
How to secure kubectl access?

How to secure .kube/config, so that even if our computer containing that file is compromised, our cluster is still secure?

e.g. It's not as straightforward as running kubectl delete deployment to delete our deployment (assuming we are the super admin in RBAC).

There are multiple ways of doing this, in case your machine gets compromised and you want to disable access to the cluster. Note that no solution will prevent a small window where a hacker can gain access and do some damage.

  • OIDC authentication (OpenID Connect). Mitigation -> Disable the OIDC user on the OIDC provider and enable a lifetime for the session in the OIDC provider.

  • Webhook authentication. Mitigation -> disable client certs on the webhook service; the token lifetime is controlled by --authentication-token-webhook-cache-ttl, which defaults to 2 minutes. In this case, the webhook service manages the tokens on your K8s cluster.

  • Authenticating Proxy. Mitigation -> disable users on the proxy.

  • Client Go credential plugins. Mitigation -> Disable the user in the provider that the plugin authenticates with. For example, the AWS IAM Authenticator uses this, so you would delete or disable the IAM user on AWS.
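A practical first check that follows from the answer above: find out which users in a kubeconfig carry a reusable secret in the file itself (client certificate, bearer token, password), versus users that delegate to an identity provider which can revoke access (OIDC auth-provider or an exec credential plugin). This is an added audit script, not code from the original question or answer; it reads the JSON form of a kubeconfig as printed by kubectl config view --raw -o json, and the embedded sample config is constructed with placeholder values.

```python
"""Audit a kubeconfig for long-lived credentials that survive on disk.

Users classed as 'static' hold a secret that is usable for as long as it is
valid (a client certificate cannot be revoked by the API server at all);
'revocable' users are delegated to an external provider where the account or
session can be disabled, which is the mitigation the answer above describes.
"""
import json
import sys

# Fields whose presence means a reusable secret sits in the kubeconfig itself.
STATIC_FIELDS = ("token", "tokenFile", "client-certificate-data",
                 "client-certificate", "client-key-data", "client-key",
                 "username", "password")


def classify_user(user: dict) -> str:
    """Return 'static', 'revocable' or 'none' for one users[].user block."""
    if any(field in user for field in STATIC_FIELDS):
        return "static"
    if "exec" in user:  # client-go credential plugin, e.g. aws-iam-authenticator
        return "revocable"
    if user.get("auth-provider", {}).get("name") == "oidc":
        return "revocable"
    return "none"


def audit_kubeconfig(config: dict) -> dict:
    """Map every user name in the kubeconfig to its classification."""
    return {entry["name"]: classify_user(entry.get("user", {}))
            for entry in config.get("users", [])}


# Constructed sample in the shape of `kubectl config view --raw -o json`;
# every value below is a placeholder, not a real credential.
SAMPLE_KUBECONFIG = json.loads("""{"users": [
  {"name": "admin-cert", "user": {"client-certificate-data": "PLACEHOLDER",
                                  "client-key-data": "PLACEHOLDER"}},
  {"name": "ci-token", "user": {"token": "PLACEHOLDER_TOKEN"}},
  {"name": "oidc-user", "user": {"auth-provider": {"name": "oidc",
      "config": {"idp-issuer-url": "https://idp.example.invalid"}}}},
  {"name": "eks-user", "user": {"exec": {
      "apiVersion": "client.authentication.k8s.io/v1beta1",
      "command": "aws-iam-authenticator",
      "args": ["token", "-i", "example-cluster"]}}}]}""")


if __name__ == "__main__":
    # Usage: kubectl config view --raw -o json | python audit_kubeconfig.py
    source = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_KUBECONFIG
    report = audit_kubeconfig(source)
    for name, kind in report.items():
        print(f"{name}: {kind}")
    sys.exit(1 if "static" in report.values() else 0)
```

A 'revocable' result only means the kubeconfig itself holds no secret; if the same machine also stores the provider credential the plugin uses (for example an AWS access key), that credential is what must be disabled at the provider.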
