K
Q

kubectl exec vs ssh using bastion

8/10/2018

KOPS lets us create a Kubernetes cluster along with a bastion that has ssh access to the cluster nodes

With this setup is it still considered safe to use kubectl to interact with the Kubernetes API server?

kubectl can also be used to interact with shell on the pods? Does this need any restrictions?

What are the precautionary steps that need to be taken if any? Should the Kubernetes API server also be made accessible only through the bastion?

-- tushar
kops
kubectl
kubernetes
security

Similar Questions

spark on k8s - Error 'Invalid initial heap size: -Xms'
How to use service name instead of External IP/domain name for a service endpoint url in kubernetes
kubernetes CI/CD: automate docker build, tag and push tasks on a CI/CD infrastructure
Connect Flask pod with mongodb pod in kubernetes.
How to allow an assume role connect from EC2 to EKS on AWS?
Ssh config for Jenkins when using helm and k8s

2 Answers

8/10/2018

Kops provides reasonable defaults, so the simple answer is : it is reasonably safe to use kops provisioned infrastructure as is after provisioning.

-- Radek 'Goblin' Pieczonka
Source: StackOverflow
8/13/2018

Deploying a Kubernetes cluster with the default Kops settings isn’t secure at all and shouldn’t be used in production as such. There are multiple configuration settings that can be done using kops edit command. Following points should be considered after creating a Kubnertes Cluster via Kops:

  • Cluster Nodes in Private Subnets (existing private subnets can be specified using --subnets with the latest version of kops)
  • Private API LoadBalancer (--api-loadbalancer-type internal)
  • Restrict API Loadbalancer to certain private IP range (--admin-access 10.xx.xx.xx/24)
  • Restrict SSH access to Cluster Node to particular IP (--ssh-access xx.xx.xx.xx/32)
  • Hardened Image can also be provisioned as Cluster Nodes (--image )
  • Authorization level must be RBAC. With latest Kubernetes version, RBAC is enabled by default.
  • The Audit logs can be enabled via configuration in Kops edit cluster. kubeAPIServer: auditLogMaxAge: 10 auditLogMaxBackups: 1 auditLogMaxSize: 100 auditLogPath: /var/log/kube-apiserver-audit.log auditPolicyFile: /srv/kubernetes/audit.yaml
-- priyanka sharma
Source: StackOverflow