Kubernetes Kubelet Security

kubelet Port

Port    Protocol    Description
10250   HTTPS       Kubelet API with full read/write access (pod list, container logs, exec into containers); authentication and authorization are configurable
10255   HTTP        Read-only API (pods, metrics) with no authentication at all

10250

curl -sk https://localhost:10250/pods/
curl -sk https://localhost:10250/metrics

10255

curl -s http://localhost:10255/pods/
curl -s http://localhost:10255/metrics
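The two curl commands above only show whether a request gets an answer. The script below is an added example (not part of the original page) that sends the same unauthenticated GETs and classifies the result against the hardening this page describes: a 200 on 10250 means anonymous access is allowed, a 401 means anonymous authentication is off, a 403 means the anonymous user was accepted but the authorizer denied it, and any HTTP answer on 10255 means the read-only port is still open. The host argument is assumed; the TLS verification is skipped like curl -k because only the kubelet's authentication decision matters here.

```python
"""Probe a node's kubelet ports for anonymous access (added example)."""
import http.client
import ssl
import sys

SECURE_PORT = 10250     # kubelet API, HTTPS
READ_ONLY_PORT = 10255  # read-only API, plain HTTP, no authentication


def probe(host, port, path="/pods", tls=True, timeout=5):
    """Unauthenticated GET against a kubelet port.

    Returns (status, error): status is the HTTP status code, or None when no
    HTTP response came back (refused, timeout, TLS failure); error then holds
    a short description.
    """
    conn = None
    try:
        if tls:
            # Skip certificate verification, like `curl -k`: the kubelet's
            # serving cert is usually self-signed or cluster-CA issued and
            # the probe only cares about the authentication decision.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, None
    except OSError as exc:
        return None, str(exc)
    finally:
        if conn is not None:
            conn.close()


def assess(secure_status, read_only_status):
    """Turn the two probe results into (port, verdict, message) findings.

    secure_status: status of an anonymous GET on 10250 (None = no response).
    read_only_status: status of a GET on 10255 (None = no response).
    """
    findings = []

    if secure_status == 200:
        findings.append((SECURE_PORT, "FAIL",
                         "anonymous request to /pods succeeded; set "
                         "--anonymous-auth=false and --authorization-mode=Webhook"))
    elif secure_status == 401:
        findings.append((SECURE_PORT, "PASS",
                         "anonymous requests are rejected (401); anonymous auth is off"))
    elif secure_status == 403:
        findings.append((SECURE_PORT, "WARN",
                         "anonymous user was authenticated but denied (403); "
                         "authorization holds, but also set --anonymous-auth=false"))
    elif secure_status is None:
        findings.append((SECURE_PORT, "UNKNOWN",
                         "no HTTP response from 10250; check reachability"))
    else:
        findings.append((SECURE_PORT, "UNKNOWN",
                         f"unexpected status {secure_status} from 10250"))

    if read_only_status is None:
        findings.append((READ_ONLY_PORT, "PASS",
                         "no response on 10255; read-only port is closed "
                         "(or filtered before reaching the kubelet)"))
    elif read_only_status == 200:
        findings.append((READ_ONLY_PORT, "FAIL",
                         "read-only API answered without authentication; "
                         "set --read-only-port=0"))
    else:
        findings.append((READ_ONLY_PORT, "UNKNOWN",
                         f"unexpected status {read_only_status} from 10255"))
    return findings


def verdicts(findings):
    """Condensed view of assess() output: {port: verdict}."""
    return {port: verdict for port, verdict, _ in findings}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed argument
    secure, _ = probe(host, SECURE_PORT, tls=True)
    read_only, _ = probe(host, READ_ONLY_PORT, tls=False)
    for port, verdict, message in assess(secure, read_only):
        print(f"{port}\t{verdict}\t{message}")
```

A PASS on 10255 only means nothing answered from where the probe ran; a host firewall can produce the same result, so confirm it against the kubelet's own configuration as well.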

kubelet Authentication

Anonymous

By default the kubelet accepts requests without any credentials and treats them as the user system:anonymous. Turn this off:

kubelet.service

ExecStart=/usr/local/bin/kubelet \
  ...
  --anonymous-auth=false \
  ...

kubelet-config.yaml

apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false

Certificates

Require clients to present a certificate signed by the given CA; requests with a valid certificate are authenticated as the certificate's CN (user) and O (groups):

kubelet.service

ExecStart=/usr/local/bin/kubelet \
  ...
  --client-ca-file=/path/to/ca.crt \
  ...

kubelet-config.yaml

apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  x509:
    clientCAFile: /path/to/ca.crt

Call API

Command Way

With anonymous access disabled, a request only succeeds when it carries a client certificate signed by the CA in --client-ca-file:

curl -sk https://localhost:10250/pods/ --key kubelet-key.pem --cert kubelet-cert.pem

kube-apiserver Configuration

The kube-apiserver calls the kubelet API itself (for kubectl logs, kubectl exec, kubectl port-forward), so it must present a client certificate signed by the same CA. Add the options below:

  --kubelet-client-certificate=/path/to/kubelet-cert.pem
  --kubelet-client-key=/path/to/kubelet-key.pem

To have the kube-apiserver verify the kubelet's serving certificate in turn, also set --kubelet-certificate-authority=/path/to/ca.crt.

kubelet Authorization

Default Authorization Mode

AlwaysAllow permits every request that passed authentication, including anonymous ones when anonymous auth is still enabled:

kubelet.service

ExecStart=/usr/local/bin/kubelet \
  ...
  --authorization-mode=AlwaysAllow \
  ...

kubelet-config.yaml

apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authorization:
  mode: AlwaysAllow

Webhook Authorization Mode

Webhook mode asks the kube-apiserver (via a SubjectAccessReview) whether the authenticated caller may access the node resource the request maps to, for example nodes/proxy for /pods and nodes/metrics for /metrics, so RBAC on the API server decides the outcome:

kubelet.service

ExecStart=/usr/local/bin/kubelet \
  ...
  --authorization-mode=Webhook \
  ...

kubelet-config.yaml

apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authorization:
  mode: Webhook

kubelet Read Only

Default (read-only port enabled)

kubelet.service

ExecStart=/usr/local/bin/kubelet \
  ...
  --read-only-port=10255 \
  ...

kubelet-config.yaml

apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
readOnlyPort: 10255

Disable Read Only

Setting the port to 0 turns the unauthenticated read-only service off entirely:

kubelet.service

ExecStart=/usr/local/bin/kubelet \
  ...
  --read-only-port=0 \
  ...

kubelet-config.yaml

apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
readOnlyPort: 0

kubelet Security Summary

kubelet.service

ExecStart=/usr/local/bin/kubelet \
  ...
  --anonymous-auth=false \
  --client-ca-file=/path/to/ca.crt \
  --authorization-mode=Webhook \
  --read-only-port=0 \
  ...

kubelet-config.yaml

apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false
  x509:
    clientCAFile: /path/to/ca.crt
authorization:
  mode: Webhook
readOnlyPort: 0
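The summary lists four settings; the script below is an added example (not from the original page) that audits a kubelet-config.yaml against exactly those four. It reads the nested key: value subset this page uses with a small purpose-built parser so that it runs without PyYAML, and treats a missing key as a finding so that each setting is stated explicitly rather than left to the kubelet's built-in default. WEAK_CONFIG and HARDENED_CONFIG are constructed samples mirroring the "Default" sections and the summary above.

```python
"""Static audit of a KubeletConfiguration against the hardening summary (added example)."""

# Constructed sample: the weak settings shown in the "Default" sections.
WEAK_CONFIG = """\
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: true
authorization:
  mode: AlwaysAllow
readOnlyPort: 10255
"""

# Constructed sample: the hardened settings from the summary.
HARDENED_CONFIG = """\
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false
  x509:
    clientCAFile: /path/to/ca.crt
authorization:
  mode: Webhook
readOnlyPort: 0
"""


def parse_mapping(text):
    """Parse indented 'key: value' lines into nested dicts.

    Covers only what KubeletConfiguration files like the ones on this page
    use: mappings, unquoted scalars and '#' comments. Not a general YAML parser.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # dedent: close deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # 'key:' with nothing after it opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit(cfg):
    """Return the settings that deviate from the hardened summary.

    A missing key counts as a finding: the audit wants every one of the four
    settings written down, not inherited from the kubelet's default.
    """
    findings = []
    authn = cfg.get("authentication", {})
    authz = cfg.get("authorization", {})

    if str(authn.get("anonymous", {}).get("enabled", "")).lower() != "false":
        findings.append("authentication.anonymous.enabled must be false")
    if not authn.get("x509", {}).get("clientCAFile"):
        findings.append("authentication.x509.clientCAFile is not set; "
                        "client certificates cannot be verified")
    if authz.get("mode") != "Webhook":
        findings.append(f"authorization.mode is {authz.get('mode', 'unset')}; must be Webhook")
    if str(cfg.get("readOnlyPort", "")) != "0":
        findings.append("readOnlyPort must be 0 to disable the unauthenticated read-only API")
    return findings


def audit_text(text):
    """Parse a config document and audit it in one step."""
    return audit(parse_mapping(text))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # path to a kubelet-config.yaml (assumed argument)
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = WEAK_CONFIG
    problems = audit_text(text)
    for p in problems:
        print("FAIL", p)
    print("OK" if not problems else f"{len(problems)} finding(s)")
```

Run it against the real file on a node (python3 audit.py /var/lib/kubelet/config.yaml, path assumed) and pair it with the port probe earlier on this page: the file shows what was configured, the probe shows what the running kubelet actually enforces.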