Kubernetes - Do I need to do some additional hardening steps?
Basically I'm new to Kubernetes and I'm trying to create a simple nginx + php-fpm application. I've set up the deployment config, created the pods, set up some load balancers, etc. Everything's working fine and I'm controlling the cluster from Google Cloud Shell (because the cluster is created on Google Cloud Platform). I want to ask if I need to do some additional steps or if my cluster is safe and secure, for example: can someone connect to it from outside in some way, etc.? I've kept the default settings while creating the cluster and I have client certificate enabled (that's a way of authentication, right?). I just want to make sure. (Should it be secure by default?)
kubernetes google-kubernetes-engine
Could you make your question a bit more specific? Right now it might help you to do a bit of research online and figure out what you want to know.
– cookiedough
Mar 26 at 20:45
Yes, I will do some research on this, but it should be secure now too, no? (It's not like it's insecure, right?)
– JumpakCoding
Mar 26 at 20:53
You can consider using private clusters if you are worried about the node external IPs. However, I am currently deploying multiple nginx + php-fpm apps on a default GKE cluster and have had no complaints. I do recommend looking into your cluster design; you might want to make the connection with external tools airtight. It would help me to assist you better if you share your infra.
– cookiedough
Mar 26 at 21:01
Umm what do you mean by "infrastructure"?
– JumpakCoding
Mar 27 at 13:37
asked Mar 26 at 20:40
JumpakCoding
293 bronze badges
1 Answer
Consider what exactly you are "hardening" against; you can look at security from two contexts: application and cluster. They are usually decoupled, but either one can cause serious problems if it gets compromised.
For cluster security, there are many options on GKE to restrict access to your cluster that cover the majority of use cases. You can use RBAC (role-based access control) to limit user and service account permissions and prevent unauthorized access to, or modification of, your cluster resources. Additionally, if you use external tools (e.g. Helm), you will need to secure those individually. By default, only those with the client certificate should be able to access your master. If you share the certificate, or if another user in your Google Organizations account has the IAM permissions to access your cluster, they could also obtain permissions through the Google Cloud CLI. Good cluster security enforcement can greatly mitigate the effects of a compromised container/pod.
For application security, follow the best practices for deploying containerized applications and secret management. Basically, secure your nginx and PHP as you would on traditional servers.
Hope this helps!
edited Mar 27 at 10:12
Adrian nieto macias
706 bronze badges
answered Mar 26 at 21:08
Frank Yucheng Gu
1,115 13 bronze badges
I'm hardening against "cluster security", so if I keep the cluster like this and make sure I hide the certificate from everyone, and someone gets the IP addresses of the clusters (on the outside internet), it should be secure, and no one can connect to it unless I share the client certificate or someone gets into my Google Cloud Platform account. Do I understand it correctly? By connecting to the cluster I mean someone connecting to it, for example using kubectl, and controlling something.
– JumpakCoding
Mar 27 at 13:35
For a GKE cluster, it should be sufficiently robust for what you hope to accomplish; just be careful when using external tools like Helm/Tiller. Your understanding is correct.
– Frank Yucheng Gu
Mar 27 at 15:48
Yes I don't use any external tools.
– JumpakCoding
Mar 27 at 16:49
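The answer recommends RBAC to limit user and service account permissions, which in practice means reviewing the bindings the cluster already has. The script below is an added example (not code from the question, the answer, or GKE) of that review. It assumes the RBAC objects were exported with `kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json` and then loaded as Python dicts; the roles and bindings embedded here are constructed samples in the real RBAC object shape (`rules`, `roleRef`, `subjects`), so the script runs offline. It flags the two patterns most often behind a "default settings" cluster being wider open than expected: a privileged role bound to a built-in everyone group, and the namespace's `default` service account (whose token every pod mounts unless told otherwise) being able to read Secrets.

```python
"""Offline review of Kubernetes RBAC bindings for over-broad grants.

Added example; not code from the question or the answer. In a real cluster
the input would come from (assumed workflow):
  kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json
The objects below are constructed inline so the script runs offline.
"""

# Constructed sample roles, in the shape kubectl's JSON output uses.
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "web-deployer", "namespace": "web"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                "verbs": ["get", "list", "update", "patch"]}]},
    {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": "web"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"],
                "verbs": ["get", "list"]}]},
]

# Constructed sample bindings: two that should be flagged, one that is fine.
SAMPLE_BINDINGS = [
    # cluster-admin handed to every authenticated identity in the cluster.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    # The namespace's default service account may read Secrets, so any pod
    # that still mounts the default token inherits that right.
    {"kind": "RoleBinding",
     "metadata": {"name": "default-reads-secrets", "namespace": "web"},
     "roleRef": {"kind": "Role", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "web"}]},
    # A named CI identity limited to Deployments in one namespace: acceptable.
    {"kind": "RoleBinding",
     "metadata": {"name": "ci-deploys-web", "namespace": "web"},
     "roleRef": {"kind": "Role", "name": "web-deployer"},
     "subjects": [{"kind": "User", "name": "ci@example.com"}]},
]

# Built-in groups that mean "everyone" for practical purposes.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated",
                "system:serviceaccounts"}
READ_VERBS = {"get", "list", "watch", "*"}


def _index_roles(roles):
    # Key: (kind, namespace, name). ClusterRoles carry no namespace.
    return {(r["kind"], r["metadata"].get("namespace", ""),
             r["metadata"]["name"]): r for r in roles}


def _has_wildcard(rules):
    return any("*" in r.get("verbs", []) or "*" in r.get("resources", [])
               for r in rules)


def _reads_secrets(rules):
    return any(("secrets" in r.get("resources", []) or "*" in r.get("resources", []))
               and READ_VERBS & set(r.get("verbs", []))
               for r in rules)


def audit(roles, bindings):
    """Return (binding name, severity, reason) tuples for risky bindings."""
    idx = _index_roles(roles)
    findings = []
    for b in bindings:
        name, ref = b["metadata"]["name"], b["roleRef"]
        # A RoleBinding may reference a ClusterRole; that role has no namespace.
        ns = b["metadata"].get("namespace", "") if ref["kind"] == "Role" else ""
        role = idx.get((ref["kind"], ns, ref["name"]))
        if role is None:
            findings.append((name, "info", f"roleRef {ref['name']} not found"))
            continue
        rules = role.get("rules", [])
        risky = _has_wildcard(rules) or _reads_secrets(rules)
        for s in b.get("subjects", []):
            if s["kind"] == "Group" and s["name"] in BROAD_GROUPS and risky:
                findings.append((name, "high",
                                 f"{s['name']} bound to {ref['name']}"))
            elif s["kind"] == "ServiceAccount" and s["name"] == "default" and risky:
                findings.append((name, "medium",
                                 f"default SA in {s.get('namespace')} gets {ref['name']}"))
            elif b["kind"] == "ClusterRoleBinding" and _has_wildcard(rules):
                findings.append((name, "medium",
                                 f"{s['kind']} {s['name']} has cluster-wide wildcard via {ref['name']}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(*finding, sep="\t")
```

On the sample data `audit` reports `everyone-admin` as high and `default-reads-secrets` as medium, and leaves the narrowly scoped CI binding alone. To confirm the same thing from the cluster's point of view rather than from exported manifests, `kubectl auth can-i --list --as=system:serviceaccount:web:default` shows exactly what a pod running as that namespace's default service account is allowed to do.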