
How to secure kubectl access?

How to secure .kube/config, so that even if our computer containing that file is compromised, our cluster is still secure?

e.g. it's not as straightforward as running kubectl delete deployment to delete our deployment (assuming we are the super admin in RBAC).

There are multiple ways of doing this, in case your machine gets compromised and you want to disable access to the cluster. Note that no solution will prevent a small window where a hacker can gain access and do some damage.

  • OIDC authentication (OpenID Connect). Mitigation -> Disable the OIDC user on the OIDC provider and enable a lifetime for the session in the OIDC provider.

  • Webhook authentication. Mitigation -> disable client certs on the webhook service and the token lifetime is controlled by --authentication-token-webhook-cache-ttl which defaults to 2 minutes. In this case, the webhook service manages the tokens on your K8s cluster.

  • Authenticating Proxy. Mitigation -> disable users on the proxy.

  • Client Go credential plugins. Mitigation -> Disable the user in the provider the plugin authenticates with. For example, the AWS IAM Authenticator uses this, so you would delete or disable the IAM user on AWS.
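As an added example (not part of the answer above), a small audit script that separates kubeconfig user entries whose credential sits in the file itself (a stolen copy keeps working until the cluster side expires or revokes it) from entries that defer to an exec credential plugin or auth provider, where the revoke-at-the-provider mitigations listed above apply. The kubeconfig, its user names, server address and credential values are constructed for this example.

```python
import json

# Constructed sample kubeconfig in JSON form (parsed here without extra
# dependencies). Names, server and credential values are placeholders.
SAMPLE_KUBECONFIG = """
{
  "apiVersion": "v1", "kind": "Config",
  "clusters": [{"name": "prod", "cluster": {"server": "https://prod.example.invalid:6443"}}],
  "users": [
    {"name": "cert-admin", "user": {"client-certificate-data": "LS0t...placeholder",
                                     "client-key-data": "LS0t...placeholder"}},
    {"name": "static-token", "user": {"token": "placeholder-static-token"}},
    {"name": "iam-user", "user": {"exec": {"apiVersion": "client.authentication.k8s.io/v1beta1",
                                            "command": "aws-iam-authenticator",
                                            "args": ["token", "-i", "prod"]}}}
  ],
  "contexts": [{"name": "prod", "context": {"cluster": "prod", "user": "cert-admin"}}],
  "current-context": "prod"
}
"""

# Credential forms stored in the file itself. Note that kube-apiserver does not
# check CRLs for client certificates, so a stolen cert stays valid until expiry.
LONG_LIVED_KEYS = ("client-certificate-data", "client-certificate", "client-key-data",
                   "client-key", "token", "tokenFile", "username", "password")

def audit_users(kubeconfig_text):
    """Return {user name: finding} for every user entry in a kubeconfig."""
    cfg = json.loads(kubeconfig_text)
    findings = {}
    for entry in cfg.get("users", []):
        user = entry.get("user", {})
        static = [k for k in LONG_LIVED_KEYS if k in user]
        if "exec" in user:
            # Credential plugin: no secret in the file; disable the user at the provider.
            findings[entry["name"]] = "ok: exec plugin " + user["exec"].get("command", "?")
        elif "auth-provider" in user:
            findings[entry["name"]] = "ok: auth-provider (OIDC or similar), revoke at the IdP"
        elif static:
            findings[entry["name"]] = "long-lived credential in file: " + ", ".join(static)
        else:
            findings[entry["name"]] = "no credential material found"
    return findings

if __name__ == "__main__":
    for name, finding in audit_users(SAMPLE_KUBECONFIG).items():
        print(f"{name}: {finding}")
```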
