
api - Securing the Kubernetes API while allowing Gitlab integration

Reposted. Author: 行者123. Updated: 2023-12-02 12:26:50

I want to configure Kubernetes on a private machine to use the Gitlab CI/CD tools. The purpose is only to experiment with Gitlab for a few days.
Using this setup in production is out of the question. I hope you can help me secure the Kubernetes API. I don't need a hacker-proof solution, but at the very least I want the API not to be exposed to even a naive malicious user. This machine is connected to a private network, so I can't imagine anything being hacked other than an old, freshly reset machine that will be shut down within a few days.
So far I have been able to set up Minikube, create a kube proxy and expose it to Gitlab. The integration has been successful.
However, I noticed that the Kubernetes API is exposed to anyone. For example, anyone can access https://my-ip.com:port/api/v1/namespaces/default/pods . How should I secure the API so that gitlab can connect to the cluster (following this method) but nobody else without a certificate or token can access the cluster?
I set up Gitlab with a CA certificate and a service token, but I guess it doesn't need them, since the Kubernetes API appears to be public.

Best answer

You don't have to use kube-proxy to expose the cluster. You should read Accessing services running on the cluster, which describes the ways to connect to the cluster.

Access services through public IPs.

  • Use a service with type NodePort or LoadBalancer to make the service reachable outside the cluster. See the services and kubectl expose documentation.
  • Depending on your cluster environment, this may just expose the service to your corporate network, or it may expose it to the internet. Think about whether the service being exposed is secure. Does it do its own authentication?
  • Place pods behind services. To access one specific pod from a set of replicas, such as for debugging, place a unique label on the pod and create a new service which selects this label.
  • In most cases, it should not be necessary for application developers to directly access nodes via their nodeIPs.

Access services, nodes, or pods using the Proxy Verb.

  • Does apiserver authentication and authorization prior to accessing the remote service. Use this if the services are not secure enough to expose to the internet, or to gain access to ports on the node IP, or for debugging.
  • Proxies may cause problems for some web applications.
  • Only works for HTTP/HTTPS.
  • Described here.

Access from a node or pod in the cluster.

  • Run a pod, and then connect to a shell in it using kubectl exec. Connect to other nodes, pods, and services from that shell.
  • Some clusters may allow you to ssh to a node in the cluster. From there you may be able to access cluster services. This is a non-standard method, and will work on some clusters but not others. Browsers and other tools may or may not be installed. Cluster DNS may not work.

I also recommend reading Kubernetes Security 101: Risks and 29 Best Practices and Securely configure the Kubernetes API server.
For example, move away from the default namespace and use separate namespaces to isolate applications. Use TLS and enable RBAC.
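The answer's last recommendation (separate namespaces, RBAC) can be made concrete with a manifest. The following is an added example, not code from the answer or from Gitlab's documentation: it creates a dedicated namespace and a service account for the Gitlab integration, and binds it to a namespace-scoped Role instead of granting cluster-wide rights. The names `gitlab-demo`, `gitlab-ci` and `gitlab-ci-deployer` are assumptions chosen for the example; the permission list is a reasonable starting point for deploying workloads and should be trimmed to what the pipeline actually does. It assumes the API server runs with RBAC in its authorization modes, which is the default for Minikube.

```yaml
# Added example (not from the original answer). Assumed names: namespace
# "gitlab-demo", service account "gitlab-ci", role "gitlab-ci-deployer".
# Requires the kube-apiserver to authorize with RBAC (the Minikube default).
apiVersion: v1
kind: Namespace
metadata:
  name: gitlab-demo
---
# The identity Gitlab will use. Its token is what goes into the Gitlab
# cluster integration, alongside the cluster CA certificate.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-ci
  namespace: gitlab-demo
---
# A Role is namespace-scoped: the permissions below apply only inside
# gitlab-demo, so a leaked token cannot read pods in "default" or any
# other namespace. Use ClusterRole/ClusterRoleBinding only when cluster-wide
# access is genuinely required.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitlab-ci-deployer
  namespace: gitlab-demo
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "configmaps", "secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Bind the Role to the service account, again inside gitlab-demo only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitlab-ci-deployer
  namespace: gitlab-demo
subjects:
  - kind: ServiceAccount
    name: gitlab-ci
    namespace: gitlab-demo
roleRef:
  kind: Role
  name: gitlab-ci-deployer
  apiGroup: rbac.authorization.k8s.io
```

Apply it with `kubectl apply -f gitlab-rbac.yaml` (file name assumed), then verify the scope before handing a token to Gitlab: `kubectl auth can-i get pods -n gitlab-demo --as=system:serviceaccount:gitlab-demo:gitlab-ci` should print `yes`, while the same command with `-n default` should print `no`. On Kubernetes 1.24 or newer, `kubectl create token gitlab-ci -n gitlab-demo` issues a short-lived token for the account. None of this helps if the API server itself is reached through an unauthenticated proxy, which is why the answer's first point, not exposing the cluster via a proxy, comes first.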

Regarding api - Securing the Kubernetes API while allowing Gitlab integration, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/62781916/
