How to enforce authentication and authorization modules on insecure kubernetes api server port

9/6/2019

I have enabled the API server over insecure port on the private subnet, with the following flag

- --insecure-port=8080
- --insecure-bind-address=0.0.0.0

As a result of this, it bypasses the authentication and authorization modules, which is perfectly well documented in https://kubernetes.io/docs/reference/access-authn-authz/controlling-access/

I tried adding the flag --anonymous-auth=false, but that doesn't solve the purpose.

Here is the complete list of API server command flags:

- kube-apiserver
- --advertise-address=192.0.3.6
- --allow-privileged=true
- --authorization-mode=Node,RBAC
- --anonymous-auth=false
- --client-ca-file=/etc/kubernetes/pki/ca.crt
- --enable-admission-plugins=NodeRestriction
- --enable-bootstrap-token-auth=true
- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
- --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
- --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
- --etcd-servers=https://127.0.0.1:2379
- --insecure-port=8080
- --insecure-bind-address=0.0.0.0
- --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
- --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
- --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
- --requestheader-allowed-names=front-proxy-client
- --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
- --requestheader-extra-headers-prefix=X-Remote-Extra-
- --requestheader-group-headers=X-Remote-Group
- --requestheader-username-headers=X-Remote-User
- --secure-port=6443
- --service-account-key-file=/etc/kubernetes/pki/sa.pub
- --service-cluster-ip-range=10.96.0.0/12
- --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
- --tls-private-key-file=/etc/kubernetes/pki/apiserver.key

Security-wise, I know the insecure port shouldn't be used for communication, but this is a completely isolated network and I'm trying to enable the authentication and authorization modules over the insecure port.

-- anish
kubernetes

1 Answer

9/6/2019

By default, the insecure port bypasses the authentication and authorization modules, as its primary task is to bootstrap and test the server, not to act as the main port.

The authentication and authorization modules can only be enabled on the secure port.

Wrapping up, the port you want to secure is not meant to have these modules enabled.

-- yyyyahir
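Since the insecure listener cannot be given authentication or authorization, the practical fix is to switch it off and make every client, including scripts on the isolated subnet, use port 6443 with a credential. The script below is an added example, not code from the question or the answer: it audits a kubeadm-style kube-apiserver static-pod manifest for the insecure listener and writes a hardened copy with --insecure-port=0 (the setting kubeadm itself generates) and the --insecure-bind-address flag removed. The manifest it operates on is constructed here from a subset of the flags in the question; the temporary path and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the question or answer: audit a kubeadm-style
# kube-apiserver static-pod manifest for the legacy insecure listener and emit
# a hardened copy. Works on the manifest text only, so it runs offline.
# Assumptions: the temporary path and the trimmed manifest below are
# constructed from the flags in the question; on a real node the file is
# usually /etc/kubernetes/manifests/kube-apiserver.yaml.

WORK=$(mktemp -d)
MANIFEST="$WORK/kube-apiserver.yaml"

# Constructed sample: a subset of the command list from the question.
cat > "$MANIFEST" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.0.3.6
    - --authorization-mode=Node,RBAC
    - --anonymous-auth=false
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --insecure-port=8080
    - --insecure-bind-address=0.0.0.0
    - --secure-port=6443
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
EOF

# flag_value FILE FLAG: print the value of the "- --FLAG=value" list entry,
# or nothing when the flag is absent.
flag_value() {
    sed -n "s/^[[:space:]]*-[[:space:]]*--$2=\(.*\)$/\1/p" "$1" | head -n 1
}

# audit_insecure_port FILE: print "OK" when the insecure listener is
# explicitly disabled (--insecure-port=0), otherwise "INSECURE <port> <bind>".
# Exit status 1 in the INSECURE case so the function can gate a CI job.
# An absent flag is reported as INSECURE too: --anonymous-auth and
# --authorization-mode never apply to this listener, so the only safe state
# is an explicit 0 rather than whatever the binary's default happens to be.
audit_insecure_port() {
    port=$(flag_value "$1" insecure-port)
    bind=$(flag_value "$1" insecure-bind-address)
    if [ "$port" = "0" ]; then
        echo "OK"
        return 0
    fi
    # 127.0.0.1 is the kube-apiserver default for --insecure-bind-address.
    echo "INSECURE ${port:-unset} ${bind:-127.0.0.1}"
    return 1
}

# harden_manifest IN OUT: write a copy with --insecure-port forced to 0 and
# --insecure-bind-address removed. When --insecure-port is missing entirely,
# an explicit "- --insecure-port=0" is inserted right after "- kube-apiserver"
# with the same indentation, so the result never relies on a default.
harden_manifest() {
    have=$(flag_value "$1" insecure-port)
    awk -v have="$have" '
        /^[[:space:]]*-[[:space:]]*--insecure-port=/         { sub(/=.*$/, "=0") }
        /^[[:space:]]*-[[:space:]]*--insecure-bind-address=/ { next }
        { print }
        have == "" && /^[[:space:]]*-[[:space:]]*kube-apiserver$/ {
            indent = $0; sub(/-.*$/, "", indent)
            print indent "- --insecure-port=0"
        }
    ' "$1" > "$2"
}

echo "before: $(audit_insecure_port "$MANIFEST")"
harden_manifest "$MANIFEST" "$MANIFEST.hardened"
echo "after:  $(audit_insecure_port "$MANIFEST.hardened")"
```

On a live control-plane node, point the two functions at /etc/kubernetes/manifests/kube-apiserver.yaml; the kubelet restarts the static pod once the file changes. Confirm the result from another host on the subnet: `curl http://<advertise-address>:8080/api` should now be refused, and `curl -k https://<advertise-address>:6443/api` with no credentials should return 401 because of --anonymous-auth=false, which only ever applied to the secure port. The insecure listener was made non-functional in Kubernetes v1.20 and the flags themselves were removed in v1.24, so a manifest that still carries them will also break the next upgrade.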
Source: StackOverflow