Jun 06

Kubernetes Tips #1: security authn/authz for etcd

The CIS Kubernetes Benchmark says of the API server's `--kubelet-client-certificate` and `--kubelet-client-key` arguments: "By default, certificate-based kubelet authentication is not set." Without a client certificate, the requests the API server sends to the kubelet are treated as anonymous.

Without those flags, the API server talks to the kubelet anonymously when it handles things like `kubectl exec` and `kubectl logs`. If that works, the kubelet is not enforcing any authentication or authorization at all, and anyone with network reachability to the kubelet port (10250/TCP by default) can make the same exec and logs requests directly, bypassing the API server and its RBAC entirely.
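An added example, not from the original post, of the check described above: send an unauthenticated request to a kubelet and classify the answer. It assumes the default kubelet port 10250, uses the read-only `/pods` endpoint rather than `exec` so the probe changes nothing on the node, and needs `curl`.

```shell
#!/bin/sh
# Added example (not from the original post): probe a kubelet anonymously
# and report whether it enforces authn/authz.
# Assumptions not stated in the post: kubelet on 10250/TCP, /pods as the
# probe endpoint, curl available.

# classify_status STATUS
# Maps the HTTP status of an unauthenticated request to a verdict.
#   200 -> anonymous requests are served: exposed
#   401 -> anonymous auth is disabled (--anonymous-auth=false)
#   403 -> anonymous auth still enabled, but authorization denied system:anonymous
#   000 -> curl could not connect (port closed or filtered)
# Return code: 0 = protected, 1 = exposed, 2 = inconclusive.
classify_status() {
  case "$1" in
    200) echo "EXPOSED: unauthenticated request to the kubelet API succeeded"; return 1 ;;
    401) echo "OK: rejected with 401, anonymous auth is disabled"; return 0 ;;
    403) echo "OK (weaker): rejected with 403, anonymous auth is enabled but authorization denied it"; return 0 ;;
    000) echo "UNREACHABLE: no TLS connection to the kubelet"; return 2 ;;
    *)   echo "UNKNOWN: HTTP status $1"; return 2 ;;
  esac
}

# probe_kubelet NODE [PORT]
# Issues the unauthenticated request and classifies the result. -k skips
# server certificate verification because kubelet serving certs are often
# self-signed; the property under test is how the kubelet treats an
# unauthenticated client, not its serving cert.
probe_kubelet() {
  node="$1"
  port="${2:-10250}"
  status=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 5 \
    "https://${node}:${port}/pods")
  printf '%s:%s ' "$node" "$port"
  classify_status "$status"
}

# probe_all_nodes
# Walks every node address the API server knows about (needs kubectl access).
probe_all_nodes() {
  kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="InternalIP")].address}' \
    | tr ' ' '\n' | while read -r ip; do
        [ -n "$ip" ] && probe_kubelet "$ip"
      done
}

# Stand-alone use: ./kubelet-probe.sh <node-ip> [port]
if [ "$#" -gt 0 ]; then
  probe_kubelet "$@"
fi
```

A 403 is still worth fixing: it means `--anonymous-auth` was left at its default of `true` and only the authorizer is standing in the way, which is exactly the posture the CIS Benchmark tells you not to rely on.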

You want the flags above on the API server, and you also want `--anonymous-auth=false` and `--authorization-mode=Webhook` on the kubelet so that it authenticates every caller and asks the API server (via a SubjectAccessReview) whether the caller is allowed to do what it is asking before serving the request. Two things have to be in place for that not to break the cluster: the kubelet needs `--client-ca-file` pointing at the CA that signed the API server's kubelet client certificate, and the identity in that certificate must be bound to the `system:kubelet-api-admin` ClusterRole (or an equivalent grant), otherwise `kubectl exec` and `kubectl logs` start failing the moment authorization is enforced.
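An added example, not from the original post, that audits the flags discussed above CIS-style over kubelet and kube-apiserver command lines. The command lines below are constructed for the demo; on a real node you would feed it the output of `ps`. It also checks `--client-ca-file` and flags a `--config` file, which goes beyond the post's two kubelet flags, because a Webhook-mode kubelet must be able to verify the API server's client certificate and a config file can override any of these flags.

```shell
#!/bin/sh
# Added example (not from the original post): CIS-style audit of the
# kubelet and kube-apiserver flags the post recommends.
# Sample command lines are constructed for the demo, not captured from a cluster.

# flag_value CMDLINE FLAG
# Prints the value of --FLAG, accepting both "--FLAG=VALUE" and "--FLAG VALUE";
# prints nothing when the flag is absent.
flag_value() {
  printf '%s\n' "$1" | tr ' ' '\n' | awk -v f="--$2" '
    $0 == f { getline; print; exit }
    index($0, f "=") == 1 { print substr($0, length(f) + 2); exit }'
}

# audit_kubelet CMDLINE
# Returns 0 when the kubelet enforces authn/authz, 1 when any check fails.
# Absent flags fall back to the insecure defaults (anonymous-auth=true,
# authorization-mode=AlwaysAllow) unless a --config file sets them.
audit_kubelet() {
  cmd="$1"; bad=0
  anon=$(flag_value "$cmd" anonymous-auth)
  authz=$(flag_value "$cmd" authorization-mode)
  ca=$(flag_value "$cmd" client-ca-file)
  cfg=$(flag_value "$cmd" config)
  [ -n "$cfg" ] && echo "NOTE: --config=$cfg; also check authentication.anonymous.enabled, authentication.x509.clientCAFile and authorization.mode in that file"
  case "$anon" in
    false) echo "PASS: --anonymous-auth=false" ;;
    "")    echo "FAIL: --anonymous-auth not set (default true)"; bad=1 ;;
    *)     echo "FAIL: --anonymous-auth=$anon"; bad=1 ;;
  esac
  case "$authz" in
    Webhook) echo "PASS: --authorization-mode=Webhook" ;;
    "")      echo "FAIL: --authorization-mode not set (default AlwaysAllow)"; bad=1 ;;
    *)       echo "FAIL: --authorization-mode=$authz"; bad=1 ;;
  esac
  if [ -n "$ca" ]; then
    echo "PASS: --client-ca-file=$ca (API server client cert can be verified)"
  else
    echo "FAIL: --client-ca-file not set; the API server's client certificate cannot be authenticated"; bad=1
  fi
  return $bad
}

# audit_apiserver CMDLINE
# Returns 0 when the API server presents a client certificate to kubelets.
audit_apiserver() {
  cmd="$1"; bad=0
  for f in kubelet-client-certificate kubelet-client-key; do
    v=$(flag_value "$cmd" "$f")
    if [ -n "$v" ]; then
      echo "PASS: --$f=$v"
    else
      echo "FAIL: --$f not set; API server requests to kubelets are anonymous"; bad=1
    fi
  done
  return $bad
}

# Constructed sample command lines (paths are illustrative).
WEAK_KUBELET='/usr/bin/kubelet --kubeconfig=/etc/kubernetes/kubelet.conf --anonymous-auth=true --authorization-mode=AlwaysAllow'
HARDENED_KUBELET='/usr/bin/kubelet --kubeconfig=/etc/kubernetes/kubelet.conf --anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt'
WEAK_APISERVER='kube-apiserver --etcd-servers=https://127.0.0.1:2379 --authorization-mode=Node,RBAC'
HARDENED_APISERVER='kube-apiserver --etcd-servers=https://127.0.0.1:2379 --authorization-mode=Node,RBAC --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key'

# Stand-alone demo over the samples. On a live node use the real process
# arguments instead, e.g. audit_kubelet "$(ps -o args= -C kubelet)".
for c in "$WEAK_KUBELET" "$HARDENED_KUBELET"; do
  echo "== kubelet: $c"; audit_kubelet "$c" || true
done
for c in "$WEAK_APISERVER" "$HARDENED_APISERVER"; do
  echo "== kube-apiserver: $c"; audit_apiserver "$c" || true
done
```

When the kubelet is driven by a `KubeletConfiguration` file rather than flags, the equivalent settings are `authentication.anonymous.enabled: false`, `authentication.x509.clientCAFile: <ca path>` and `authorization.mode: Webhook`; the flag audit alone will report false failures on such nodes, which is why the script calls out `--config`.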

Thanks to Jordan Liggitt and Brad Geesaman
