How to mitigate the impact of a compromised cluster node ?

hakim

Hi,

In a cluster, every node can access every other node with root privileges. Therefore, if one node gets compromised, all the others are also compromised.

Is there a way to mitigate the impact of a compromised cluster node on the other nodes?
A way to maybe only give an elevation of privilege to the process(es) involved in the cluster management?

Thanks,
Hakim
 
Very good question Hakim, but this is currently not possible. The authorized_keys of the cluster is inside the replicated /etc/pve, and if you have access to one node, you can just change the authorized_keys on one node to get access to all other nodes.

Code:
root@proxmox /etc/pve > ls -l /root/.ssh/authorized_keys
lrwxrwxrwx 1 root root 29 Feb 26  2017 /root/.ssh/authorized_keys -> /etc/pve/priv/authorized_keys
 
Even when we eliminate the root SSH access and move more code to non-privileged users (which is on our road map, but is far from trivial), there will always be stuff that needs to run privileged, and the nodes will always need to trust each other, so once you are root on one node (and thus have access to the cluster-wide corosync authentication keys, or the cluster-wide API ticket keys) you will pretty much always be able to be root on the other nodes as well.
 
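A defender-side check that follows from the two replies above (an added example, not code from this thread or from the Proxmox project): since /root/.ssh/authorized_keys on every node is a symlink into the replicated /etc/pve/priv/authorized_keys, a key added on any one node is honored cluster-wide, so auditing that file against an approved baseline, and confirming the symlink still points where expected, is one way to notice tampering early. The paths are passed as parameters and the keys in the demo are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Audit a replicated authorized_keys file against an approved baseline.
# unexpected_keys FILE BASELINE: prints "type base64" for every key in FILE
# that is not in BASELINE. Comment lines, blank lines, the comment field and
# any leading options field (e.g. from="...",command="...") are ignored, so a
# key cannot hide behind options or a friendly-looking comment.
unexpected_keys() {
    awk '
        function keyid(line,   n, f, i) {
            n = split(line, f, " ")
            # the key type may be preceded by an options field; locate it
            for (i = 1; i <= n; i++)
                if (f[i] ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+)$/ && i < n)
                    return f[i] " " f[i+1]
            return ""
        }
        # first file on the command line is the baseline, second the live file
        FILENAME == ARGV[1] { if ($0 !~ /^(#|$)/) { k = keyid($0); if (k != "") base[k] = 1 }; next }
        $0 !~ /^(#|$)/ { k = keyid($0); if (k != "" && !(k in base)) print k }
    ' "$2" "$1"
}

# symlink_ok LINK TARGET: succeeds only if LINK is a symlink pointing at TARGET
# (on a Proxmox node: /root/.ssh/authorized_keys -> /etc/pve/priv/authorized_keys).
symlink_ok() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# Constructed demo (placeholder keys, temporary files): a baseline of two node
# keys and a live file that has gained a third key with an options prefix.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'ssh-ed25519 AAAAnode1KEY root@node1' \
                  'ssh-ed25519 AAAAnode2KEY root@node2' > "$tmp/baseline"
    printf '%s\n' '# cluster keys' \
                  'ssh-ed25519 AAAAnode1KEY root@node1' \
                  'ssh-ed25519 AAAAnode2KEY root@node2' \
                  'from="10.0.0.9" ssh-rsa AAAAunknownKEY someone@laptop' > "$tmp/authorized_keys"
    ln -s "$tmp/authorized_keys" "$tmp/link"
    unexpected_keys "$tmp/authorized_keys" "$tmp/baseline"   # reports the third key
    symlink_ok "$tmp/link" "$tmp/authorized_keys" && echo "symlink ok"
    rm -rf "$tmp"
}
```

On a real node the same two functions would be pointed at /etc/pve/priv/authorized_keys, a baseline kept outside the cluster filesystem, and /root/.ssh/authorized_keys.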
