Skip to content
This repository has been archived by the owner on Jan 9, 2023. It is now read-only.

Lock down access of the API server proxy through iptables #672

Open
simonswine opened this issue Jan 8, 2019 · 0 comments
Open

Lock down access of the API server proxy through iptables #672

simonswine opened this issue Jan 8, 2019 · 0 comments
Labels
area/security kind/feature Categorizes issue or PR as related to a new feature. priority/P0

Comments

@simonswine
Copy link
Contributor

simonswine commented Jan 8, 2019
edited
Loading

Is this a BUG REPORT or FEATURE REQUEST?:

/kind feature

What happened:

API server is quite vulnerable to attacks that setup arbitrary IP addresses (cf kubernetes/kubernetes#71980 / #670) on status.podIP / hostIP. We should lock down access of the API server

What you expected to happen:

I expect us to limit all outgoing connection of the apiserver by using a custom kubernetes-apiserver UID and limit it's processes through iptables to lock down access to certain destinations only. These destinations should be allowed:

  • APIserver - etcd ports + vpc IPs
  • All protocols/ports pod IPs
  • OIDC servers (?!)
  • more things I am not thinking about (?!)

I would suggest to do a reject instead of a drop

Anything else we need to know?:

Maybe help full to setup a logging iptables rule before rejecting packages
@jetstack-bot jetstack-bot added the kind/feature Categorizes issue or PR as related to a new feature. label Jan 8, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
area/security kind/feature Categorizes issue or PR as related to a new feature. priority/P0
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@simonswine @jetstack-bot