Hi there,
We use Kubernetes Managed Kubernetes, and became recently concerned about the potential security vulnerability.
Access to the cluster is granted with the “kubeconfig” which contains Kubernetes API token. So the only thing it takes for anyone to get access to the entire cluster and application environment is to get content from that file.
Is there a recommended way of handling this problem? Is it possible to restrict access behind a firewall, or disable root type of access and use a solution like Teleport?
Please share your experience.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Sign up for Infrastructure as a Newsletter.
Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
Hi there,
A quick update here in case that anyone comes across this in the future.
DigitalOcean has just announced that Control plane firewalls are now available in Early Availability.
The feature improves security and traffic for your cluster. Once enabled, only configured IP addresses, cluster worker nodes and workloads, and internal systems that manage the cluster (such as cluster upgrades) can access the control plane.
Existing open connections continue to work until they terminate. However, for
WATCH
requests, the API server enforces a maximum of 30 minutes for terminating the open connection.For more information, see How to Add a Control Plane Firewall.
- Bobby
This comment has been deleted