How to disable rpcbind on LKE nodes
I received a ticket about a security vulnerability notification regarding the Portmapper service:
The Portmapper service (portmap, rpcbind) is required for mapping RPC requests to a network service. The Portmapper service is needed e.g. for mounting network shares using the Network File System (NFS). The Portmapper service runs on port 111 tcp/udp.
How should I proceed with this? This is a Kubernetes node and I cannot log in to it directly to enable a firewall and block traffic on UDP/111.
If I change the node password, I have to rebuild it, so it won't rejoin the cluster, and my SSH key doesn't seem to have been copied to the machine, as it is still asking for a password, which I didn't set during node creation because it was automated by Kubernetes.
Linode doesn't require you to do anything regarding these notices. They are simply sent as a courtesy.
With that said, if you would like to log in to the node, you should be able to do so without rebuilding it. I just tested this out on one of my nodes in a cluster and, after resetting the root password, kubectl get nodes showed it was available as part of the cluster shortly after booting it back up.
Someone on our LKE team wrote up the following Community post regarding securing your LKE cluster, which may help:
Additionally, we've brought this up to our LKE team in the past (specifically regarding this potential security issue with rpcbind) and they mentioned the following.
rpcbind is required for an NFS server, to allow other RPC services to discover the port that nfsd is listening on. We recently added the nfs-common package to all LKE nodes, per customer request for NFS volume support. rpcbind is a direct dependency of the nfs-common package; however, it is not needed for NFS clients using NFSv4 (below v4 it is required for file locking).
Since it does have potential for abuse, our team will look into securing this, though we don't have an ETA for when it will be addressed. It's also worth noting that default Debian installations include nfs-common, and thus rpcbind.
If you are not interested in using NFS volumes, you can disable the rpcbind service on your LKE nodes by resetting the root password and shelling in, and running these commands:
```sh
systemctl stop rpcbind.service
systemctl disable rpcbind.service
```
The above method requires that you SSH into each node in your cluster to disable rpcbind individually. This also means that if nodes are recycled, new nodes will still have rpcbind enabled and you will have to manually disable it for each node again.
An easier way of disabling rpcbind so that it will not be enabled for new nodes is to implement the following daemonset:
```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: disable-rpcbindsocket
  namespace: kube-system
spec:
  selector:
    matchLabels:
      run: disable-rpcbindsocket
  template:
    metadata:
      labels:
        run: disable-rpcbindsocket
    spec:
      # needs hostPID to use systemctl
      hostPID: true
      # tolerate everything
      tolerations:
      - operator: Exists
      containers:
      - name: startup-script
        image: gcr.io/google-containers/startup-script:v1
        securityContext:
          privileged: true
        env:
        - name: STARTUP_SCRIPT
          value: |
            #!/bin/bash
            set -o errexit
            set -o xtrace
            # Stop and disable the socket so systemd no longer listens on 111/tcp+udp
            if systemctl is-active rpcbind.socket; then
              systemctl stop rpcbind.socket
            fi
            if systemctl is-enabled rpcbind.socket; then
              systemctl disable rpcbind.socket
            fi
            # Also stop the service: a daemon that was already socket-activated
            # keeps running (and listening) after the socket unit alone is stopped
            if systemctl is-active rpcbind.service; then
              systemctl stop rpcbind.service
            fi
            if systemctl is-enabled rpcbind.service; then
              systemctl disable rpcbind.service
            fi
```
This will ensure that rpcbind is disabled on all nodes, including new nodes after a recycle.
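To confirm that the DaemonSet (or the manual systemctl commands) actually took effect, the check a practitioner wants is the same one the scanner performed: send a portmapper DUMP request to UDP/111 on each node and see whether anything answers. The following is an added example, not code from the original post or from Linode; it hand-builds the SunRPC call (RFC 5531) for PMAPPROC_DUMP (RFC 1833) so it works without rpcinfo installed. It assumes the node IPs are reachable from the machine you run it on (take them from `kubectl get nodes -o wide`); the sample reply bytes are constructed in the block, not captured from a real node.

```python
import os
import socket
import struct

# SunRPC / portmapper constants (RFC 5531, RFC 1833)
PMAP_PROG = 100000
PMAP_VERS = 2
PMAPPROC_DUMP = 4          # "list every registered program" - what scanners use
PORTMAPPER_PORT = 111
MSG_CALL, MSG_REPLY = 0, 1
MSG_ACCEPTED = 0
ACCEPT_SUCCESS = 0
AUTH_NONE = 0
IPPROTO_NAMES = {6: "tcp", 17: "udp"}


def build_dump_call(xid: int) -> bytes:
    """Encode a PMAPPROC_DUMP call: RPC header plus empty AUTH_NONE cred/verf, no arguments."""
    return struct.pack(
        "!10I",
        xid, MSG_CALL, 2,                      # xid, CALL, RPC protocol version 2
        PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP,   # program, version, procedure
        AUTH_NONE, 0,                          # credentials: flavor, body length
        AUTH_NONE, 0,                          # verifier: flavor, body length
    )


def encode_dump_reply(xid: int, entries) -> bytes:
    """Encode a successful DUMP reply; used here only to build a constructed sample."""
    head = struct.pack("!6I", xid, MSG_REPLY, MSG_ACCEPTED, AUTH_NONE, 0, ACCEPT_SUCCESS)
    body = b"".join(struct.pack("!5I", 1, *e) for e in entries)  # 1 = "value follows"
    return head + body + struct.pack("!I", 0)                      # 0 = end of list


def parse_dump_reply(xid: int, data: bytes):
    """Decode a DUMP reply into [(prog, vers, proto, port), ...]; ValueError if malformed."""
    try:
        rxid, mtype, rstat = struct.unpack_from("!3I", data, 0)
        if rxid != xid or mtype != MSG_REPLY:
            raise ValueError("not a reply to our request")
        if rstat != MSG_ACCEPTED:
            raise ValueError("RPC call denied")
        _, vlen = struct.unpack_from("!2I", data, 12)
        off = 20 + ((vlen + 3) & ~3)          # skip opaque verifier, XDR-padded to 4 bytes
        (astat,) = struct.unpack_from("!I", data, off)
        off += 4
        if astat != ACCEPT_SUCCESS:
            raise ValueError(f"accept_stat {astat}")
        entries = []
        while True:
            (follows,) = struct.unpack_from("!I", data, off)
            off += 4
            if follows == 0:
                return entries
            entries.append(struct.unpack_from("!4I", data, off))   # prog, vers, proto, port
            off += 16
    except struct.error as exc:
        raise ValueError("truncated reply") from exc


def probe_portmapper(host: str, timeout: float = 2.0):
    """Send one DUMP to UDP/111; return the registered services, or None if nothing answered.
    None (a timeout) is the result you want after rpcbind has been disabled."""
    xid = int.from_bytes(os.urandom(4), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dump_call(xid), (host, PORTMAPPER_PORT))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_dump_reply(xid, data)


def format_entries(entries):
    return [f"{prog} v{vers} {IPPROTO_NAMES.get(proto, proto)}/{port}"
            for prog, vers, proto, port in entries]


# Constructed sample (not captured from a real node): an rpcbind advertising only itself
SAMPLE_ENTRIES = [(100000, 2, 6, 111), (100000, 2, 17, 111)]
SAMPLE_REPLY = encode_dump_reply(0x1234ABCD, SAMPLE_ENTRIES)

if __name__ == "__main__":
    import sys
    # usage: python probe_rpcbind.py NODE_IP [NODE_IP ...]
    for host in sys.argv[1:]:
        found = probe_portmapper(host)
        print(host, "no answer on udp/111 (rpcbind disabled)" if found is None
              else ", ".join(format_entries(found)))
```

Run it before and after rolling out the DaemonSet: a node that still answers lists at least program 100000 (rpcbind itself), and usually 100021 (nlockmgr) or 100024 (status) if the NFS client units have been started; a node where the socket and service are both stopped returns nothing within the timeout. UDP probes can also be dropped by a firewall, so a timeout proves the port is unreachable from where you ran the probe, not that the unit is disabled; `systemctl is-active rpcbind.socket rpcbind.service` on the node is the authoritative check.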