Kubelet配置

默认情况下，kubelet监听的10250端口没有进行任何认证鉴权，导致通过这个端口可以对kubelet节点上运行的容器进行任何操作，如：curl -k -XPOST "https://k8s-node-1:10250/run/demo-ns/demo-pod/demo" -d "cmd=ls -la /"，因此需要配置一些参数防止这种情况发生。

Kubelet支持X509证书认证和API bearer token认证，我们暂且只配置X509证书认证：

• 给kubelet增加X509证书认证，且禁止匿名访问

  --client-ca-file XXX --anonymous-auth=false

• 给apiserver增加访问kubelet时的证书，否则apiserver将无法访问kubelet

  --kubelet-client-certificate XXX --kubelet-client-key XXX

参考资料

• kubelet-exploit: https://github.com/kayrus/kubelet-exploit

• Kubelet authentication/authorization: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/

• Master-Node communication: https://kubernetes.io/docs/concepts/architecture/master-node-communication/

• TLS bootstrapping: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/

• Kubernetes Security Best-Practices: https://dev.to/petermbenjamin/kubernetes-security-best-practices-hlk#network-policies