How to block the option to `kubectl exec` and any other external connection to a certain container on a cluster

9/9/2019

I have a cluster hosted on GKE with several deployments on it.
I can connect to the pods with kubectl exec:

kubectl exec -it mypod-1234566-7890976 -- bash

I want to remove the option to connect with kubectl exec to a certain container.

Is there a way to block the option to connect to the container by blocking SSH in the Dockerfile of the container, or any other way?

-- dina
docker
google-kubernetes-engine
kubernetes

2 Answers

9/9/2019

You can block access to certain objects/resources using a proper RBAC configuration.

This might be helpful.

-- FL3SH
Source: StackOverflow

9/9/2019

To limit the ability to kubectl exec to pods, what you want to do is create a custom Role and RoleBinding that removes the create verb for the pods/exec resource. An easy approach to this might be to copy the default RBAC policies, then make the appropriate edit and rename.

Because of how RBAC works, the finest granularity you could apply to this is per-namespace, but it's not possible to filter this to a particular pod/deployment/etc.

As for other inbound external connections to a pod, this shouldn't be possible by default, unless you have created an Ingress and/or Service specifically to do this. This is because, by and large, most providers will be using private IP address ranges for the node IPs and also for the Pod networking, hence they aren't reachable from outside without some NATing or proxying.

Hope this helps.

-- cewood
Source: StackOverflow
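Both answers point at RBAC without showing it, so here is a worked version of what cewood describes. This is an added example, not code from either answer or from the original question: the namespace `prod`, the service account `app-operator`, the Role name `pod-reader-no-exec` and the pod label `app=sensitive` are all assumed names. The Role grants read access to pods but deliberately omits the `create` verb on `pods/exec` (and on `pods/attach` and `pods/portforward`, which are equivalent interactive paths), so `kubectl exec` by that subject is denied. The trailing NetworkPolicy covers the second paragraph of the answer, the in-cluster network side; on GKE it only takes effect when network policy enforcement is enabled on the cluster.

```yaml
# Added example; assumed names: namespace "prod", service account
# "app-operator", Role "pod-reader-no-exec", pod label app=sensitive.
#
# Role that allows reading pods and logs but NOT creating pods/exec,
# pods/attach or pods/portforward. Because RBAC is purely additive,
# "denying" exec simply means never granting it anywhere.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader-no-exec
  namespace: prod
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
# Intentionally absent:
# - apiGroups: [""]
#   resources: ["pods/exec", "pods/attach", "pods/portforward"]
#   verbs: ["create"]
---
# Bind the Role to the subject that should be able to see, but not
# enter, the pods in this namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-no-exec
  namespace: prod
subjects:
- kind: ServiceAccount
  name: app-operator
  namespace: prod
roleRef:
  kind: Role
  name: pod-reader-no-exec
  apiGroup: rbac.authorization.k8s.io
---
# Network side: a NetworkPolicy that selects the sensitive pods and
# lists no ingress rules, which denies all inbound traffic to them
# (from other pods, Services and Ingress controllers alike).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-ingress-sensitive
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: sensitive
  policyTypes: ["Ingress"]
```

After applying it, verify the effect from the API server's point of view rather than by trying to exec: `kubectl auth can-i create pods/exec -n prod --as=system:serviceaccount:prod:app-operator` should print `no`, while `kubectl auth can-i get pods -n prod --as=system:serviceaccount:prod:app-operator` should print `yes`. Two caveats a practitioner should check: first, since RBAC is additive, this Role does nothing if the same subject is also bound to a ClusterRole that already includes `pods/exec` (the built-in `edit` and `admin` roles do), so audit all bindings for the subject, not just this one; second, on GKE, Google Cloud IAM roles such as `roles/container.developer` carry the `container.pods.exec` permission independently of Kubernetes RBAC, so IAM bindings on the project must be reviewed too. If you need to narrow a grant (rather than a denial) to specific pods, RBAC rules accept `resourceNames`, but pod names generated by a Deployment change on every rollout, which is why per-deployment scoping is not practical that way.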