Security best practice fixes (#1783)
* Disable basic and token auth by default * Add recommended security params * allow basic auth to fail in tests * Enable TLS authentication for kubelet
This commit is contained in:
parent
66e5e14bac
commit
d487b2f927
9 changed files with 23 additions and 8 deletions
@ -93,7 +93,8 @@ the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-applicati
|
||||||
Accessing Kubernetes Dashboard
|
Accessing Kubernetes Dashboard
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
If the variable `dashboard_enabled` is set (default is true), then you can
|
If the variable `dashboard_enabled` is set (default is true) as well as
|
||||||
|
kube_basic_auth (default is false), then you can
|
||||||
access the Kubernetes Dashboard at the following URL:
|
access the Kubernetes Dashboard at the following URL:
|
||||||
|
|
||||||
https://kube:_kube-password_@_host_:6443/ui/
|
https://kube:_kube-password_@_host_:6443/ui/
|
||||||
|
@ -102,6 +103,9 @@ To see the password, refer to the section above, titled *Connecting to
|
||||||
Kubernetes*. The host can be any kube-master or kube-node or loadbalancer
|
Kubernetes*. The host can be any kube-master or kube-node or loadbalancer
|
||||||
(when enabled).
|
(when enabled).
|
||||||
|
|
||||||
|
To access the Dashboard with basic auth disabled, follow the instructions here:
|
||||||
|
https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/#command-line-proxy
|
||||||
|
|
||||||
Accessing Kubernetes API
|
Accessing Kubernetes API
|
||||||
------------------------
|
------------------------
|
||||||
|
|
||||||
|
|
|
@ -50,8 +50,8 @@ kube_users:
|
||||||
|
|
||||||
## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
|
## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
|
||||||
#kube_oidc_auth: false
|
#kube_oidc_auth: false
|
||||||
#kube_basic_auth: true
|
#kube_basic_auth: false
|
||||||
#kube_token_auth: true
|
#kube_token_auth: false
|
||||||
|
|
||||||
|
|
||||||
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
|
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
|
||||||
|
|
|
@ -52,8 +52,8 @@ kube_api_runtime_config:
|
||||||
- admissionregistration.k8s.io/v1alpha1
|
- admissionregistration.k8s.io/v1alpha1
|
||||||
|
|
||||||
## Enable/Disable Kube API Server Authentication Methods
|
## Enable/Disable Kube API Server Authentication Methods
|
||||||
kube_basic_auth: true
|
kube_basic_auth: false
|
||||||
kube_token_auth: true
|
kube_token_auth: false
|
||||||
kube_oidc_auth: false
|
kube_oidc_auth: false
|
||||||
|
|
||||||
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
|
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
|
||||||
|
|
|
@ -48,7 +48,7 @@ apiServerExtraArgs:
|
||||||
{% endif %}
|
{% endif %}
|
||||||
storage-backend: {{ kube_apiserver_storage_backend }}
|
storage-backend: {{ kube_apiserver_storage_backend }}
|
||||||
{% if kube_api_runtime_config is defined %}
|
{% if kube_api_runtime_config is defined %}
|
||||||
runtime-config: {{ kube_api_runtime_config }}
|
runtime-config: {{ kube_api_runtime_config | join(',') }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
allow-privileged: "true"
|
allow-privileged: "true"
|
||||||
controllerManagerExtraArgs:
|
controllerManagerExtraArgs:
|
||||||
|
|
|
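Review bot: The templated value on the new `runtime-config:` line is unquoted, so if `kube_api_runtime_config` is defined but empty the line renders as `runtime-config:` and kubeadm reads it as null rather than a string; quoting it, `runtime-config: "{{ kube_api_runtime_config | join(',') }}"`, or tightening the guard to `{% if kube_api_runtime_config is defined and kube_api_runtime_config %}`, avoids that. The hardening flags this commit adds to the static-pod manifests (`--profiling=false`, `--repair-malformed-updates=false`, `--service-account-lookup=true`, the kubelet client certificate pair) do not appear in `apiServerExtraArgs` or `controllerManagerExtraArgs` here, so a kubeadm-based deployment apparently does not receive them; worth confirming against the rest of this template and mirroring them if so. The `apiServerExtraArgs:` mapping begins before this hunk.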
@ -40,6 +40,11 @@ spec:
|
||||||
- --service-cluster-ip-range={{ kube_service_addresses }}
|
- --service-cluster-ip-range={{ kube_service_addresses }}
|
||||||
- --service-node-port-range={{ kube_apiserver_node_port_range }}
|
- --service-node-port-range={{ kube_apiserver_node_port_range }}
|
||||||
- --client-ca-file={{ kube_cert_dir }}/ca.pem
|
- --client-ca-file={{ kube_cert_dir }}/ca.pem
|
||||||
|
- --profiling=false
|
||||||
|
- --repair-malformed-updates=false
|
||||||
|
- --kubelet-client-certificate={{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem
|
||||||
|
- --kubelet-client-key={{ kube_cert_dir }}/node-{{ inventory_hostname }}-key.pem
|
||||||
|
- --service-account-lookup=true
|
||||||
{% if kube_basic_auth|default(true) %}
|
{% if kube_basic_auth|default(true) %}
|
||||||
- --basic-auth-file={{ kube_users_dir }}/known_users.csv
|
- --basic-auth-file={{ kube_users_dir }}/known_users.csv
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
|
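Review bot: The `{% if kube_basic_auth|default(true) %}` guard just below the new flags still falls back to enabling `--basic-auth-file` when the variable is undefined, which contradicts the role default of `false` this same commit introduces; changing it to `{% if kube_basic_auth|default(false) %}` makes an inventory that does not pick up the role defaults fail closed. The new `--kubelet-client-certificate`/`--kubelet-client-key` pair lets the apiserver authenticate to kubelets, but nothing in this hunk makes the apiserver verify the kubelet's serving certificate; if the node certificates are issued by the same CA as `ca.pem`, adding `- --kubelet-certificate-authority={{ kube_cert_dir }}/ca.pem` would close that gap (confirm the kubelet serving cert is CA-signed first). A one-line comment above the new block, e.g. `{# hardening: profiling off, malformed-update repair off, service-account token lookup on #}`, would tell the next reader why these flags are grouped here. The container `command` list starts outside this hunk.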
@ -37,9 +37,11 @@ spec:
|
||||||
- --node-monitor-grace-period={{ kube_controller_node_monitor_grace_period }}
|
- --node-monitor-grace-period={{ kube_controller_node_monitor_grace_period }}
|
||||||
- --node-monitor-period={{ kube_controller_node_monitor_period }}
|
- --node-monitor-period={{ kube_controller_node_monitor_period }}
|
||||||
- --pod-eviction-timeout={{ kube_controller_pod_eviction_timeout }}
|
- --pod-eviction-timeout={{ kube_controller_pod_eviction_timeout }}
|
||||||
|
- --profiling=false
|
||||||
|
- --terminated-pod-gc-threshold=12500
|
||||||
- --v={{ kube_log_level }}
|
- --v={{ kube_log_level }}
|
||||||
{% if rbac_enabled %}
|
{% if rbac_enabled %}
|
||||||
- --use-service-account-credentials
|
- --use-service-account-credentials=true
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %}
|
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %}
|
||||||
- --cloud-provider={{cloud_provider}}
|
- --cloud-provider={{cloud_provider}}
|
||||||
|
|
|
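Review bot: `--terminated-pod-gc-threshold=12500` on the new line is a bare magic number in a block where every other tunable is a role variable; exposing it as `- --terminated-pod-gc-threshold={{ kube_controller_terminated_pod_gc_threshold }}` (variable name constructed here) with the value set in the role defaults keeps it consistent with `kube_controller_pod_eviction_timeout` and friends. The value looks like the upstream default, in which case the flag is a no-op as written; a comment stating why it was pinned, such as `{# explicit GC threshold so the bound is visible even if the upstream default changes #}`, would make the intent clear. The container `command` list starts outside this hunk.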
@ -28,6 +28,7 @@ spec:
|
||||||
- scheduler
|
- scheduler
|
||||||
- --leader-elect=true
|
- --leader-elect=true
|
||||||
- --kubeconfig={{ kube_config_dir }}/kube-scheduler-kubeconfig.yaml
|
- --kubeconfig={{ kube_config_dir }}/kube-scheduler-kubeconfig.yaml
|
||||||
|
- --profiling=false
|
||||||
- --v={{ kube_log_level }}
|
- --v={{ kube_log_level }}
|
||||||
{% if kube_feature_gates %}
|
{% if kube_feature_gates %}
|
||||||
- --feature-gates={{ kube_feature_gates|join(',') }}
|
- --feature-gates={{ kube_feature_gates|join(',') }}
|
||||||
|
|
|
@ -14,6 +14,9 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
|
||||||
--pod-infra-container-image={{ pod_infra_image_repo }}:{{ pod_infra_image_tag }} \
|
--pod-infra-container-image={{ pod_infra_image_repo }}:{{ pod_infra_image_tag }} \
|
||||||
--node-status-update-frequency={{ kubelet_status_update_frequency }} \
|
--node-status-update-frequency={{ kubelet_status_update_frequency }} \
|
||||||
--docker-disable-shared-pid={{ kubelet_disable_shared_pid }} \
|
--docker-disable-shared-pid={{ kubelet_disable_shared_pid }} \
|
||||||
|
--client-ca-file={{ kube_cert_dir }}/ca.pem \
|
||||||
|
--tls-cert-file={{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem \
|
||||||
|
--tls-private-key-file={{ kube_cert_dir }}/node-{{ inventory_hostname }}-key.pem \
|
||||||
{% if kube_version | version_compare('v1.6', '>=') %}
|
{% if kube_version | version_compare('v1.6', '>=') %}
|
||||||
{# flag got removed with 1.7.0 #}
|
{# flag got removed with 1.7.0 #}
|
||||||
{% if kube_version | version_compare('v1.7', '<') %}
|
{% if kube_version | version_compare('v1.7', '<') %}
|
||||||
|
|
|
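Review bot: Adding `--client-ca-file` lets the kubelet accept x509 client certificates, but on its own it does not disable the kubelet's anonymous access or its default allow-all authorization, so the "TLS authentication for kubelet" described in the commit message is only partly achieved by these three lines; pairing them with `--anonymous-auth=false \` and `--authorization-mode=Webhook \` (the apiserver now presents a client certificate, per the apiserver manifest in this commit) is what actually restricts the kubelet API — confirm against the rest of this template that those flags are not already set elsewhere. The same `node-{{ inventory_hostname }}.pem` is used here as the kubelet serving certificate and in the apiserver manifest as the apiserver's client certificate, which only works if that certificate carries both usages; a comment on the `--tls-cert-file` line recording that assumption would help. The backslash-continued argument string this hunk sits in starts and ends outside the hunk.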
@ -8,5 +8,5 @@
|
||||||
user: kube
|
user: kube
|
||||||
password: "{{ lookup('password', '../../credentials/kube_user length=15 chars=ascii_letters,digits') }}"
|
password: "{{ lookup('password', '../../credentials/kube_user length=15 chars=ascii_letters,digits') }}"
|
||||||
validate_certs: no
|
validate_certs: no
|
||||||
status_code: 200
|
status_code: 200,401
|
||||||
when: not kubeadm_enabled|default(false)
|
when: not kubeadm_enabled|default(false)
|
||||||
|
|
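Review bot: Accepting `status_code: 200,401` makes the request succeed whether or not basic auth works, so the task no longer verifies anything about authentication; making the expectation follow the setting, e.g. `status_code: "{{ '200' if kube_basic_auth|default(false) else '401' }}"`, keeps a broken `known_users.csv` detectable while still passing when basic auth is disabled. `validate_certs: no` on the line above is a YAML 1.1 truthy; `false` is the canonical spelling and what yamllint's truthy rule expects. The module call (apparently `uri`) and the task header begin before this hunk.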