From c1967c7ab2943a31bec47c397c1e98d9e042d788 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AD=99=E6=8C=AF=E5=AE=87?= <> Date: Tue, 14 Jan 2025 06:58:52 +0800 Subject: [PATCH] feat(k8s): add security hardening instructions for kube-apiserver and service account configuration MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 孙振宇 <> --- .../ansible/patch/kube-apiserver/README.md | 51 +++++++++++++++++++ .../patch/kube-apiserver/probe-sa.yaml | 14 +++++ 2 files changed, 65 insertions(+) create mode 100644 cluster/ansible/patch/kube-apiserver/README.md create mode 100644 cluster/ansible/patch/kube-apiserver/probe-sa.yaml diff --git a/cluster/ansible/patch/kube-apiserver/README.md b/cluster/ansible/patch/kube-apiserver/README.md new file mode 100644 index 00000000..bb0115e3 --- /dev/null +++ b/cluster/ansible/patch/kube-apiserver/README.md @@ -0,0 +1,51 @@ +# Secuirty Hardning of Kubernetes API Server + +After cluster installed through KubeSpray, the `kube-apiserver` allows anonymous access of APIs, that is insecure when Kubernetes API Server secured ports are public. + +So we need to manually sets the `--anonymous-auth=false` flags in Kubernetes API Server manifests (`/etc/kubernetes/manifests/kube-apiserver.yaml`). + +We need create service account to make probes work when we disable anonymous auth. + +## How to patch it ? + +First we need apply [`probe-sa.yaml`](./probe-sa.yaml) to cluster to create service account and secrets for `kube-apiserver`'s probes. + +```bash +kubectl apply -f probe-sa.yaml +``` + +Now we can get created token from secret `kube-api-server-probe-sa-token`. + +```bash +kubectl get secret kube-api-server-probe-sa-token -o jsonpath='{.data.token}' -n kube-system | base64 --decode +``` + +You need copy token and add this snippet into `kube-apiserver.yaml` on each master node. + +```yaml +readinessProbe: +... + httpGet: + ... + httpHeaders: + - name: Authorization + value: Bearer +lievenessProbe: +... + httpGet: + ... + httpHeaders: + - name: Authorization + value: Bearer +startupProbe: +... + httpGet: + ... + httpHeaders: + - name: Authorization + value: Bearer +``` + +After you have made the modifications and saved the file, the kubelet will automatically create a new kube-apiserver pod. + +You can determine if the configuration is correct by checking the ready status (`1/1`) of the pod. diff --git a/cluster/ansible/patch/kube-apiserver/probe-sa.yaml b/cluster/ansible/patch/kube-apiserver/probe-sa.yaml new file mode 100644 index 00000000..ce17e61e --- /dev/null +++ b/cluster/ansible/patch/kube-apiserver/probe-sa.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kube-apiserver-probe-sa + namespace: kube-system +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/service-account-token +metadata: + name: kube-api-server-probe-sa-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: "kube-apiserver-probe-sa" \ No newline at end of file