Lock down access of the API server proxy through iptables

Open simonswine opened this issue 6 years ago • 0 comments

Is this a BUG REPORT or FEATURE REQUEST?:

/kind feature

What happened:

API server is quite vulnerable to attacks that set up arbitrary IP addresses (cf. https://github.com/kubernetes/kubernetes/pull/71980 / #670) on status.podIP / hostIP. We should lock down access of the API server.

What you expected to happen:

I expect us to limit all outgoing connections of the apiserver by using a custom kubernetes-apiserver UID and limit its processes through iptables to lock down access to certain destinations only. These destinations should be allowed:

  • APIserver - etcd ports + vpc IPs
  • All protocols/ports pod IPs
  • OIDC servers (?!)
  • more things I am not thinking about (?!)

I would suggest to do a reject instead of a drop.

Anything else we need to know?:

Maybe helpful to set up a logging iptables rule before rejecting packages.

simonswine, Jan 08 '19 10:01
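
The ruleset proposed in the issue, written out as an added example (not part of the original issue or of tarmak's code): a shell function that prints an iptables-restore ruleset with the allow list, a logging rule, and a final REJECT. The chain name, the CIDRs, etcd port 2379, the OIDC address and the restriction to NEW connections are assumptions of this example.

```shell
#!/bin/sh
# Added example. Prints an iptables-restore ruleset on stdout; it never
# touches the running firewall. Addresses and ports are constructed samples.

# apiserver_egress_rules UID ETCD_NET ETCD_PORTS POD_CIDR [OIDC_IP:PORT ...]
apiserver_egress_rules() {
    if [ "$#" -lt 4 ]; then
        echo "usage: apiserver_egress_rules UID ETCD_NET ETCD_PORTS POD_CIDR [OIDC_IP:PORT ...]" >&2
        return 2
    fi
    uid=$1; etcd_net=$2; etcd_ports=$3; pod_cidr=$4
    shift 4
    chain=APISERVER-EGRESS   # hypothetical chain name

    echo "*filter"
    echo ":$chain - [0:0]"
    # Owner matching only works for locally generated packets (OUTPUT).
    # Filtering NEW connections only keeps replies to inbound API clients
    # (conntrack state ESTABLISHED) out of the chain.
    echo "-A OUTPUT -m owner --uid-owner $uid -m conntrack --ctstate NEW -j $chain"
    # etcd ports on the VPC range
    echo "-A $chain -d $etcd_net -p tcp -m multiport --dports $etcd_ports -j ACCEPT"
    # pod IPs: all protocols and ports
    echo "-A $chain -d $pod_cidr -j ACCEPT"
    # OIDC servers, given as IPv4 address:port pairs
    for dest in "$@"; do
        echo "-A $chain -d ${dest%:*} -p tcp --dport ${dest##*:} -j ACCEPT"
    done
    # Log (rate limited) before rejecting, so blocked destinations show up
    # in the kernel log.
    echo "-A $chain -m limit --limit 5/min -j LOG --log-prefix \"apiserver-egress-reject: \""
    # REJECT rather than DROP: the apiserver gets an immediate error
    # instead of waiting for a timeout.
    echo "-A $chain -j REJECT --reject-with icmp-port-unreachable"
    echo "COMMIT"
}

# Sample invocation with constructed values (VPC 10.0.0.0/16, pod range
# 100.64.0.0/16, OIDC server 192.0.2.10).
apiserver_egress_rules kubernetes-apiserver 10.0.0.0/16 2379 \
    100.64.0.0/16 192.0.2.10:443
```

Piping the output to `iptables-restore --noflush` loads the chain without flushing the other rules in the filter table.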