Question

How To Secure Access To Cluster

Posted on August 30, 2023
Security DigitalOcean Managed Kubernetes Firewall Kubernetes
Asked by Artem Brezhnev

Hi there,

We use Kubernetes Managed Kubernetes, and became recently concerned about the potential security vulnerability.

Access to the cluster is granted with the “kubeconfig” which contains Kubernetes API token. So the only thing it takes for anyone to get access to the entire cluster and application environment is to get content from that file.

Is there a recommended way of handling this problem? Is it possible to restrict access behind a firewall, or disable root type of access and use a solution like Teleport?

Please share your experience.

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Bobby Iliev

Site Moderator

• July 8, 2024

Hi there,

A quick update here in case that anyone comes across this in the future.

DigitalOcean has just announced that Control plane firewalls are now available in Early Availability.

The feature improves security and traffic for your cluster. Once enabled, only configured IP addresses, cluster worker nodes and workloads, and internal systems that manage the cluster (such as cluster upgrades) can access the control plane.

Existing open connections continue to work until they terminate. However, for WATCH requests, the API server enforces a maximum of 30 minutes for terminating the open connection.

For more information, see How to Add a Control Plane Firewall.

- Bobby

Bobby Iliev

Site Moderator

• March 25, 2024

This comment has been deleted