Adding ssh keys to authorized_keys

​

Event Information

​

Meaning

• This event indicates that someone has added an SSH key to the authorized_keys file, potentially granting them access to the system.
• It is important to investigate this event promptly to ensure that only authorized users have access to the cluster.
• To further investigate, you can check the authorized_keys file in the user’s home directory using the following command: kubectl exec <pod_name> -- cat ~/.ssh/authorized_keys

​

Remediation

• Create a Kubernetes ConfigMap containing the authorized_keys data:

  kubectl create configmap ssh-keys --from-file=authorized_keys=authorized_keys_file
  

• Create a Kubernetes Pod manifest file to run a Python script using the Kubernetes API to add the SSH keys to authorized_keys:

  apiVersion: v1
  kind: Pod
  metadata:
    name: ssh-keys-remediation
  spec:
    containers:
    - name: ssh-keys-remediation
      image: python:3
      command: ["python"]
      args: ["add_ssh_keys.py"]
      volumeMounts:
      - name: ssh-keys-volume
        mountPath: /keys
    volumes:
    - name: ssh-keys-volume
      configMap:
        name: ssh-keys
  

• Create a Python script (add_ssh_keys.py) to read the authorized_keys from the ConfigMap and add them to the appropriate authorized_keys file:

  import os
  
  with open('/keys/authorized_keys', 'r') as f:
      authorized_keys = f.read()
  
  with open('/root/.ssh/authorized_keys', 'a') as f:
      f.write(authorized_keys)