How to disable rpcbind on LKE nodes
I received a ticket regarding a security vulnerability notification regarding the Portmapper service:
the Portmapper service (portmap, rpcbind) is required for mapping RPC
requests to a network service. The Portmapper service is needed e.g.
for mounting network shares using the Network File System (NFS).
The Portmapper service runs on port 111 tcp/udp.
How should I proceed with this? This is a Kubernetes node and I cannot log in to it directly to enable a firewall and block traffic on UDP/111.
If I change the node password, I have to rebuild it, so it won't rejoin the cluster and my SSH key doesn't seem to have been copied to the machine, as it is still asking for a password, which I didn't set during node creation, as it was automated by Kubernetes.
2 Replies
Linode doesn't require you to do anything regarding these notices. They are simply sent as a courtesy.
With that said, if you would like to log in to the node, you should be able to do so without rebuilding it. I just tested this out on one of my nodes in a cluster and after resetting the root password, kubectl get nodes showed it was available as part of the cluster, shortly after booting it back up.
Someone on our LKE team wrote up the following Community post regarding securing your LKE cluster, which may help:
https://www.linode.com/community/questions/19155/securing-k8s-cluster#answer-70974
Additionally, we've brought this up to our LKE team in the past (specifically regarding this potential security issue with rpcbind) and they mentioned the following.
rpcbind is required for an NFS server, to allow other RPC services to discover the port that nfsd is listening on. We recently added the nfs-common package to all LKE nodes, per customer request for NFS volume support. rpcbind is a direct dependency of the nfs-common package, however it is not needed for NFS clients using nfsv4 (below v4 it is required for file locking).
Since it does have potential for abuse, our team will look into securing this, though we don't have an ETA for when it will be addressed. It's also worth noting that default Debian installations include nfs-common, and thus rpcbind.
If you are not interested in using NFS volumes, you can disable the rpcbind service on your LKE nodes by resetting the root password and shelling in, and running these commands:
systemctl stop rpcbind.service
systemctl disable rpcbind.service
The above method requires that you SSH into each node in your cluster to disable rpcbind individually. This also means that if nodes are recycled, new nodes will still have rpcbind enabled and you will have to manually disable it for each node again.
An easier way of disabling rpcbind so that it will not be enabled for new nodes is to implement the following daemonset:
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: disable-rpcbindsocket
  namespace: kube-system
spec:
  selector:
    matchLabels:
      run: disable-rpcbindsocket
  template:
    metadata:
      labels:
        run: disable-rpcbindsocket
    spec:
      # needs hostPID to use systemctl
      hostPID: true
      # tolerate everything
      tolerations:
      - operator: Exists
      containers:
      - name: startup-script
        image: gcr.io/google-containers/startup-script:v1
        securityContext:
          privileged: true
        env:
        - name: STARTUP_SCRIPT
          value: |
            #!/bin/bash
            set -o errexit
            set -o xtrace
            if systemctl is-active rpcbind.socket; then
              systemctl stop rpcbind.socket
            fi
            if systemctl is-enabled rpcbind.socket; then
              systemctl disable rpcbind.socket
            fi
This will ensure that rpcbind will be enabled for all nodes, including new nodes after a recycle.
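A verification step worth running after either approach in the replies above (the manual systemctl commands target rpcbind.service, the DaemonSet targets rpcbind.socket, and under systemd socket activation the socket unit can start the service again, so checking the port is more reliable than checking one unit). This is an added example, not code from the thread or from Linode: it parses `ss -Hlntu` output and reports anything still bound to 111/tcp or 111/udp; the sample output embedded in it is constructed.

```python
#!/usr/bin/env python3
"""Verify that the portmapper (rpcbind) is no longer reachable on a node.

Added example, not from the original thread. It parses `ss -Hlntu` output
and reports any listener on 111/tcp or 111/udp, the port the notice flags.
"""
import subprocess

PORTMAPPER_PORT = 111

# Constructed sample of `ss -Hlntu` output from a node where rpcbind is
# still enabled; the real check gathers this via collect_listeners().
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*
udp   UNCONN 0      0               [::]:111           [::]:*
tcp   LISTEN 0      4096         0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:10248      0.0.0.0:*
tcp   LISTEN 0      4096            [::]:10250          [::]:*
"""

def parse_listeners(ss_output):
    """Return (proto, local_address, port) for every socket in ss output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        # Split on the last ':' so IPv6 literals such as [::]:111 parse too.
        addr, _, port = local.rpartition(":")
        if port.isdigit():
            listeners.append((proto, addr, int(port)))
    return listeners

def portmapper_exposure(ss_output):
    """Return the (proto, address) pairs still bound to the portmapper port."""
    return sorted({(proto, addr) for proto, addr, port in parse_listeners(ss_output)
                   if port == PORTMAPPER_PORT})

def collect_listeners():
    """Run ss on the current node (needs iproute2) and return its raw output."""
    return subprocess.run(["ss", "-Hlntu"], check=True,
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    exposed = portmapper_exposure(collect_listeners())
    for proto, addr in exposed:
        print(f"rpcbind still listening: {proto} {addr}:{PORTMAPPER_PORT}")
    raise SystemExit(1 if exposed else 0)
```

Run it on each node after the DaemonSet has rolled out; a non-zero exit means port 111 is still open and the service or socket unit was not fully disabled.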