aad-pod-identity
Should not bind ports that are left empty in values.yml
Describe the bug Ports left empty in values.yml are being bound during aad-pod-identity NMI creation (Prometheus port & nmi port 2579). Trying to create a duplicate resource in another namespace causes errors due to port conflict. I would expect these ports not to get bound, since the templates will only specify a port if it is defined in values:
ex from nmi-daemonset.yaml:
{{- if .Values.nmi.prometheusPort }}
- --prometheus-port={{ .Values.nmi.prometheusPort }}
{{- end }}
pod logs:
I0726 20:46:13.877545 1 main.go:86] starting nmi process. Version: v1.8.0. Build date: 2021-05-11-16:44.
I0726 20:46:14.164871 1 crd.go:448] CRD lite informers started
I0726 20:46:14.164940 1 main.go:113] running NMI in namespaced mode: false
I0726 20:46:14.164981 1 nmi.go:53] initializing in standard mode
I0726 20:46:14.164991 1 probes.go:41] initialized health probe on port 8085
I0726 20:46:14.165018 1 probes.go:44] started health probe
I0726 20:46:14.165235 1 metrics.go:341] registered views for metric
I0726 20:46:14.165424 1 prometheus_exporter.go:21] starting Prometheus exporter
I0726 20:46:14.165439 1 metrics.go:347] registered and exported metrics on port 9090
I0726 20:46:14.165619 1 server.go:102] listening on port 2579
F0726 20:46:14.166259 1 server.go:104] error creating http server: listen tcp 127.0.0.1:2579: bind: address already in use
NMI values in values.yml:
nmi:
  image: nmi
  tag: v1.8.0
  # ref: https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical
  priorityClassName: ""
  # log level. Uses V logs (klog)
  logVerbosity: 0
  loggingFormat: ""
  resources:
    limits:
      cpu: 200m
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 256Mi
  podAnnotations: {}
  podLabels: {}
  ## Node labels for pod assignment
  ## aad-pod-identity is currently only supported on linux
  nodeSelector:
    kubernetes.io/os: linux
  tolerations: []
  # - key: "CriticalAddonsOnly"
  #   operator: "Exists"
  # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  affinity: {}
  # nodeAffinity:
  #   preferredDuringSchedulingIgnoredDuringExecution:
  #   - weight 1
  #     preference:
  #       matchExpressions:
  #       - key: kubernetes.azure.com/mode
  #         operator: In
  #         values:
  #         - system
  # Override iptables update interval in seconds (default is 60)
  ipTableUpdateTimeIntervalInSeconds: ""
  # Override mic namespace to short circuit MIC token requests (default is default namespace)
  micNamespace: ""
  # Override http liveliness probe port (default is 8080)
  probePort: "8085"
  # Override number of retries in NMI to find assigned identity in CREATED state (default is 16)
  retryAttemptsForCreated: ""
  # Override number of retries in NMI to find assigned identity in ASSIGNED state (default is 4)
  retryAttemptsForAssigned: ""
  # Override retry interval to find assigned identities in seconds (default is 5)
  findIdentityRetryIntervalInSeconds: ""
  # Enable scale features - https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#enable-scale-features-flag
  # Accepted values are true/false. Default is false.
  enableScaleFeatures: ""
  # default value is 9090
  # prometheus port for metrics
  prometheusPort: ""
  # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#block-instance-metadata-flag
  # default is false
  blockInstanceMetadata: ""
  # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#metadata-header-required-flag
  # default is false
  metadataHeaderRequired: ""
  # enable running aad-pod-identity on clusters with kubenet
  # default is false
  allowNetworkPluginKubenet: false
  # Path to kubelet default config.
  # default is /etc/default/kubelet
  kubeletConfig: "/etc/default/kubelet"
Steps To Reproduce Create aad pod identity with nmi daemonset. Specify no values for prometheus or nmi port.
Expected behavior Unspecified ports are not bound to. They are not in use, so they should not be open.
AAD Pod Identity version 1.8.0 (Helm chart 4.1.1)
Kubernetes version 1.19
The only workaround right now is to change the prometheusPort to be something other than 9090. We can look into disabling Prometheus if prometheusPort is empty.
Yeah that's what I am doing for workaround now ( & adding --nmi-port={{ .Values.nmi.port }} flag to the daemonset yaml to override 2579).
But the larger issue is that open ports can pose a security risk, and there is no way to disable them.
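A way to catch this class of problem from the NMI startup log, as an added example that is not part of the issue or the aad-pod-identity project: it parses the klog lines quoted above, compares the ports the process reports opening against the chart values (empty string means "not configured"), and flags listeners that were bound anyway, plus any bind conflict from a second deployment. The `port` key name for the NMI port is an assumption taken from the `--nmi-port={{ .Values.nmi.port }}` flag mentioned in the reply; the log lines and values are constructed from the ones in the report.

```python
import re

# Constructed sample: the NMI startup lines quoted in the issue (klog format).
SAMPLE_LOG = """\
I0726 20:46:14.164991 1 probes.go:41] initialized health probe on port 8085
I0726 20:46:14.165439 1 metrics.go:347] registered and exported metrics on port 9090
I0726 20:46:14.165619 1 server.go:102] listening on port 2579
F0726 20:46:14.166259 1 server.go:104] error creating http server: listen tcp 127.0.0.1:2579: bind: address already in use
"""

# Values from the issue's values.yml; "" means the port was left unconfigured.
# The "port" key for the NMI port is assumed (from --nmi-port={{ .Values.nmi.port }}).
SAMPLE_VALUES = {"probePort": "8085", "prometheusPort": "", "port": ""}

# Map each listener message to the Helm value that is supposed to control it.
LISTENER_PATTERNS = {
    "probePort": re.compile(r"initialized health probe on port (\d+)"),
    "prometheusPort": re.compile(r"exported metrics on port (\d+)"),
    "port": re.compile(r"\] listening on port (\d+)"),
}
BIND_ERROR = re.compile(r"listen tcp [\d.]+:(\d+): bind: address already in use")


def observed_listeners(log_text):
    """Return {value_name: port} for every listener the NMI log reports opening."""
    found = {}
    for line in log_text.splitlines():
        for name, pattern in LISTENER_PATTERNS.items():
            match = pattern.search(line)
            if match:
                found[name] = int(match.group(1))
    return found


def bind_conflicts(log_text):
    """Return the ports the NMI failed to bind (what a duplicate deployment produces)."""
    return sorted({int(m.group(1)) for m in BIND_ERROR.finditer(log_text)})


def unconfigured_listeners(values, log_text):
    """Ports opened although the matching values.yml key is empty: the bug reported here."""
    return {name: port for name, port in observed_listeners(log_text).items()
            if not str(values.get(name, "")).strip()}


if __name__ == "__main__":
    print("listeners:", observed_listeners(SAMPLE_LOG))
    print("bound without config:", unconfigured_listeners(SAMPLE_VALUES, SAMPLE_LOG))
    print("bind conflicts:", bind_conflicts(SAMPLE_LOG))
```

Run against `kubectl logs` output of each NMI pod, the "bound without config" set is what should be empty once the chart and binary honour unset ports.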