kubectl exec vs ssh using bastion

Question

KOPS lets us create a Kubernetes cluster along with a bastion that has ssh access to the cluster nodes

With this setup is it still considered safe to use kubectl to interact with the Kubernetes API server?

kubectl can also be used to interact with shell on the pods? Does this need any restrictions?

What are the precautionary steps that need to be taken if any? Should the Kubernetes API server also be made accessible only through the bastion?

Answer 1

Deploying a Kubernetes cluster with the default Kops settings isn’t secure at all and shouldn’t be used in production as such. There are multiple configuration settings that can be done using kops edit command. Following points should be considered after creating a Kubnertes Cluster via Kops:

• Cluster Nodes in Private Subnets (existing private subnets can be specified using --subnets with the latest version of kops)
• Private API LoadBalancer (--api-loadbalancer-type internal)
• Restrict API Loadbalancer to certain private IP range (--admin-access 10.xx.xx.xx/24)
• Restrict SSH access to Cluster Node to particular IP (--ssh-access xx.xx.xx.xx/32)
• Hardened Image can also be provisioned as Cluster Nodes (--image )
• Authorization level must be RBAC. With latest Kubernetes version, RBAC is enabled by default.
• The Audit logs can be enabled via configuration in Kops edit cluster. kubeAPIServer: auditLogMaxAge: 10 auditLogMaxBackups: 1 auditLogMaxSize: 100 auditLogPath: /var/log/kube-apiserver-audit.log auditPolicyFile: /srv/kubernetes/audit.yaml