How to disable kubectl insecure approval towards the kube apiserver
Solution 1:
My problem is that it also works if I remove the CAs or have wrong CAs and simply apply the flag --insecure-skip-tls-verify.
Using --insecure-skip-tls-verify is highly NOT RECOMMENDED in a production environment. It can be used when you want to do some local tests or for learning purposes.
In the kubectl documentation you have this information:
    --insecure-skip-tls-verify
    If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
So, if this flag is set to true, it will always skip certificate checks and the identity of the server is not checked at all. It's similar to curl -k:
    -k, --insecure
    (TLS) By default, every SSL connection curl makes is verified to
    The server connection is verified by making sure the server's
    interface name, IP address or host name.
You can secure your cluster in many ways, but it depends on the scenario. However, there are some main API server port and IP concepts:
Use the secure port
By default the Kubernetes API server serves HTTP on 2 ports:
Localhost port (disable insecure HTTP connections):
- is intended for testing and bootstrap, and for other components of the master node (scheduler, controller-manager) to talk to the API
- no TLS
- default is port 8080, change with the --insecure-port flag. (It can be disabled by --insecure-port=0)
- default IP is localhost, change with the --insecure-bind-address flag. (Remove --insecure-bind-address)
- request bypasses authentication and authorization modules.
- request handled by admission control module(s).
- protected by need to have host access
Secure port (enable it and use it whenever possible):
- uses TLS. Set cert with --tls-cert-file and key with the --tls-private-key-file flag.
- default is port 6443, change with the --secure-port flag.
- default IP is first non-localhost network interface, change with the --bind-address flag.
- request handled by authentication and authorization modules.
- request handled by admission control module(s).
- authentication and authorization modules run.
Restrict API access, meaning you should allow access to your API only from a specific IP or a specific IP range (authorized networks). It shouldn't be accessible from the outside world. To do it, you may use firewall rules or Network Policy.
Turn off anonymous requests, which you already did.
You can look into --insecure-port=0; however, it should be deprecated in newer versions.
As additional information, I would advise you to check Kubernetes The Hard Way, especially 3 chapters: Provisioning Compute Resources, Provisioning the CA and Generating TLS Certificates, and Generating Kubernetes Configuration Files for Authentication. You can find some best practices there.
A very good explanation of the kube-apiserver flags can be found in this article.
Useful links about Cluster Security:
The Basics of Keeping Kubernetes Clusters Secure - How to secure the kube-apiserver
Controlling Access to the Kubernetes API
Kubernetes security best practices
Kubernetes Security 101: Risks and 29 Best Practices
Accessing Clusters
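The two checks below turn the answer's advice into something a defender can run: a kubeconfig audit that flags insecure-skip-tls-verify, a plaintext http:// server URL (the localhost port) and a cluster entry with no CA pinned, and a kube-apiserver command-line audit that flags an open --insecure-port, a non-localhost --insecure-bind-address, anonymous requests left enabled and a missing serving certificate. This is an added example, not code from the answer or from the kubectl/Kubernetes projects; the kubeconfig, hosts, file paths and command lines are constructed, and the assumed defaults (insecure port 8080, anonymous-auth enabled) are the ones the answer and the kube-apiserver documentation describe.

```python
"""Added example (not from the answer above): audit a kubeconfig and a
kube-apiserver command line for the weak settings the answer describes.
All sample inputs below are constructed for illustration."""
import json
import shlex
from typing import Dict, List

# Constructed kubeconfig in JSON form (kubectl reads JSON kubeconfigs too,
# since JSON is valid YAML). Hosts and paths are made up.
SAMPLE_KUBECONFIG: Dict = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Config",
  "clusters": [
    {"name": "prod",
     "cluster": {"server": "https://10.0.0.10:6443",
                 "certificate-authority": "/etc/kubernetes/pki/ca.crt"}},
    {"name": "staging",
     "cluster": {"server": "https://10.0.0.11:6443"}},
    {"name": "lab",
     "cluster": {"server": "https://10.0.0.20:6443",
                 "insecure-skip-tls-verify": true}},
    {"name": "local",
     "cluster": {"server": "http://localhost:8080"}}
  ],
  "current-context": "prod"
}
""")


def audit_kubeconfig(cfg: Dict) -> List[str]:
    """Return one finding per weak cluster entry; an empty list means clean."""
    findings: List[str] = []
    for entry in cfg.get("clusters", []):
        name = entry.get("name", "<unnamed>")
        cluster = entry.get("cluster", {})
        server = cluster.get("server", "")
        has_ca = bool(cluster.get("certificate-authority")
                      or cluster.get("certificate-authority-data"))
        skip_verify = cluster.get("insecure-skip-tls-verify") is True
        if skip_verify:
            # Equivalent of curl -k: the server certificate is never validated,
            # so whatever answers at that address is accepted as the API server.
            findings.append(f"{name}: insecure-skip-tls-verify is true")
        if server.startswith("http://"):
            # The plaintext localhost port: no TLS and, per the answer, requests
            # bypass the authentication and authorization modules.
            findings.append(f"{name}: plaintext server URL {server}")
        elif server.startswith("https://") and not has_ca and not skip_verify:
            # No cluster CA pinned: kubectl falls back to the system trust store,
            # which will not contain a self-signed cluster CA, so the connection
            # fails unless verification is skipped.
            findings.append(f"{name}: no certificate-authority configured")
    return findings


def parse_flags(cmdline: str) -> Dict[str, str]:
    """Parse '--key=value', '--key value' and bare '--key' (treated as true)."""
    tokens = shlex.split(cmdline)[1:]  # drop the binary name
    flags: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            key, sep, value = tok[2:].partition("=")
            if not sep:
                if i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                    value = tokens[i + 1]
                    i += 1
                else:
                    value = "true"
            flags[key] = value
        i += 1
    return flags


def audit_apiserver_flags(cmdline: str) -> List[str]:
    """Check a kube-apiserver command line against the answer's recommendations."""
    flags = parse_flags(cmdline)
    findings: List[str] = []
    # Historical default is 8080; only 0 fully disables the plaintext port.
    insecure_port = flags.get("insecure-port", "8080")
    if insecure_port != "0":
        findings.append(f"insecure-port={insecure_port}: plaintext port is open")
    bind = flags.get("insecure-bind-address")
    if bind is not None and bind not in ("127.0.0.1", "localhost", "::1"):
        findings.append(f"insecure-bind-address={bind}: plaintext port reachable off-host")
    # kube-apiserver accepts anonymous requests unless told otherwise.
    if flags.get("anonymous-auth", "true") != "false":
        findings.append("anonymous-auth is not disabled")
    for name in ("tls-cert-file", "tls-private-key-file"):
        if name not in flags:
            findings.append(f"--{name} not set: serving certificate not explicitly configured")
    return findings


# Constructed command lines: one weak, one following the answer's advice.
WEAK_APISERVER = ("kube-apiserver --insecure-port=8080 "
                  "--insecure-bind-address=0.0.0.0 --advertise-address=10.0.0.10")
HARDENED_APISERVER = ("kube-apiserver --insecure-port=0 --anonymous-auth=false "
                      "--secure-port=6443 --bind-address=10.0.0.10 "
                      "--tls-cert-file=/etc/kubernetes/pki/apiserver.crt "
                      "--tls-private-key-file=/etc/kubernetes/pki/apiserver.key")

if __name__ == "__main__":
    for finding in audit_kubeconfig(SAMPLE_KUBECONFIG):
        print("kubeconfig:", finding)
    for finding in audit_apiserver_flags(WEAK_APISERVER):
        print("weak apiserver:", finding)
    print("hardened apiserver findings:", audit_apiserver_flags(HARDENED_APISERVER))
```

Running it reports the staging, lab and local clusters from the constructed kubeconfig (prod, which pins a CA and uses https, passes), five findings for the weak kube-apiserver command line and none for the hardened one. To audit a real kubeconfig, convert it to JSON first or swap json.loads for a YAML loader; the checks themselves only look at the cluster entries.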