Kubelet配置
默认情况下,kubelet监听的10250端口没有进行任何认证鉴权,导致通过这个端口可以对kubelet节点上运行的容器进行任何操作,如:curl -k -XPOST "https://k8s-node-1:10250/run/demo-ns/demo-pod/demo" -d "cmd=ls -la /",因此需要配置一些参数防止这种情况发生。
Kubelet支持X509证书认证和API bearer token认证,我们暂且只配置X509证书认证:
给kubelet增加X509证书认证,且禁止匿名访问
--client-ca-file XXX --anonymous-auth=false给apiserver增加访问kubelet时的证书,否则apiserver将无法访问kubelet
--kubelet-client-certificate XXX --kubelet-client-key XXX
参考资料
kubelet-exploit: https://github.com/kayrus/kubelet-exploit
Kubelet authentication/authorization: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/
Master-Node communication: https://kubernetes.io/docs/concepts/architecture/master-node-communication/
Kubernetes Security Best-Practices: https://dev.to/petermbenjamin/kubernetes-security-best-practices-hlk#network-policies
Last updated
Was this helpful?