Get most services out of the default interface #88

ktsakalozos · 2018-08-13T12:33:35Z

Ports still used on the default interface:

Port	Service	Access Restrictions
16443	API server	SSL encrypted. Clients need to present a valid password from a Static Password File.
10250	kubelet	Anonymous authentication is disabled. X509 client certificate is required.
10255	kubelet	Read only port for the Kubelet.
random	kube-proxy	One random port per hosted service is opened as we use `--proxy-mode=userspace` for compatibility reasons.

If you remove --proxy-mode from /var/snap/microk8s/current/args/kube-proxy and sudo systemctl restart snap.microk8s.daemon-proxy kube-proxy will stop exposing the cluster hosted services.

tvansteenburgh

Looks good, just a few updates needed.

tvansteenburgh · 2018-09-11T13:01:18Z

README.md

@@ -13,7 +13,7 @@ snap install microk8s --classic --beta
 ```

 > At this time microk8s is an early beta, while this should be safe to install please beware.
-> In order to install microk8s make sure port 8080 is not used.
+> There are a few ports that need to be open for microk8s to install successfully. 8080 and 6443 are the most common ones. Please go though the [list of used ports](docs/ports.md) and the security implications involved in installing microk8s.


s/open/available/

tvansteenburgh · 2018-09-11T13:01:34Z

docs/ports.md

+
+For now microk8s is meant to be used for local development thus certain security issues are not addressed at this point. Here we present the ports and sockets each service uses as well as the default authorisation and authentication configuration.
+
+Services can be placed in two groups based on the network interface they are bind to. Services binding to the localhost interface are only available from within the host and we take no action to protect them. Services binding to the default host interface are available from outside the host and thus we enforce some form of access restrictions. The ports used by both types of services need to be free so that microk8s starts successfully.


"interface they are bound to" or "interface they bind to"

tvansteenburgh · 2018-09-11T13:04:03Z

docs/ports.md

+
+Services can be placed in two groups based on the network interface they are bind to. Services binding to the localhost interface are only available from within the host and we take no action to protect them. Services binding to the default host interface are available from outside the host and thus we enforce some form of access restrictions. The ports used by both types of services need to be free so that microk8s starts successfully.
+
+### Services Binging to the Default Host Interface


s/Binging/Binding/

tvansteenburgh · 2018-09-11T13:04:32Z

docs/ports.md

+If you remove `--proxy-mode` from `/var/snap/microk8s/current/args/kube-proxy` and `sudo systemctl restart snap.microk8s.daemon-proxy` kube-proxy will stop exposing the cluster hosted services.
+
+
+### Services Binging to the localhost Interface


s/Binging/Binding/

tvansteenburgh · 2018-09-11T13:06:12Z

docs/ports.md

+
+## Authentication and Authorization
+
+Upon a new deployment microk8s creates a new CA, a signed server certificate and a service account key file. These files are stored under `/var/microk8s/current/certs`. Kubelet an the API server are aware of the same CA and so the signed server certificate is used by the API server to authenticate with kubelet (`--kubelet-client-certificate`). Clients talking to the secure port of the API server (`6443`) have to also be aware of the CA (`certificate-authority-data` in user kubeconfig).


Kubelet and the API server...

tvansteenburgh · 2018-09-11T13:12:05Z

snapcraft.yaml.orig

@@ -0,0 +1,200 @@
+name: microk8s


Is this file (snapcraft.yaml.orig) supposed to be here?

nilbot · 2019-02-07T16:50:11Z

Can we test this PR by running the following? Referencing comments in #110 I'm however getting this message:

➜  sudo snap install microk8s --classic  --channel=1.13/edge/security-testing
microk8s (1.13/edge) v1.13.3 from Canonical✓ installed
Channel 1.13/edge/security-testing for microk8s is closed; temporarily forwarding to 1.13/edge.

When inspected the changes are not included in the 1.13/edge channel, unfortunately.

I would like to test this PR (preferably by running snap install command without --dangerous).

ktsakalozos · 2019-02-08T16:52:05Z

I would like to test this PR

@nilbot The channel 1.13/edge/security-testing was a temporary one. I had to re-upload a new snap package. You can now try:

sudo snap install microk8s --classic --channel=1.13/edge/security-testing

ktsakalozos · 2019-02-15T06:42:45Z

Closing this in favor of #323

ktsakalozos force-pushed the feature/access branch 2 times, most recently from df6cf5f to 908b9f3 Compare September 5, 2018 10:14

tvansteenburgh suggested changes Sep 11, 2018

View reviewed changes

ktsakalozos mentioned this pull request Sep 14, 2018

Security: don't bind to insecure address by default #110

Closed

ktsakalozos mentioned this pull request Dec 18, 2018

Error out of disk space when install in a LXC container #65

Closed

ktsakalozos force-pushed the feature/access branch from 908b9f3 to 0597630 Compare January 1, 2019 23:05

ktsakalozos mentioned this pull request Jan 20, 2019

NodePort restrictions? #284

Closed

ktsakalozos added 8 commits February 14, 2019 14:01

Securing microk8s services

f1652f6

Refactor registry and istio to use new client cred

c32bc1e

Documenting ports etc

b6a09c4

Rebase and move away from 8080 and 6443 ports

75dd5d6

Doc fixes

cad4b43

Fix snapcraft.yaml

dae9e38

Move back to 8080 port for backwards compatibility

40a3663

Use openssl on the host for installtion

f130b85

ktsakalozos force-pushed the feature/access branch from cc5e232 to f130b85 Compare February 14, 2019 12:01

ktsakalozos closed this Feb 15, 2019

ktsakalozos deleted the feature/access branch June 20, 2019 08:27

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Get most services out of the default interface #88

Get most services out of the default interface #88

ktsakalozos commented Aug 13, 2018 •

edited

tvansteenburgh left a comment

tvansteenburgh Sep 11, 2018

tvansteenburgh Sep 11, 2018

tvansteenburgh Sep 11, 2018

tvansteenburgh Sep 11, 2018

tvansteenburgh Sep 11, 2018

tvansteenburgh Sep 11, 2018

nilbot commented Feb 7, 2019 •

edited

ktsakalozos commented Feb 8, 2019

ktsakalozos commented Feb 15, 2019


		For now microk8s is meant to be used for local development thus certain security issues are not addressed at this point. Here we present the ports and sockets each service uses as well as the default authorisation and authentication configuration.

		Services can be placed in two groups based on the network interface they are bind to. Services binding to the localhost interface are only available from within the host and we take no action to protect them. Services binding to the default host interface are available from outside the host and thus we enforce some form of access restrictions. The ports used by both types of services need to be free so that microk8s starts successfully.


		Services can be placed in two groups based on the network interface they are bind to. Services binding to the localhost interface are only available from within the host and we take no action to protect them. Services binding to the default host interface are available from outside the host and thus we enforce some form of access restrictions. The ports used by both types of services need to be free so that microk8s starts successfully.

		### Services Binging to the Default Host Interface

		If you remove `--proxy-mode` from `/var/snap/microk8s/current/args/kube-proxy` and `sudo systemctl restart snap.microk8s.daemon-proxy` kube-proxy will stop exposing the cluster hosted services.


		### Services Binging to the localhost Interface


		## Authentication and Authorization

		Upon a new deployment microk8s creates a new CA, a signed server certificate and a service account key file. These files are stored under `/var/microk8s/current/certs`. Kubelet an the API server are aware of the same CA and so the signed server certificate is used by the API server to authenticate with kubelet (`--kubelet-client-certificate`). Clients talking to the secure port of the API server (`6443`) have to also be aware of the CA (`certificate-authority-data` in user kubeconfig).

Get most services out of the default interface #88

Get most services out of the default interface #88

Conversation

ktsakalozos commented Aug 13, 2018 • edited

tvansteenburgh left a comment

Choose a reason for hiding this comment

tvansteenburgh Sep 11, 2018

Choose a reason for hiding this comment

tvansteenburgh Sep 11, 2018

Choose a reason for hiding this comment

tvansteenburgh Sep 11, 2018

Choose a reason for hiding this comment

tvansteenburgh Sep 11, 2018

Choose a reason for hiding this comment

tvansteenburgh Sep 11, 2018

Choose a reason for hiding this comment

tvansteenburgh Sep 11, 2018

Choose a reason for hiding this comment

nilbot commented Feb 7, 2019 • edited

ktsakalozos commented Feb 8, 2019

ktsakalozos commented Feb 15, 2019

ktsakalozos commented Aug 13, 2018 •

edited

nilbot commented Feb 7, 2019 •

edited