k8s ex02: Security – Overall view

So far we have concentrated on Kubernetes functionality and have paid little attention to security. In the following posts I’m going to introduce security features into our Kubernetes cluster.

Existing setup

There is no authentication or authorization deployed on the API server, so any request (e.g. any kubectl request, any node join request) is processed as long as the sender knows the IP address of the API server.

What’s worse, this communication is not encrypted, so it can easily be sniffed on the wire.

By the nature of Kubernetes, the API server is the hub of all information, so securing the cluster revolves around the API server. Let’s see how the API server is structured in terms of security.

API server security structure

The API server listens for requests on two ports, one for HTTP and the other for HTTPS. On the HTTP port, authentication and authorisation are skipped entirely. You can find the details in the official documentation.
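As an added example (not code from the original post), here is a small Python audit that reads a kube-apiserver flag list, such as the command array of its static pod manifest, and reports the weak settings discussed above: the plain-HTTP listener, AlwaysAllow authorization and anonymous access. Both flag lists are constructed samples, and the defaults assumed for absent flags are those of the releases that still shipped the insecure port.

```python
# Added example: audit kube-apiserver flags for the settings discussed above.
# Both flag lists are constructed samples, not taken from any real cluster.
WEAK_FLAGS = ["kube-apiserver", "--insecure-port=8080",  # old setup: HTTP open,
              "--insecure-bind-address", "0.0.0.0",      # no authorization
              "--secure-port=6443", "--authorization-mode=AlwaysAllow"]
HARDENED_FLAGS = ["kube-apiserver", "--insecure-port=0",  # HTTP listener off,
                  "--secure-port=6443", "--anonymous-auth=false",  # RBAC on
                  "--authorization-mode=Node,RBAC"]
# Assumed defaults for absent flags (values of the releases that still shipped
# the insecure port); an unset flag is as dangerous as an explicit one.
DEFAULTS = {"insecure-port": "8080", "anonymous-auth": "true",
            "authorization-mode": "AlwaysAllow"}


def parse_flags(argv):
    """Turn ['--a=1', '--b', '2', '--c'] into {'a': '1', 'b': '2', 'c': 'true'}."""
    flags, i = {}, 1  # argv[0] is the binary name
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            if "=" in arg:
                key, value = arg[2:].split("=", 1)
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                key, value, i = arg[2:], argv[i + 1], i + 1  # '--flag value' form
            else:
                key, value = arg[2:], "true"  # bare boolean flag
            flags[key] = value
        i += 1
    return flags


def audit_apiserver(argv):
    """Return the weak settings found; an empty list means none."""
    flags = {**DEFAULTS, **parse_flags(argv)}
    findings = []
    if flags["insecure-port"] != "0":
        findings.append("plain-HTTP listener on port %s skips authn/authz" % flags["insecure-port"])
    if "AlwaysAllow" in flags["authorization-mode"].split(","):
        findings.append("authorization-mode AlwaysAllow permits every request")
    if flags["anonymous-auth"] == "true":
        findings.append("anonymous-auth enabled: unauthenticated requests reach authorization")
    return findings


if __name__ == "__main__":
    for name, argv in (("weak", WEAK_FLAGS), ("hardened", HARDENED_FLAGS)):
        print(name, audit_apiserver(argv) or ["no weak settings found"])
```

Run it against the real command array of your control-plane manifest to confirm the HTTP listener is disabled before exposing the API server on a network.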