Metrics Server using system:anonymous user
69 views
Skip to first unread message
Jaydeep Saini
Jan 11, 2023, 2:51:42 AM1/11/23
to kubernetes-sig-instrumentation
Hi Team,
We have metrics server installed in our eks cluster, we found a finding in gaurdduty that someone from USA with IP 162.142.125.213 has sucessfully taken anonymous access and making a GET/LIST call, upon checking audit logs we see its metric-server which is using system:anonymous user and trying to make the calls. I want to check why the metric server request is being routed via USA and how can we avoid this?
1673294541715,"{""kind"":""Event"",""apiVersion"":""audit.k8s.io/v1"",""level"":""RequestResponse"",""auditID"":""f9475c61-6b99-42f0-80b4-1548c13879dc"",""stage"":""ResponseComplete"",""requestURI"":""/apis/authorization.k8s.io/v1beta1/subjectaccessreviews"",""verb"":""create"",""user"":{""username"":""system:serviceaccount:kube-system:metrics-server"",""uid"":""4eeff75b-0520-11ea-919c-0ac5d848cd46"",""groups"":[""system:serviceaccounts"",""system:serviceaccounts:kube-system"",""system:authenticated""]},""sourceIPs"":[""10.4.0.84""],""userAgent"":""metrics-server/v0.0.0 (linux/amd64) kubernetes/$Format"",""objectRef"":{""resource"":""subjectaccessreviews"",""apiGroup"":""authorization.k8s.io"",""apiVersion"":""v1beta1""},""responseStatus"":{""metadata"":{},""code"":201},""requestObject"":{""kind"":""SubjectAccessReview"",""apiVersion"":""authorization.k8s.io/v1beta1"",""metadata"":{""creationTimestamp"":null},""spec"":{""nonResourceAttributes"":{""path"":""/healthz"",""verb"":""get""},""user"":""system:anonymous"",""group"":[""system:unauthenticated""]},""status"":{""allowed"":false}},""responseObject"":{""kind"":""SubjectAccessReview"",""apiVersion"":""authorization.k8s.io/v1beta1"",""metadata"":{""creationTimestamp"":null,""managedFields"":[{""manager"":""metrics-server"",""operation"":""Update"",""apiVersion"":""authorization.k8s.io/v1beta1"",""time"":""2023-01-09T20:02:20Z"",""fieldsType"":""FieldsV1"",""fieldsV1"":{""f:spec"":{""f:group"":{},""f:nonResourceAttributes"":{""."":{},""f:path"":{},""f:verb"":{}},""f:user"":{}}}}]},""spec"":{""nonResourceAttributes"":{""path"":""/healthz"",""verb"":""get""},""user"":""system:anonymous"",""group"":[""system:unauthenticated""]},""status"":{""allowed"":true,""reason"":""RBAC: allowed by ClusterRoleBinding \""system:public-info-viewer\"" of ClusterRole \""system:public-info-viewer\"" to Group \""system:unauthenticated\""""}},""requestReceivedTimestamp"":""2023-01-09T20:02:20.947801Z"",""stageTimestamp"":""2023-01-09T20:02:20.948934Z"",""annotations"":{""authentication.k8s.io/legacy-token"":""system:serviceaccount:kube-system:metrics-server"",""authorization.k8s.io/decision"":""allow"",""authorization.k8s.io/reason"":""RBAC: allowed by ClusterRoleBinding \""metrics-server:system:auth-delegator\"" of ClusterRole \""system:auth-delegator\"" to ServiceAccount \""metrics-server/kube-system\"""",""k8s.io/deprecated"":""true"",""k8s.io/removed-release"":""1.22""}}"
Thanks in advance
Regards
Jaydeep
We have metrics server installed in our eks cluster, we found a finding in gaurdduty that someone from USA with IP 162.142.125.213 has sucessfully taken anonymous access and making a GET/LIST call, upon checking audit logs we see its metric-server which is using system:anonymous user and trying to make the calls. I want to check why the metric server request is being routed via USA and how can we avoid this?
1673294541715,"{""kind"":""Event"",""apiVersion"":""audit.k8s.io/v1"",""level"":""RequestResponse"",""auditID"":""f9475c61-6b99-42f0-80b4-1548c13879dc"",""stage"":""ResponseComplete"",""requestURI"":""/apis/authorization.k8s.io/v1beta1/subjectaccessreviews"",""verb"":""create"",""user"":{""username"":""system:serviceaccount:kube-system:metrics-server"",""uid"":""4eeff75b-0520-11ea-919c-0ac5d848cd46"",""groups"":[""system:serviceaccounts"",""system:serviceaccounts:kube-system"",""system:authenticated""]},""sourceIPs"":[""10.4.0.84""],""userAgent"":""metrics-server/v0.0.0 (linux/amd64) kubernetes/$Format"",""objectRef"":{""resource"":""subjectaccessreviews"",""apiGroup"":""authorization.k8s.io"",""apiVersion"":""v1beta1""},""responseStatus"":{""metadata"":{},""code"":201},""requestObject"":{""kind"":""SubjectAccessReview"",""apiVersion"":""authorization.k8s.io/v1beta1"",""metadata"":{""creationTimestamp"":null},""spec"":{""nonResourceAttributes"":{""path"":""/healthz"",""verb"":""get""},""user"":""system:anonymous"",""group"":[""system:unauthenticated""]},""status"":{""allowed"":false}},""responseObject"":{""kind"":""SubjectAccessReview"",""apiVersion"":""authorization.k8s.io/v1beta1"",""metadata"":{""creationTimestamp"":null,""managedFields"":[{""manager"":""metrics-server"",""operation"":""Update"",""apiVersion"":""authorization.k8s.io/v1beta1"",""time"":""2023-01-09T20:02:20Z"",""fieldsType"":""FieldsV1"",""fieldsV1"":{""f:spec"":{""f:group"":{},""f:nonResourceAttributes"":{""."":{},""f:path"":{},""f:verb"":{}},""f:user"":{}}}}]},""spec"":{""nonResourceAttributes"":{""path"":""/healthz"",""verb"":""get""},""user"":""system:anonymous"",""group"":[""system:unauthenticated""]},""status"":{""allowed"":true,""reason"":""RBAC: allowed by ClusterRoleBinding \""system:public-info-viewer\"" of ClusterRole \""system:public-info-viewer\"" to Group \""system:unauthenticated\""""}},""requestReceivedTimestamp"":""2023-01-09T20:02:20.947801Z"",""stageTimestamp"":""2023-01-09T20:02:20.948934Z"",""annotations"":{""authentication.k8s.io/legacy-token"":""system:serviceaccount:kube-system:metrics-server"",""authorization.k8s.io/decision"":""allow"",""authorization.k8s.io/reason"":""RBAC: allowed by ClusterRoleBinding \""metrics-server:system:auth-delegator\"" of ClusterRole \""system:auth-delegator\"" to ServiceAccount \""metrics-server/kube-system\"""",""k8s.io/deprecated"":""true"",""k8s.io/removed-release"":""1.22""}}"
Thanks in advance
Regards
Jaydeep
Elana Hashman
Feb 2, 2023, 3:59:19 PM2/2/23
to kubernetes-sig-instrumentation
Hi Jay,
Please contact EKS support for assistance with your cluster. This is a community development mailing list.
You could also try posting on the Kubernetes community forums: https://discuss.kubernetes.io
- e
Reply all
Reply to author
Forward
0 new messages