
I have a scenario where I have to install Kubernetes on a public cloud and access the Kubernetes cluster via kubectl from a VM on my laptop.

kubectl reads .kube/config to connect to the K8S API server and perform the required operation.

There is an application that runs as a Docker container inside the VM and connects to K8S using .kube/config, which is mapped in as a volume. That is: -v $HOME/.kube:/home/test/.kube

Are there any security loopholes I should be aware of?

schroeder
B_B

1 Answer


If you give an application access to your Kubeconfig file you're giving it effectively your rights to every cluster defined in that file.

Kubeconfig files contain credentials for one or more clusters, generally either as client certificates or as JWT tokens. An application with access to that file can then access those clusters. If the application running in the Docker container is malicious, it could possibly exfiltrate that information and try to access the clusters defined in your Kubeconfig file (assuming it can reach them at a network level).

You should make sure that you're happy to trust the application running in the Docker container with access to these credentials.

Rory McCune
  • So essentially, it boils down to how much I trust the application running inside the Docker container? Need to not worry about other aspects of security. – B_B Aug 11 '20 at 04:40
  • That'd be the key concern I can see; what other aspects were you thinking of? – Rory McCune Aug 11 '20 at 07:54
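To make the answer's point concrete, here is an added example (not code from the original question or answer) that audits a kubeconfig the way a reviewer would before mounting it into a container: for every context it reports which API server is reachable, what kind of credential is used, whether the secret is embedded in the file itself, and whether TLS verification is disabled. It then builds the alternative a practitioner would want: a kubeconfig scoped to exactly one cluster and one bearer token (for example a ServiceAccount token bound to a narrow Role), which is what to mount instead of the whole $HOME/.kube directory. The sample kubeconfig is constructed for this example; its certificate, key and token values are placeholders, and the server addresses are assumptions. JSON is used for the file body because kubectl accepts JSON kubeconfigs (JSON is valid YAML), which keeps the example free of third-party parsers.

```python
import base64
import json

# Constructed sample kubeconfig. JSON is valid YAML, so kubectl reads this
# verbatim; every certificate, key and token below is a placeholder string
# and the server addresses are assumptions for the example.
SAMPLE_KUBECONFIG = json.dumps({
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [
        {"name": "prod", "cluster": {
            "server": "https://203.0.113.10:6443",
            "certificate-authority-data": base64.b64encode(b"placeholder CA").decode()}},
        {"name": "dev", "cluster": {
            "server": "https://203.0.113.20:6443",
            "insecure-skip-tls-verify": True}},
    ],
    "users": [
        # Embedded client certificate + key: whoever reads the file *is* this user.
        {"name": "prod-admin", "user": {
            "client-certificate-data": base64.b64encode(b"placeholder cert").decode(),
            "client-key-data": base64.b64encode(b"placeholder key").decode()}},
        # Embedded bearer token (e.g. a ServiceAccount JWT).
        {"name": "dev-ci", "user": {"token": "placeholder.jwt.token"}},
        # Exec plugin: the secret lives in the plugin's own store, not in this file.
        {"name": "sso", "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1beta1",
            "command": "kubelogin", "args": ["get-token"]}}},
    ],
    "contexts": [
        {"name": "prod", "context": {"cluster": "prod", "user": "prod-admin"}},
        {"name": "dev", "context": {"cluster": "dev", "user": "dev-ci"}},
        {"name": "dev-sso", "context": {"cluster": "dev", "user": "sso"}},
    ],
    "current-context": "prod",
})

# Keys whose presence means the credential itself is stored in the file.
EMBEDDED_KEYS = {"client-certificate-data", "client-key-data", "token", "password"}


def credential_kind(user_spec):
    """Classify how a kubeconfig 'user' entry authenticates."""
    if "client-certificate-data" in user_spec or "client-certificate" in user_spec:
        return "client-cert"
    if "token" in user_spec or "tokenFile" in user_spec:
        return "bearer-token"
    if "exec" in user_spec:
        return "exec-plugin"
    if "auth-provider" in user_spec:
        return "auth-provider"
    if "username" in user_spec or "password" in user_spec:
        return "basic-auth"
    return "none"


def audit_kubeconfig(text):
    """Return one finding per context: which API server it reaches, with what
    kind of credential, and whether the secret is sitting in the file itself."""
    cfg = json.loads(text)
    clusters = {c["name"]: c["cluster"] for c in cfg.get("clusters", [])}
    users = {u["name"]: u["user"] for u in cfg.get("users", [])}
    findings = []
    for ctx in cfg.get("contexts", []):
        cluster = clusters.get(ctx["context"]["cluster"], {})
        user = users.get(ctx["context"].get("user", ""), {})
        findings.append({
            "context": ctx["name"],
            "server": cluster.get("server"),
            "tls_verified": not cluster.get("insecure-skip-tls-verify", False),
            "user": ctx["context"].get("user"),
            "credential": credential_kind(user),
            "secret_in_file": bool(EMBEDDED_KEYS & set(user)),
        })
    return findings


def scoped_kubeconfig(cluster_name, server, ca_data, token):
    """Build a kubeconfig that reaches exactly one cluster with one bearer
    token (e.g. a ServiceAccount token bound to a narrowly scoped Role).
    Mount this single file into the container instead of all of ~/.kube."""
    user_name = f"{cluster_name}-app"
    return json.dumps({
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster_name, "cluster": {
            "server": server, "certificate-authority-data": ca_data}}],
        "users": [{"name": user_name, "user": {"token": token}}],
        "contexts": [{"name": cluster_name, "context": {
            "cluster": cluster_name, "user": user_name}}],
        "current-context": cluster_name,
    }, indent=2)


if __name__ == "__main__":
    for f in audit_kubeconfig(SAMPLE_KUBECONFIG):
        flag = "SECRET IN FILE" if f["secret_in_file"] else "secret elsewhere"
        tls = "" if f["tls_verified"] else ", TLS verification disabled"
        print(f'{f["context"]}: {f["server"]} as {f["user"]} via {f["credential"]} ({flag}{tls})')
```

Run against a real ~/.kube/config (after converting it to JSON, or swapping json.loads for a YAML loader), the audit shows exactly what the container inherits from the mount: every context the file can reach, not just the current one. The scoped file is only as safe as the token inside it, so pair it with a ServiceAccount whose RoleBinding grants the few verbs the application actually needs, and prefer a bound, time-limited token over a long-lived Secret-backed one.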