2

We have a Kubernetes cluster (kube-)sprayed over 4 nodes running CoreOS. Our most important services will run in this Kubernetes environment and we are trying to do everything we can to make it as secure as possible, however we plant to expose the API port (6443) to the internet.

Is that considered safe to do?

We did the following so far:

  • We disabled anonymous access (with the --anonymous-auth=false flag).

  • Certificate checking seems to work fine, without providing client-certificate-data, I can't access anything on the cluster.

  • We are planning to use RBAC authorization.

  • We currently have the latest version of kubernetes installed (and we plan to update quickly as new fixes release).

  • We have a firewall with rate-limiting set up to mitigate brute force attacks.

  • The switch we bought for the server support DDoS protection.

Are there any further steps we could take to make that exposed port secure? Or is it completely ill-advised to do so?

barney.balazs
  • 143
  • 4

1 Answers1

1

The steps you have taken seem to be sufficient for securing api port

The only thing to verify is, if you are using K8s prior v1.10 you can disable insecure port by setting --insecure-port=0, so only encrypted traffic will be allowed.

Sometimes it's not possible, because of health check configuration or bootstrapping mechanisms. If that's the case firewall the port from public and internal access. This flag is deprecated since v1.10.

This article might be also helpful in terms of security best practices

A_Suh
  • 324
  • 1
  • 7