-
Notifications
You must be signed in to change notification settings - Fork 14.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Protect the Kubelet API #208
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -79,7 +79,7 @@ ExecStart=/usr/local/bin/kube-apiserver \\ | |
--etcd-servers=https://10.240.0.10:2379,https://10.240.0.11:2379,https://10.240.0.12:2379 \\ | ||
--event-ttl=1h \\ | ||
--experimental-encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml \\ | ||
--insecure-bind-address=0.0.0.0 \\ | ||
--insecure-bind-address=127.0.0.1 \\ | ||
--kubelet-certificate-authority=/var/lib/kubernetes/ca.pem \\ | ||
--kubelet-client-certificate=/var/lib/kubernetes/kubernetes.pem \\ | ||
--kubelet-client-key=/var/lib/kubernetes/kubernetes-key.pem \\ | ||
|
@@ -118,7 +118,7 @@ ExecStart=/usr/local/bin/kube-controller-manager \\ | |
--cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\ | ||
--cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \\ | ||
--leader-elect=true \\ | ||
--master=http://${INTERNAL_IP}:8080 \\ | ||
--master=http://127.0.0.1:8080 \\ | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Modify to look locally instead of on the INTERNAL_IP. |
||
--root-ca-file=/var/lib/kubernetes/ca.pem \\ | ||
--service-account-private-key-file=/var/lib/kubernetes/ca-key.pem \\ | ||
--service-cluster-ip-range=10.32.0.0/16 \\ | ||
|
@@ -144,7 +144,7 @@ Documentation=https://github.com/GoogleCloudPlatform/kubernetes | |
[Service] | ||
ExecStart=/usr/local/bin/kube-scheduler \\ | ||
--leader-elect=true \\ | ||
--master=http://${INTERNAL_IP}:8080 \\ | ||
--master=http://127.0.0.1:8080 \\ | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Modify to look locally instead of on the INTERNAL_IP. |
||
--v=2 | ||
Restart=on-failure | ||
RestartSec=5 | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -185,6 +185,8 @@ Requires=crio.service | |
|
||
[Service] | ||
ExecStart=/usr/local/bin/kubelet \\ | ||
--anonymous-auth=false \\ | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Do not automatically consider clients to the Kubelet as |
||
--authorization-mode=Webhook \\ | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ask the API server via the SubjectAccessReview mechanism if the |
||
--allow-privileged=true \\ | ||
--cluster-dns=10.32.0.10 \\ | ||
--cluster-domain=cluster.local \\ | ||
|
@@ -199,6 +201,7 @@ ExecStart=/usr/local/bin/kubelet \\ | |
--register-node=true \\ | ||
--require-kubeconfig \\ | ||
--runtime-request-timeout=10m \\ | ||
--client-ca-file=/var/lib/kubernetes/ca.pem \\ | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Give the kubelet the ability to validate certificates against the CA to know the |
||
--tls-cert-file=/var/lib/kubelet/${HOSTNAME}.pem \\ | ||
--tls-private-key-file=/var/lib/kubelet/${HOSTNAME}-key.pem \\ | ||
--v=2 | ||
|
@@ -258,15 +261,65 @@ sudo systemctl start crio kubelet kube-proxy | |
|
||
> Remember to run the above commands on each worker node: `worker-0`, `worker-1`, and `worker-2`. | ||
|
||
## Verification | ||
## Implement RBAC for Kubelet Authorization | ||
|
||
Login to one of the controller nodes: | ||
|
||
``` | ||
gcloud compute ssh controller-0 | ||
``` | ||
|
||
List the registered Kubernetes nodes: | ||
Define a ```clusterrole``` with the proper permissions for kubelet API access and a ```clusterrolebinding``` to allow the ```kubernetes``` user to use that ```clusterrole```. | ||
``` | ||
cat > kubelet-rbac.yaml << EOF | ||
--- | ||
apiVersion: v1 | ||
kind: List | ||
metadata: {} | ||
items: | ||
- apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
kind: ClusterRole | ||
metadata: | ||
annotations: | ||
rbac.authorization.kubernetes.io/autoupdate: "true" | ||
labels: | ||
kubernetes.io/bootstrapping: rbac-defaults | ||
name: system:kube-apiserver-to-kubelet | ||
rules: | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- nodes/proxy | ||
- nodes/stats | ||
- nodes/log | ||
- nodes/spec | ||
- nodes/metrics | ||
verbs: | ||
- "*" | ||
- apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: system:kube-apiserver | ||
namespace: "" | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: system:kube-apiserver-to-kubelet | ||
subjects: | ||
- apiGroup: rbac.authorization.k8s.io | ||
kind: User | ||
name: kubernetes | ||
EOF | ||
``` | ||
|
||
Create the ```clusterrole``` and ```clusterrolebinding``` in the cluster. | ||
``` | ||
kubectl create -f kubelet-rbac.yaml | ||
``` | ||
|
||
## Verification | ||
|
||
While still logged into one of the controller nodes, list the registered Kubernetes nodes: | ||
|
||
``` | ||
kubectl get nodes | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since the secure port is already listening, this is just used for the locally running control plane services.