Blocking access to the Kubernetes API from containers in Google Container Engine

6/9/2016

As far as I've been able to see, it is not yet possible to control Kubernetes API access from containers deployed on a Google-managed Kubernetes cluster. All containers get a token mounted as a secret and environment variables with information about the endpoint.

I am exploring the possibility of allowing users to upload code that gets deployed into containers in the cluster and I would like to block access to the API. See: https://stackoverflow.com/a/30739416/270628.

To enable ABAC or any other type of control for the cluster, I would have to deploy my own Kubernetes cluster through GCP. I'd like to avoid having to do this.

So, is it possible to prevent the mounting of those secrets or perhaps remove those secrets upon pod creation? If so, is there a recommended way?

Thank you,

-- luisgo
Tags: google-kubernetes-engine, kubernetes

1 Answer

6/10/2016

You are correct that it isn't possible to create a pod without the service account being added (see https://github.com/kubernetes/kubernetes/issues/16779). If you have control over the yaml files that create pods, you can follow this advice to mount an emptyDir volume on top of the service account to prevent the pod from accessing the credentials.

-- Robert Bailey
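The workaround described in the answer, written out as a complete pod manifest. This is an added example, not part of Robert Bailey's answer or of any Kubernetes project documentation; the pod name, container image and the volume name `no-sa-token` are my own choices. The only thing that matters is the mount path: Kubernetes always projects the default service account token into `/var/run/secrets/kubernetes.io/serviceaccount`, so mounting an `emptyDir` there shadows the token, the CA bundle and the namespace file with an empty directory.

```yaml
# Added example (not from the original answer): shadow the auto-mounted
# service account secret with an empty volume so code in the container
# cannot read the token. Names are placeholders chosen for this example.
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-code          # placeholder pod name
spec:
  containers:
  - name: worker
    image: busybox              # placeholder image; use your own
    command: ["sh", "-c", "sleep 3600"]
    volumeMounts:
    # This is the path the kubelet uses for the service account secret.
    # Mounting our own volume on the same path takes precedence.
    - name: no-sa-token
      mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      readOnly: true
  volumes:
  # emptyDir starts empty and lives only as long as the pod.
  - name: no-sa-token
    emptyDir: {}
```

To confirm the shadowing worked, exec into the running pod and list the directory; it should be empty, and `cat .../token` should fail with "No such file or directory". Two caveats for a threat model where the container runs untrusted code: the `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` environment variables mentioned in the question are still injected, and the API server is still reachable over the network, so this only removes the credential, not the route; any request from the container is then treated as anonymous and is subject to whatever the cluster allows anonymous callers to do. Later Kubernetes releases (1.6 onward, after this exchange) added `automountServiceAccountToken: false` on the pod spec and on the ServiceAccount object, which stops the mount at the source and is the cleaner option where it is available.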
Source: StackOverflow