@gbevan
Last active February 5, 2019 05:50
Secure microk8s api via proxy

Securing Microk8s API access via kube-proxy on https port 6443 (blocking http/8080)

  1. Instead of setting the iptables FORWARD default policy to ACCEPT, leave it as DROP and follow this gist
  2. Configure explicit permit rules in /etc/iptables.conf (from the above gist), e.g.
# Allow internal private k8s IPs to talk
-A FILTERS -m state --state NEW -s 10.0.0.0/8 -j ACCEPT

# Permit direct https/6443 access to k8s proxy from local subnet
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 6443 -s your-src-ip-subnet/24 -j ACCEPT

# Permit direct https/443 access to ingress from local subnet
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 443 -s your-src-ip-subnet/24 -j ACCEPT

# Reject everything else
-A FILTERS -j REJECT --reject-with icmp-host-prohibited

Now you can create a local admin.conf file to access the remote 6443 proxy, e.g.:

apiVersion: v1
clusters:
- cluster:
    server: https://your-microk8s-host:6443
    insecure-skip-tls-verify: true
  name: microk8s-cluster
contexts:
- context:
    cluster: microk8s-cluster
    namespace: default
    user: admin
  name: microk8s
current-context: microk8s
kind: Config
preferences: {}
users:
- name: admin
  user:
    username: admin
    password: get this from ${SNAP}/microk8s/current/basic_auth.csv (the 1st field)