Kubelet配置

默认情况下，kubelet监听的10250端口没有进行任何认证鉴权，导致通过这个端口可以对kubelet节点上运行的容器进行任何操作，如：curl -k -XPOST "https://k8s-node-1:10250/run/demo-ns/demo-pod/demo" -d "cmd=ls -la /"，因此需要配置一些参数防止这种情况发生。

Kubelet支持X509证书认证和API bearer token认证，我们暂且只配置X509证书认证：

给kubelet增加X509证书认证，且禁止匿名访问
--client-ca-file XXX --anonymous-auth=false
给apiserver增加访问kubelet时的证书，否则apiserver将无法访问kubelet
--kubelet-client-certificate XXX --kubelet-client-key XXX

参考资料

kubelet-exploit: https://github.com/kayrus/kubelet-exploit
Kubelet authentication/authorization: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/
Master-Node communication: https://kubernetes.io/docs/concepts/architecture/master-node-communication/
TLS bootstrapping: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/
Kubernetes Security Best-Practices: https://dev.to/petermbenjamin/kubernetes-security-best-practices-hlk#network-policies

Previous理解证书 Next垃圾回收

Last updated 5 years ago