Security Hardening of Kubernetes API Server
After a cluster is installed through KubeSpray, the kube-apiserver allows anonymous access to its APIs, which is insecure when the Kubernetes API Server's secure port is reachable from the public Internet.
So we need to manually set the --anonymous-auth=false flag in the Kubernetes API Server manifest (/etc/kubernetes/manifests/kube-apiserver.yaml).
We also need to create a service account so that the probes keep working once anonymous auth is disabled, because the kubelet's probe requests would otherwise be rejected as anonymous.
How to patch it?
First, apply probe-sa.yaml to the cluster to create the service account and secret used by kube-apiserver's probes:
kubectl apply -f probe-sa.yaml
Now we can read the generated token from the secret kube-api-server-probe-sa-token:
kubectl get secret kube-api-server-probe-sa-token -o jsonpath='{.data.token}' -n kube-system | base64 --decode
Copy the token and add this snippet to kube-apiserver.yaml on each master node, replacing <TOKEN> with the decoded token:
readinessProbe:
  ...
  httpGet:
    ...
    httpHeaders:
    - name: Authorization
      value: Bearer <TOKEN>
livenessProbe:
  ...
  httpGet:
    ...
    httpHeaders:
    - name: Authorization
      value: Bearer <TOKEN>
startupProbe:
  ...
  httpGet:
    ...
    httpHeaders:
    - name: Authorization
      value: Bearer <TOKEN>
After you have modified and saved the file, the kubelet automatically creates a new kube-apiserver pod.
You can confirm the configuration is correct by checking that the pod reports a ready status of 1/1.
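To verify the edit on every master node before relying on the pod's ready status, here is an added audit script (hypothetical, not part of KubeSpray or of this page) that checks a kube-apiserver static pod manifest for the two settings above: the --anonymous-auth=false flag and an Authorization: Bearer header on each of the three probes. It uses grep and awk only, so it approximates YAML structure by indentation, and it runs against constructed sample manifests rather than a real cluster file.

```shell
# Hypothetical audit of a kube-apiserver static pod manifest (not KubeSpray code):
# require --anonymous-auth=false on the command line and an "Authorization: Bearer"
# header on each of the three probes. grep/awk only, so it approximates YAML.
check_apiserver_manifest() {
  f="$1"; rc=0
  grep -qE '^[[:space:]]*-[[:space:]]*--anonymous-auth=false[[:space:]]*$' "$f" ||
    { echo "FAIL: --anonymous-auth=false missing in $f"; rc=1; }
  for probe in readinessProbe livenessProbe startupProbe; do
    # Scan the probe's block (lines indented deeper than its key) for the header.
    awk -v p="$probe" '
      $0 ~ ("^[ ]*" p ":") { match($0, /^[ ]*/); ind = RLENGTH; inblk = 1; next }
      inblk { match($0, /^[ ]*/)
              if (RLENGTH <= ind && $0 !~ /^[ ]*$/) { inblk = 0 } else {
                if ($0 ~ /name:[ ]*Authorization/) hdr = 1
                if ($0 ~ /value:[ ]*Bearer /) tok = 1 } }
      END { exit (hdr && tok) ? 0 : 1 }' "$f" ||
      { echo "FAIL: $probe lacks an Authorization: Bearer header in $f"; rc=1; }
  done
  [ "$rc" -eq 0 ] && echo "OK: $f has anonymous auth disabled and authenticated probes"
  return "$rc"
}
# Constructed sample manifests (not real cluster files) to exercise the check.
GOOD_MANIFEST=$(mktemp); BAD_MANIFEST=$(mktemp)
cat >"$GOOD_MANIFEST" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --anonymous-auth=false
    readinessProbe:
      httpGet:
        httpHeaders:
        - name: Authorization
          value: Bearer constructed-token
    livenessProbe:
      httpGet:
        httpHeaders:
        - name: Authorization
          value: Bearer constructed-token
    startupProbe:
      httpGet:
        httpHeaders:
        - name: Authorization
          value: Bearer constructed-token
EOF
# The "bad" manifest is the good one with the flag and the header names stripped.
sed '/--anonymous-auth=false/d; /name: Authorization/d' "$GOOD_MANIFEST" >"$BAD_MANIFEST"
check_apiserver_manifest "$GOOD_MANIFEST"
check_apiserver_manifest "$BAD_MANIFEST" || :
```

On a real node, run the function against /etc/kubernetes/manifests/kube-apiserver.yaml; a non-zero exit means at least one of the two hardening steps is still missing.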