KOPS lets us create a Kubernetes cluster along with a bastion that has ssh access to the cluster nodes. With this setup, is it still considered safe to use kubectl to interact with the Kubernetes API server? kubectl can also be used to interact with a shell on the pods; does this need any restrictions?

What are the precautionary steps that need to be taken, if any? Should the Kubernetes API server also be made accessible only through the bastion?
Kops provides reasonable defaults, so the simple answer is: it is reasonably safe to use kops-provisioned infrastructure as is after provisioning.
Deploying a Kubernetes cluster with the default Kops settings isn't secure at all and shouldn't be used in production as such. There are multiple configuration settings that can be changed using the kops edit command. The following points should be considered after creating a Kubernetes cluster via Kops:

```yaml
kubeAPIServer:
  auditLogMaxAge: 10
  auditLogMaxBackups: 1
  auditLogMaxSize: 100
  auditLogPath: /var/log/kube-apiserver-audit.log
  auditPolicyFile: /srv/kubernetes/audit.yaml
```
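Enabling API server audit logging as above only pays off if someone reads the log, and the question's concern about kubectl shells into pods is exactly the kind of thing it answers. The script below is an added example (not part of the answer above or of the kops project) that reads the JSON-lines audit log kube-apiserver writes to auditLogPath and reports every pods/exec and pods/attach request: who opened it, into which pod, from which source address, and with what command. The sample log lines are constructed for the example in the audit.k8s.io/v1 Event format; the same exec request appears twice (ResponseStarted and ResponseComplete stages, sharing one auditID), which is how the real log looks and why the code deduplicates on auditID.

```python
"""Flag interactive shell access (pods/exec, pods/attach) in a kube-apiserver audit log.

Added example: reads the JSON-lines audit log kube-apiserver writes to auditLogPath
and reports who opened a shell into which pod, from where, with what command.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Subresources that give a caller an interactive session inside a container.
SHELL_SUBRESOURCES = {"exec", "attach"}

# Constructed sample lines in the audit.k8s.io/v1 Event format (not from any real cluster).
# The first two lines are the same exec request at two audit stages (same auditID).
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","level":"RequestResponse","stage":"ResponseStarted","verb":"create","user":{"username":"alice","groups":["system:authenticated"]},"objectRef":{"resource":"pods","namespace":"prod","name":"web-0","subresource":"exec"},"requestURI":"/api/v1/namespaces/prod/pods/web-0/exec?command=%2Fbin%2Fsh&stdin=true&tty=true","sourceIPs":["10.0.3.7"]}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"alice","groups":["system:authenticated"]},"objectRef":{"resource":"pods","namespace":"prod","name":"web-0","subresource":"exec"},"requestURI":"/api/v1/namespaces/prod/pods/web-0/exec?command=%2Fbin%2Fsh&stdin=true&tty=true","sourceIPs":["10.0.3.7"]}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"b2","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"bob"},"objectRef":{"resource":"pods","namespace":"prod","name":"web-0"},"requestURI":"/api/v1/namespaces/prod/pods/web-0","sourceIPs":["10.0.3.8"]}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"c3","level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:ci:deployer"},"objectRef":{"resource":"pods","namespace":"ci","name":"runner-7","subresource":"exec"},"requestURI":"/api/v1/namespaces/ci/pods/runner-7/exec?command=ls&command=-la&container=main","sourceIPs":["10.0.9.2"]}
this line is not JSON and must be skipped
"""


def parse_events(text):
    """Parse JSON-lines audit output, skipping blank and malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and event.get("kind") == "Event":
            events.append(event)
    return events


def command_from_uri(uri):
    """Recover the exec command from the request's query string (repeated 'command' keys)."""
    query = parse_qs(urlsplit(uri).query)
    return " ".join(query.get("command", []))


def find_shell_access(events):
    """Return one record per exec/attach request, deduplicated across audit stages."""
    seen = set()
    hits = []
    for event in events:
        ref = event.get("objectRef") or {}
        if ref.get("resource") != "pods" or ref.get("subresource") not in SHELL_SUBRESOURCES:
            continue
        audit_id = event.get("auditID")
        if audit_id is not None:
            if audit_id in seen:
                continue
            seen.add(audit_id)
        hits.append({
            "user": (event.get("user") or {}).get("username", "<unknown>"),
            "namespace": ref.get("namespace", ""),
            "pod": ref.get("name", ""),
            "subresource": ref["subresource"],
            "source_ip": (event.get("sourceIPs") or ["<unknown>"])[0],
            "command": command_from_uri(event.get("requestURI", "")),
        })
    return hits


def shell_access_by_user(events):
    """Count shell sessions per principal, for a quick who-is-exec'ing view."""
    counts = {}
    for hit in find_shell_access(events):
        counts[hit["user"]] = counts.get(hit["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_shell_access(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"{hit['user']} {hit['subresource']} {hit['namespace']}/{hit['pod']} "
              f"from {hit['source_ip']}: {hit['command'] or '<none>'}")
```

To run it against a real cluster, replace SAMPLE_AUDIT_LOG with the contents of the auditLogPath file from the kubeAPIServer settings above; exec and attach requests are only recorded at a useful level if the policy in auditPolicyFile logs the pods subresources at Request or RequestResponse level rather than None.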