"Software developer with a kaizen mindset"

Securing k8s a little

Saturday May 8, 2021 | Series Kubernetes

After upgrading my cluster to 1.20.5 I had to move to the secure port and start to use authentication because of it. While I found a way to open everything up where it was easier to use (as a homelab) it is very insecure.

This post is to take a tiny step to securing the apiserver.

Removing the insecure-skip-tls-verify

Take the ca.crt that we created during K8s The Hard Way and add it to our trust store.

trust anchor ca.crt 
update-ca-trust

Remove the ca.cert from /etc/kubernetes/pki if you had it there, we don’t need it any longer.

Now we can change your kubelet.kubeconfig to the following in all places:

apiVersion: v1
kind: Config
clusters:
  - cluster:
      server: https://{server-hostname}:6443/
    name: local
contexts:
  - context:
      cluster: local
      user: local
    name: local
current-context: local
users:
- name: local
  user:
    username: system:anonymous
    password: a

Now at least we’re verifying that the certificate is the valid self-signed certificate and the apiserver is still (more likely) to be the same one we trust.

Enjoyed this? Read more in the Kubernetes series.
Share on:
Support:

Comments