I am trying to make my Master Server-API more secure in order to avoid allowing non-HTTPS requests to go through.

Sample of config:

$ kubectl config view
apiVersion: v1
clusters:
- cluster:
    server: https://ip:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
    token: REDACTED

Which works as long as I am using the correct CAs.

My problem is that it also works if I remove the CAs or have the wrong CAs and simply apply the flag --insecure-skip-tls-verify.

How can I force the server to allow https connections instead of http on the Server-API?

I have also disabled anonymous requests, but I can still see that the requests can pass through.

Thanos
  • Could you share more information about your environment? What Kubernetes version are you using? Is it your local env? Do you want to use some 3rd party software like `Nginx Ingress Controller` or do you want to use the pure Kubernetes way? If you check the [kubernetes docs](https://kubernetes.io/docs/reference/kubectl/kubectl/) you will find a description of `--insecure-skip-tls-verify` - `If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure` In short, with this parameter Kubernetes will skip validating the CA. In short, you want to force HTTPS? – PjoterS Dec 10 '20 at 17:40
  • Hello @PjoterS, yes it is a cluster on bare metal. I use ingress and also an external LB that I have configured as ssl pass through for port 6443. You got it exactly right I want to enforce https only not accept http. I do not allow through the LB the port 8080 to pass through but on port 6443 if I use the flag `--insecure-skip-tls-verify` the API accepts the request. How can I stop this and allow only https? Thank you in advance for your time and effort. – Thanos Dec 11 '20 at 07:58

1 Answer

My problem is that it also works if I remove the CAs or have the wrong CAs and simply apply the flag --insecure-skip-tls-verify.

Using --insecure-skip-tls-verify is highly NOT RECOMMENDED in a production environment. It can be used when you want to do some local tests or for learning purposes.

In Kubectl documentation you have information:

--insecure-skip-tls-verify

If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure

So, if this flag is set to true, it will always skip certs and the identity of the server is not checked at all. It's similar to curl -k:

-k, --insecure
              (TLS) By default, every SSL connection curl makes is verified to
              The  server  connection  is verified by making sure the server's
              interface name, IP address or host name.

You can secure your cluster in many ways, but it depends on the scenario. However, there are some main concepts around API server ports and IPs:

Use SecurePort

By default the Kubernetes API server serves HTTP on 2 ports:

  1. localhost port:
  • is intended for testing and bootstrap, and for other components of the master node (scheduler, controller-manager) to talk to the API
  • no TLS
  • Disable insecure http connections: default is port 8080, change with --insecure-port flag. (It can be disabled by --insecure-port=0)
  • default IP is localhost, change with --insecure-bind-address flag. (Remove --insecure-bind-address)
  • request bypasses authentication and authorization modules.
  • request handled by admission control module(s).
  • protected by need to have host access
  2. Secure port:
  • use whenever possible
  • Enable secure port: uses TLS. Set cert with --tls-cert-file and key with --tls-private-key-file flag.
  • default is port 6443, change with --secure-port flag.
  • default IP is first non-localhost network interface, change with --bind-address flag.
  • request handled by authentication and authorization modules.
  • request handled by admission control module(s).
  • authentication and authorization modules run.

Restrict API access, meaning you should allow access to your API only from a specific IP or a specific IP range (authorized networks). It shouldn't be accessible from the outside world. To do it, you may use firewall rules or Network Policy.

Turn off Anonymous Requests, which you already did.

You can look into --insecure-port=0, however it should be deprecated in newer versions.

As additional information, I would advise you to check Kubernetes The Hard Way, especially 3 chapters: Provisioning Compute Resources, Provisioning the CA and Generating TLS Certificates, Generating Kubernetes Configuration Files for Authentication. You can find some best practices there.

You can find a very good explanation of the Kube API-server flags in this article.

Useful links about Cluster Security:

The Basics of Keeping Kubernetes Clusters Secure - How to secure the kube-apiserver

Controlling Access to the Kubernetes API

Kubernetes security best practices

Kubernetes Security 101: Risks and 29 Best Practices

Accessing Clusters

PjoterS
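
The flag checks listed in the answer above, as an added example that is not part of the original post: a Python audit of a kube-apiserver command line. The two command lines are constructed samples, and `parse_flags` and `audit` are hypothetical helper names. It inspects server-side flags only, because `--insecure-skip-tls-verify` is a kubectl client option and does not appear in the server's configuration.

```python
import shlex

# Constructed sample command lines (illustrative, not from the original post).
WEAK = ("kube-apiserver --insecure-port=8080 "
        "--insecure-bind-address=0.0.0.0 --secure-port=6443")
HARDENED = ("kube-apiserver --insecure-port=0 --secure-port=6443 "
            "--anonymous-auth=false "
            "--tls-cert-file=/path/to/apiserver.crt "
            "--tls-private-key-file=/path/to/apiserver.key")


def parse_flags(cmdline):
    """Return {flag: value}, accepting --flag=value and --flag value."""
    tokens = shlex.split(cmdline)[1:]  # drop the binary name
    flags, i = {}, 0
    while i < len(tokens):
        name, sep, value = tokens[i].lstrip("-").partition("=")
        nxt = tokens[i + 1] if i + 1 < len(tokens) else "--"
        if not sep and not nxt.startswith("--"):
            value, i = nxt, i + 1  # value given as the next token
        flags[name] = value if (sep or value) else "true"  # bare boolean flag
        i += 1
    return flags


def audit(cmdline):
    """Return findings for the flags discussed above; empty list = clean."""
    f, findings = parse_flags(cmdline), []
    # Default is 8080 per the docs quoted above
    # (assumption: a release that still has this flag).
    port = f.get("insecure-port", "8080")
    if port != "0":
        findings.append("plain-HTTP port %s open: set --insecure-port=0" % port)
    if "insecure-bind-address" in f:
        findings.append("remove --insecure-bind-address")
    for flag in ("tls-cert-file", "tls-private-key-file"):
        if not f.get(flag):
            findings.append("--%s is not set" % flag)
    # Anonymous requests are on unless explicitly disabled.
    if f.get("anonymous-auth", "true").lower() != "false":
        findings.append("anonymous requests enabled: set --anonymous-auth=false")
    return findings


if __name__ == "__main__":
    for label, cmd in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cmd))
```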