kubernetes/sig-security#40

STRIDE-DOS-2 - Misuse of Infra Admin credentials to create unlimited number of clusters
Infra Admin credentials can be misused by someone who has access to it by accidentally or maliciously creating very large number of clusters to exhaust capacity or slow down the operations team or for financial damage caused due to surprise bills

STRIDE-DOS-2 Recommended Mitigations

  • Create safe defaults (soft and hard) for the maximum number of clusters that can be created using a management cluster
  • Apply rate limits on clusterctl and underlying APIs on concurrent and successive requests to create new clusters can be processed using the same Infra admin
  • Implement threshold based alerts when a particular soft limit is exceeded for number of clusters

Alerting can be done by end users once these limits are set

/kind feature
/sig security
/area security
@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. sig/security Categorizes an issue or PR as relevant to SIG Security. area/security Issues or PRs related to security labels May 13, 2022
@PushkarJ PushkarJ changed the title Security Self Assessment: [STRIDE-DOS-2] Misuse of cloud credentials to create unlimited number of clusters Security Self Assessment: [STRIDE-DOS-2] Misuse of Infra Admin credentials to create unlimited number of clusters May 13, 2022
@PushkarJ PushkarJ mentioned this issue May 13, 2022
Closed
@fabriziopandini
Copy link
Member

/milestone v1.2

@k8s-ci-robot k8s-ci-robot added this to the v1.2 milestone May 22, 2022
@fabriziopandini fabriziopandini added the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Jul 29, 2022
@fabriziopandini fabriziopandini removed this from the v1.2 milestone Jul 29, 2022
@fabriziopandini fabriziopandini removed the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Jul 29, 2022
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 27, 2022
@fabriziopandini
Copy link
Member

/lifecycle frozen
/triage accepted
/help

Still a valid point to document some general best practices, but providing specific guidance for each cloud infrastructure should be addressed by cloud providers

I'm not sure that we can/we should apply rate limits on clusterctl and underlying APIs on concurrent and successive requests because technically complex; also it does not prevents to use of credentials in other ways so it doesn't solve the problem
IMO the only real solution to avoid this risk is to rely on infrastructure quota management

@k8s-ci-robot
Copy link
Contributor

@fabriziopandini:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

  • Why are we solving this issue?
  • To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
  • Does this issue have zero to low barrier of entry?
  • How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/lifecycle frozen
/triage accepted
/help

Still a valid point to document some general best practices, but providing specific guidance for each cloud infrastructure should be addressed by cloud providers

I'm not sure that we can/we should apply rate limits on clusterctl and underlying APIs on concurrent and successive requests because technically complex; also it does not prevents to use of credentials in other ways so it doesn't solve the problem
IMO the only real solution to avoid this risk is to rely on infrastructure quota management

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Nov 2, 2022
@k8s-triage-robot
Copy link

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

  • Confirm that this issue is still relevant with /triage accepted (org members only)
  • Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. and removed triage/accepted Indicates an issue or PR is ready to be actively worked on. labels Jan 19, 2024
@fabriziopandini
Copy link
Member

/priority backlog

@k8s-ci-robot k8s-ci-robot added the priority/backlog Higher priority than priority/awaiting-more-evidence. label Apr 12, 2024
@fabriziopandini fabriziopandini mentioned this issue Apr 22, 2024
Open
@fabriziopandini
Copy link
Member

I'm collapsing this issue into #6152 to see if we can make some progess
/close

@k8s-ci-robot
Copy link
Contributor

@fabriziopandini: Closing this issue.

In response to this:

I'm collapsing this issue into #6152 to see if we can make some progess
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/security Issues or PRs related to security help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. priority/backlog Higher priority than priority/awaiting-more-evidence. sig/security Categorizes an issue or PR as relevant to SIG Security.
Projects
No open projects
sig-security-tracker
Status: Done
Milestone
No milestone
Development

No branches or pull requests
4 participants
@PushkarJ @fabriziopandini @k8s-ci-robot @k8s-triage-robot