Questions tagged [kubernetes-security]

Questions related to Kubernetes security: from deploying a cluster securely to running secure workloads on it.

116 questions
3 votes, 1 answer

RBAC Error in Kubernetes

I have deployed kubernetes v1.8 in my workplace. I have created roles for admin and view access to namespaces 3 months ago. In the initial phase RBAC is working as per the access given to the users. Now RBAC is not happening, everyone who has access to…
3 votes, 1 answer

What is the name of the role that allows one to use oc/kubectl port-forward?

I'd like to create a Service Account which is allowed to do oc port-forward on OpenShift.com Online (AKA kubectl port-forward on Kubernetes), but can't for the life of me figure out which of the many roles I see in oc get clusterrole would permit…
vorburger · 3,439 · 32 · 38
3 votes, 3 answers

Kubernetes RunAsUser is forbidden

When I try to create a pod with a non-root fsGroup (here 2000): apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: securityContext: runAsUser: 1000 fsGroup: 2000 volumes: - name: sec-ctx-vol emptyDir: {} …
Ravichandra · 2,162 · 4 · 24 · 36
3 votes, 1 answer

How to enable https TLS on Kubernetes GCE

I successfully deployed my web app on kubernetes in Google cloud. It is serving via http. I followed all guides on how to add an ssl certificate and it was added according to the Google cloud console; however, it only works as http, when you try to access…
3 votes, 1 answer

Kubernetes CronJob public IP

I have a simple Kubernetes CronJob connecting to a remote database. The remote database uses an IP filter, so each database connection should come from the same IP. Any thoughts on how to achieve this? Hint: I am using AKS (Azure).…
Tibor · 651 · 1 · 8 · 18
3 votes, 1 answer

Access Kubernetes API without kubectl

I am trying to access the Kubernetes API directly without running kubectl -proxy. But when I use the token of the serviceaccount default, I get a 403. Even after creating a ClusterRole and ClusterRoleBinding for this serviceaccount, the request is…
Robert Panzer · 1,419 · 12 · 14
3 votes, 1 answer

Kubernetes authentication with certificate

I am trying to authenticate with a locally hosted Kubernetes cluster (v1.6.4) using a certificate. This takes part in the context of using the Kubernetes plugin for Jenkins. I am following the guidelines for Minikube in the Kubernetes-plugin README…
Carsten · 1,912 · 1 · 28 · 55
3 votes, 2 answers

Restricted Kubernetes dashboard?

Is it possible to have a restricted Kubernetes dashboard? The idea is to have a pod running kubectl proxy in the cluster (protected with basic HTTP authentication) to get a quick overview of the status: log output of the pods, running services and…
user3151902 · 3,154 · 1 · 19 · 32
3 votes, 3 answers

Secure access to a private helm repository

Is this even possible with helm? What options for security are possible (BasicAuth? Client Certs? OAuth2?) Is there any example / documentation about this (both server and client side)?
Denis Biondic · 7,943 · 5 · 48 · 79
2 votes, 1 answer

Istio allowed incoming request from a namespace which is not allowed in the authorization policy

I created an istio mesh setup as per this guide. Now my goal is to only allow access to the product page service from the same namespace default, not from another namespace. So I created the below AuthorizationPolicy. If I apply only the first policy,…
k'' · 702 · 1 · 8 · 19
2 votes, 2 answers

Kubernetes Secret is not stored in encoded format in environment variables

I am a beginner to Kubernetes. I have created a secret file and referred to it in the deployment yaml file. app-secret.yaml apiVersion: v1 kind: Secret metadata: name: app-secret data: username: YWRtaW4= password: YWRtaW4= deploy.yaml env: …
Varun · 85 · 1 · 7
2 votes, 1 answer

Kubernetes client library AuthenticationException

I've been using the Kubernetes .net client library version for a while now to access the Kubernetes api from within a container. Today I updated from client library version 1.6.11 to 4.0.21 but this broke some part of the authentication of the…
Jurgy · 2,128 · 1 · 20 · 33
2 votes, 1 answer

How to encrypt actual storage/volume used by containers in Kubernetes environment?

In case of cloud managed kubernetes, whether AWS EKS, Azure AKS or Google GKE, the option to use a customer managed key always comes at the cost of storing the customer master key in the cloud provider's own vault/KMS (e.g. aws kms or azure vault). In…
2 votes, 1 answer

Kubectl - List only namespaces a user can access

Looking if the below scenario is possible or not - Let's say a user (user1) has access only to the namespaces default and marketing. When we perform kubectl get ns it should display both namespaces. No other namespaces should be displayed even if they…
Avinash Reddy · 1,153 · 7 · 23
2 votes, 2 answers

TLS bootstrapping, --token-auth-file, User "system:anonymous" cannot create certificatesigningrequests

Why, when I set --token-auth-file on the api-server and set --bootstrap-kubeconfig on the worker node, and I specified the username "kubelet-bootstrap" on the apiserver and the worker node, do I get the error saying User "system:anonymous"? error: failed to…
jerry · 25 · 4