0

We are deploying our company's first (RBAC enabled) Kubernetes cluster for internal usage. The employees should be allowed to access it with their own (certificate based) credentials. The cluster is available online and hosted in a datacenter.

Should we allow access through an SSH tunnel/login only, or is it safe to publish the API server and disallow anonymous login?

Appreciate any advice!

chrstnwhlrt
  • GKE works that way, and if someone is able to get the certificate from an employee, they should also be able to get their SSH certificate. Can you add any additional form of MFA? – sigi Aug 01 '19 at 09:19
  • We are running the cluster in a datacenter using a bare-metal deployment. Besides disabling anonymous logins, is there anything else to consider? – chrstnwhlrt Aug 01 '19 at 10:45

1 Answer

1

The answer to your question highly depends on your own ability to protect a publicly exposed endpoint.

However, for reference, the GKE model has the API server endpoint publicly exposed for authentication. This implies that the anonymous login is disabled.

Furthermore, they have the private cluster feature that also exposes the API server endpoint, but this time it's restricted to certain CIDRs, meaning that only certain ranges are allowed to authenticate against the public endpoint.

If you put these two together, you can approach this problem by exposing the API server only to your known client's addresses.

In the past, a private cluster on GKE required a bastion host to connect, so your secondary approach might as well be valid, but less convenient.

yyyyahir
  • Thank you for mentioning the GKE way. Is the Kubernetes API server even meant to be publicly available? – chrstnwhlrt Aug 01 '19 at 11:01
  • Depends on the setup. For a local Kubernetes installation it can be private. For GKE or other managed solutions, it is necessary (due to design decisions) to make it public. Completely depends on the context. – yyyyahir Aug 01 '19 at 13:55
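The two controls the answer combines, anonymous authentication switched off and the API endpoint reachable only from known client ranges, can be checked before the bare-metal cluster goes online. The script below is an added example, not code from the question or answer; the kube-apiserver manifest excerpt and the allowlisted CIDRs are constructed sample data (documentation ranges), and the flag names are the real kube-apiserver options.

```python
"""Audit a kube-apiserver static-pod manifest for anonymous auth, RBAC and a
client CA, and emulate a GKE-style source-CIDR restriction on the endpoint."""
import ipaddress
import re

# Constructed sample: the `command:` block as found in a kubeadm-style
# /etc/kubernetes/manifests/kube-apiserver.yaml (values are placeholders)
SAMPLE_MANIFEST = """\
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=203.0.113.10
    - --anonymous-auth=false
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --secure-port=6443
"""

# Constructed allowlist standing in for the office/VPN ranges that may reach :6443
ALLOWED_CIDRS = ["198.51.100.0/24", "192.0.2.0/28"]

FLAG_RE = re.compile(r"^\s*-\s*(--[\w-]+)(?:=(.*))?\s*$")

def parse_flags(manifest: str) -> dict:
    """Return {flag: value} for every `- --flag=value` line; bare flags map to 'true'."""
    flags = {}
    for line in manifest.splitlines():
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(1)] = m.group(2) if m.group(2) is not None else "true"
    return flags

def audit_flags(flags: dict) -> list:
    """List the findings a reviewer would raise; an empty list means all checks pass."""
    findings = []
    # kube-apiserver defaults --anonymous-auth to true, so a missing flag is a finding
    if flags.get("--anonymous-auth", "true") != "false":
        findings.append("anonymous auth is enabled (set --anonymous-auth=false)")
    if "RBAC" not in flags.get("--authorization-mode", "AlwaysAllow").split(","):
        findings.append("RBAC is not in --authorization-mode")
    if "--client-ca-file" not in flags:
        findings.append("no --client-ca-file: employee client certificates cannot be verified")
    return findings

def source_allowed(client_ip: str, cidrs=ALLOWED_CIDRS) -> bool:
    """Emulate the CIDR restriction: only listed ranges may reach the API port."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

if __name__ == "__main__":
    print("findings:", audit_flags(parse_flags(SAMPLE_MANIFEST)) or "none")
    for ip in ("198.51.100.42", "203.0.113.99"):
        print(ip, "allowed" if source_allowed(ip) else "blocked")
```

The CIDR check only models the policy; on a bare-metal deployment it has to be enforced by the host firewall or the datacenter edge in front of port 6443.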