Kubernetes 101 : Securing the Kubelet



The kubelet is the node agent that runs on every node of the Kubernetes cluster. Among its tasks:
  • registering nodes.
  • creating pods.
  • monitoring pods.
  • monitoring nodes.
The kubelet runs as a systemd service on each host.
Below is a snippet of its service file "kubelet.service":


To see all the parameters the kubelet is running with, we look at the output of the command below:


Among the kubelet's parameters we can see the config file, "--config=/var/lib/kubelet/config.yaml", which also appears in the "kubelet.service" file above.

Instead of passing every parameter on the command line in the "kubelet.service" file, we put them in the config file and point the kubelet at it with the "--config" parameter.

Below is a generic example of a config file and its parameters:


The kubelet listens on two ports:
  • 10250 : the main port, used for requests coming from the API-server (authenticated).
  • 10255 : the read-only port, which serves unauthenticated requests.
To block anonymous, unauthorized access to the kubelet, we set the parameters below in the YAML config file:


This way, any client must authenticate with either an X.509 client certificate or a bearer token.

We can also disable the read-only port on the kubelet by setting the value below to "0" in the YAML configuration file:
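As an added example (not from the original post), the two settings described above shown as a KubeletConfiguration: a permissive version beside the hardened one. The CA file path is an assumption taken from a typical kubeadm layout.

```yaml
# Permissive configuration: anonymous requests are accepted on 10250,
# every request is authorized regardless of who sent it, and 10255
# serves pod and node details with no authentication at all.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
port: 10250
readOnlyPort: 10255
authentication:
  anonymous:
    enabled: true
authorization:
  mode: AlwaysAllow
---
# Hardened configuration: anonymous access is off, callers must present
# an X.509 client certificate signed by clientCAFile or a bearer token
# that the API server validates (webhook), each request is then
# authorized through the API server (Webhook mode), and the read-only
# port is disabled. The clientCAFile path is an assumption.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
port: 10250
readOnlyPort: 0
authentication:
  anonymous:
    enabled: false
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
  webhook:
    enabled: true
    cacheTTL: 2m0s
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 5m0s
    cacheUnauthorizedTTL: 30s
```

With both webhook settings on, the kubelet validates tokens and authorizes requests by calling the API server's TokenReview and SubjectAccessReview APIs with its own kubeconfig credentials. The kube-apiserver must in turn be configured with kubelet client credentials so it can still reach port 10250 once anonymous access is off.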
