Questions related to Kubernetes security: from deploying cluster securely to running secure workloads on it.
Questions tagged [kubernetes-security]
116 questions
1 vote, 1 answer
How to prevent a user from creating a pod with a specific label?
I know how to use RBAC with X.509 certificates to identify a user of kubectl and restrict them (using Role and RoleBinding) from creating pods of any kind in a namespace. However, I don't know how I can prevent them from putting specific labels on a…

Don Rhummy
1 vote, 1 answer
Jenkins Kubernetes builds fail with Forbidden (user=system:anonymous, verb=get, resource=nodes, subresource=proxy)
Exec Summary
Jenkins is running in a Kubernetes cluster just upgraded to 1.19.7, but now the Jenkins build scripts are failing when running
sh "kubectl --kubeconfig ${args.config} config use-context ${args.context}"
to give…

Nicholas Davies
1 vote, 1 answer
Separate CA for etcd in Kubernetes?
I was going through the Control Plane Security in Google Cloud (GKE) course and referring to 'certificate authority and cluster trust' in the link below, and I have these questions. Can someone clarify these?…

deals my
1 vote, 3 answers
EKS Kubernetes user with RBAC seen as system:anonymous
I've been following this post to create user access to my Kubernetes cluster (running on Amazon EKS). I created a key and a CSR, approved the request and downloaded the certificate for the user. Then I created a kubeconfig file with the key and crt.…

Eren Güven
1 vote, 3 answers
How to configure the Kubernetes Ingress Nginx whitelist annotation to apply only to HTTP
I have configured my ingress to support SSL:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: "service"
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: "x.x.x.x/xx"
    nginx.ingress.kubernetes.io/ssl-redirect:…

Huy Chau
1 vote, 2 answers
Can I use the Ambassador to authenticate service-to-service communication inside a Kubernetes cluster?
I have a Kubernetes cluster with services, and I use Ambassador as an API gateway between the outside world and my services.
With Ambassador I know that I can use a service, which I have, to check authentication and authorization for incoming requests…

Nordkraft
1 vote, 0 answers
Kubernetes kubelet security issue
We are using EKS integrated with Vault, using Kubernetes as the 'auth-backend' for Vault. One of the security flaws we see is that, if someone has access to the kubelet certs, they can impersonate the kubelet and hence acquire the secret for a service…

Rajarajan Pudupatti Sundari Je
1 vote, 4 answers
Spring Boot service in Kubernetes always responds with HTTP status 400
We have a Spring Boot service running in Kubernetes.
This service has the endpoint:
- GET /healthz
We have a liveness probe that uses this endpoint. The probe runs successfully.
This means that the endpoint is reachable from the service pod (localhost).
When…

Tantre
1 vote, 1 answer
Kubernetes secrets and Spring Boot configuration
Our service is running in a Kubernetes cluster.
I'm trying to secure our service with SSL.
For that purpose I added to application.properties:
security.require-ssl=true…

Tantre
1 vote, 1 answer
k8s gce1.8.7 - pods is forbidden - Unknown user system:serviceaccount:default:default
I have a mongo database in GCE (config see below).
When I deploy it to 1.7.12-gke.1 everything works fine, which means the sidecar resolves the pods and links them.
Now when I deploy the same configuration to 1.8.7-gke.1 it results in missing…

Boas Enkler
1 vote, 0 answers
Isolate single container in pod
I'm porting an application to k8s. The application currently consists of pairs of dockers, Trusted and Untrusted, where Trusted is connected to the regular bridge network and talks to internal services, while Untrusted is connected to a separate…

Roee Shenberg
1 vote, 2 answers
Multiple Certification Authority certificates (?)
I have created a Kubernetes cluster on AWS using kops.
Unless I am wrong, the ca.crt and ca.key files are in the following locations, as indicated by this very helpful answer:
- s3:////pki/private/ca/*.key
-…

pkaramol
1 vote, 1 answer
Error generating CA certificate and private key using cfssl and kubernetes
I am using cfssl to generate a CSR.
I have the JSON below:
{
  "CN": "ambika",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "O": "system:masters"
    }
  ]
}
root@vagrant-xenial64:~/bin# cat csr.json | cfssl genkey - | cfssljson …

ambikanair
1 vote, 1 answer
Kubernetes API proxy for HTTPS endpoints
Kubernetes surfaces an API proxy, which allows querying the internal services via e.g. https://myhost.com/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard/
This is all well and good. However, for security & compliance reasons, all…

Silver Dragon
1 vote, 1 answer
In Kubernetes 1.6, when using SSL authentication, the kubelet service cannot start. Why?
When I execute the command "systemctl start kubelet", the result shows "error: failed to run kubelet: cannot create certificate signing request: the server has asked for the client to provide credentials (post…

Jay