52 lines
1.5 KiB
Markdown
52 lines
1.5 KiB
Markdown
|
# Secuirty Hardning of Kubernetes API Server
|
||
|
|
|
||
|
|
After cluster installed through KubeSpray, the `kube-apiserver` allows anonymous access of APIs, that is insecure when Kubernetes API Server secured ports are public.
|
||
|
|
|
||
|
|
So we need to manually sets the `--anonymous-auth=false` flags in Kubernetes API Server manifests (`/etc/kubernetes/manifests/kube-apiserver.yaml`).
|
||
|
|
|
||
|
|
We need create service account to make probes work when we disable anonymous auth.
|
||
|
|
|
||
|
|
## How to patch it ?
|
||
|
|
|
||
|
|
First we need apply [`probe-sa.yaml`](./probe-sa.yaml) to cluster to create service account and secrets for `kube-apiserver`'s probes.
|
||
|
|
|
||
|
|
```bash
|
||
|
|
kubectl apply -f probe-sa.yaml
|
||
|
|
```
|
||
|
|
|
||
|
|
Now we can get created token from secret `kube-api-server-probe-sa-token`.
|
||
|
|
|
||
|
|
```bash
|
||
|
|
kubectl get secret kube-api-server-probe-sa-token -o jsonpath='{.data.token}' -n kube-system | base64 --decode
|
||
|
|
```
|
||
|
|
|
||
|
|
You need copy token and add this snippet into `kube-apiserver.yaml` on each master node.
|
||
|
|
|
||
|
|
```yaml
|
||
|
|
readinessProbe:
|
||
|
|
...
|
||
|
|
httpGet:
|
||
|
|
...
|
||
|
|
httpHeaders:
|
||
|
|
- name: Authorization
|
||
|
|
value: Bearer <TOKEN>
|
||
|
|
lievenessProbe:
|
||
|
|
...
|
||
|
|
httpGet:
|
||
|
|
...
|
||
|
|
httpHeaders:
|
||
|
|
- name: Authorization
|
||
|
|
value: Bearer <TOKEN>
|
||
|
|
startupProbe:
|
||
|
|
...
|
||
|
|
httpGet:
|
||
|
|
...
|
||
|
|
httpHeaders:
|
||
|
|
- name: Authorization
|
||
|
|
value: Bearer <TOKEN>
|
||
|
|
```
|
||
|
|
|
||
|
|
After you have made the modifications and saved the file, the kubelet will automatically create a new kube-apiserver pod.
|
||
|
|
|
||
|
|
You can determine if the configuration is correct by checking the ready status (`1/1`) of the pod.
|