I have enabled the API server over the insecure port on the private subnet, with the following flags:
- --insecure-port=8080
- --insecure-bind-address=0.0.0.0
As a result of this it bypasses the authentication and authorization modules, which is perfectly well documented in https://kubernetes.io/docs/reference/access-authn-authz/controlling-access/
I tried adding the flag --anonymous-auth=false, but it doesn't solve the problem.
Here is the complete list of API server command flags:
- kube-apiserver
- --advertise-address=192.0.3.6
- --allow-privileged=true
- --authorization-mode=Node,RBAC
- --anonymous-auth=false
- --client-ca-file=/etc/kubernetes/pki/ca.crt
- --enable-admission-plugins=NodeRestriction
- --enable-bootstrap-token-auth=true
- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
- --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
- --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
- --etcd-servers=https://127.0.0.1:2379
- --insecure-port=8080
- --insecure-bind-address=0.0.0.0
- --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
- --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
- --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
- --requestheader-allowed-names=front-proxy-client
- --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
- --requestheader-extra-headers-prefix=X-Remote-Extra-
- --requestheader-group-headers=X-Remote-Group
- --requestheader-username-headers=X-Remote-User
- --secure-port=6443
- --service-account-key-file=/etc/kubernetes/pki/sa.pub
- --service-cluster-ip-range=10.96.0.0/12
- --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
- --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
Security-wise, I know the insecure port shouldn't be used for communication, but this is a completely isolated network and I'm trying to enable the authentication and authorization modules over the insecure port.
By default, the insecure port bypasses the authentication and authorization modules, as its primary task is to bootstrap and test the server, not to act as the main port.
The authentication and authorization modules can be enabled in the secure port.
Wrapping up, the port you want to secure is not meant to have these modules enabled.
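A small audit helper that makes the answer's point concrete, added here as an example that is not part of the question or the answer above: it parses a kube-apiserver argument list in the `- --flag=value` form shown in the question, reports when the insecure port is on (and bound beyond localhost, or paired with `--anonymous-auth`, which only governs the secure port), and rewrites the list with `--insecure-port=0`. The sample argument list is constructed from the flags in the question, and the assumed defaults of `127.0.0.1` for `--insecure-bind-address` and "set it explicitly" for an absent `--insecure-port` are labelled in the code.

```python
"""Audit a kube-apiserver argument list for the insecure port.

Added example, not code from the question or the answer. Assumes the flags
are available as a list of "--flag=value" strings, as they appear under
containers[0].command in a kubeadm static-pod manifest.
"""
from typing import Dict, List

# Constructed sample: the flags from the question, reduced to the ones
# relevant to this check.
SAMPLE_ARGS = [
    "kube-apiserver",
    "--advertise-address=192.0.3.6",
    "--authorization-mode=Node,RBAC",
    "--anonymous-auth=false",
    "--insecure-port=8080",
    "--insecure-bind-address=0.0.0.0",
    "--secure-port=6443",
]


def parse_flags(args: List[str]) -> Dict[str, str]:
    """Turn ["--a=b", "--c"] into {"a": "b", "c": "true"}; skip the binary name."""
    flags: Dict[str, str] = {}
    for arg in args:
        if not arg.startswith("--"):
            continue
        key, sep, value = arg[2:].partition("=")
        flags[key] = value if sep else "true"
    return flags


def audit_insecure_port(args: List[str]) -> List[str]:
    """Return findings (empty list when the insecure port is explicitly off).

    Requests on the insecure port skip authentication and authorization
    entirely, whatever --anonymous-auth or --authorization-mode say, so the
    only real fix is --insecure-port=0.
    """
    flags = parse_flags(args)
    findings: List[str] = []
    port = flags.get("insecure-port")
    if port is None:
        # Assumption: the release default is not relied on; require it to be set.
        findings.append("insecure-port not set explicitly; set --insecure-port=0")
        return findings
    if port == "0":
        return findings
    findings.append(
        f"insecure port {port} is enabled: requests on it skip "
        "authentication and authorization entirely"
    )
    # Assumption: 127.0.0.1 is the default bind address when the flag is absent.
    bind = flags.get("insecure-bind-address", "127.0.0.1")
    if bind != "127.0.0.1":
        findings.append(
            f"insecure port is bound to {bind}, so it is reachable from other "
            "hosts on the subnet, not only from the control-plane node"
        )
    if "anonymous-auth" in flags:
        findings.append(
            "--anonymous-auth has no effect on the insecure port; it only "
            "governs the secure port"
        )
    return findings


def harden(args: List[str]) -> List[str]:
    """Rewrite the argument list so the insecure port is off.

    Every other flag is kept; --insecure-bind-address is dropped because it
    is meaningless once the port is 0.
    """
    out: List[str] = []
    for arg in args:
        if arg.startswith("--insecure-bind-address="):
            continue
        if arg.startswith("--insecure-port="):
            out.append("--insecure-port=0")
            continue
        out.append(arg)
    if not any(a.startswith("--insecure-port=") for a in out):
        out.append("--insecure-port=0")
    return out


if __name__ == "__main__":
    for finding in audit_insecure_port(SAMPLE_ARGS):
        print("FINDING:", finding)
    print("hardened:", " ".join(harden(SAMPLE_ARGS)))
```

Run against the question's manifest it reports three findings; run against the output of `harden()` it reports none, which is the state the answer describes: authentication and authorization only ever apply on `--secure-port`.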