Security best practice fixes (#1783)

* Disable basic and token auth by default

* Add recommended security params

* allow basic auth to fail in tests

* Enable TLS authentication for kubelet
pull/1780/head
Matthew Mosesohn 2017-10-15 20:41:17 +01:00 committed by GitHub
parent 66e5e14bac
commit d487b2f927
9 changed files with 23 additions and 8 deletions

View File

@ -93,7 +93,8 @@ the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-applicati
Accessing Kubernetes Dashboard
------------------------------
If the variable `dashboard_enabled` is set (default is true), then you can
If the variable `dashboard_enabled` is set (default is true) as well as
kube_basic_auth (default is false), then you can
access the Kubernetes Dashboard at the following URL:
https://kube:_kube-password_@_host_:6443/ui/
@ -102,6 +103,9 @@ To see the password, refer to the section above, titled *Connecting to
Kubernetes*. The host can be any kube-master or kube-node or loadbalancer
(when enabled).
To access the Dashboard with basic auth disabled, follow the instructions here:
https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/#command-line-proxy
Accessing Kubernetes API
------------------------

View File

@ -50,8 +50,8 @@ kube_users:
## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
#kube_oidc_auth: false
#kube_basic_auth: true
#kube_token_auth: true
#kube_basic_auth: false
#kube_token_auth: false
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/

View File

@ -52,8 +52,8 @@ kube_api_runtime_config:
- admissionregistration.k8s.io/v1alpha1
## Enable/Disable Kube API Server Authentication Methods
kube_basic_auth: true
kube_token_auth: true
kube_basic_auth: false
kube_token_auth: false
kube_oidc_auth: false
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/

View File

@ -48,7 +48,7 @@ apiServerExtraArgs:
{% endif %}
storage-backend: {{ kube_apiserver_storage_backend }}
{% if kube_api_runtime_config is defined %}
runtime-config: {{ kube_api_runtime_config }}
runtime-config: {{ kube_api_runtime_config | join(',') }}
{% endif %}
allow-privileged: "true"
controllerManagerExtraArgs:

View File

@ -40,6 +40,11 @@ spec:
- --service-cluster-ip-range={{ kube_service_addresses }}
- --service-node-port-range={{ kube_apiserver_node_port_range }}
- --client-ca-file={{ kube_cert_dir }}/ca.pem
- --profiling=false
- --repair-malformed-updates=false
- --kubelet-client-certificate={{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem
- --kubelet-client-key={{ kube_cert_dir }}/node-{{ inventory_hostname }}-key.pem
- --service-account-lookup=true
{% if kube_basic_auth|default(true) %}
- --basic-auth-file={{ kube_users_dir }}/known_users.csv
{% endif %}

View File

@ -37,9 +37,11 @@ spec:
- --node-monitor-grace-period={{ kube_controller_node_monitor_grace_period }}
- --node-monitor-period={{ kube_controller_node_monitor_period }}
- --pod-eviction-timeout={{ kube_controller_pod_eviction_timeout }}
- --profiling=false
- --terminated-pod-gc-threshold=12500
- --v={{ kube_log_level }}
{% if rbac_enabled %}
- --use-service-account-credentials
- --use-service-account-credentials=true
{% endif %}
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %}
- --cloud-provider={{cloud_provider}}

View File

@ -28,6 +28,7 @@ spec:
- scheduler
- --leader-elect=true
- --kubeconfig={{ kube_config_dir }}/kube-scheduler-kubeconfig.yaml
- --profiling=false
- --v={{ kube_log_level }}
{% if kube_feature_gates %}
- --feature-gates={{ kube_feature_gates|join(',') }}

View File

@ -14,6 +14,9 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
--pod-infra-container-image={{ pod_infra_image_repo }}:{{ pod_infra_image_tag }} \
--node-status-update-frequency={{ kubelet_status_update_frequency }} \
--docker-disable-shared-pid={{ kubelet_disable_shared_pid }} \
--client-ca-file={{ kube_cert_dir }}/ca.pem \
--tls-cert-file={{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem \
--tls-private-key-file={{ kube_cert_dir }}/node-{{ inventory_hostname }}-key.pem \
{% if kube_version | version_compare('v1.6', '>=') %}
{# flag got removed with 1.7.0 #}
{% if kube_version | version_compare('v1.7', '<') %}

View File

@ -8,5 +8,5 @@
user: kube
password: "{{ lookup('password', '../../credentials/kube_user length=15 chars=ascii_letters,digits') }}"
validate_certs: no
status_code: 200
status_code: 200,401
when: not kubeadm_enabled|default(false)