How do I configure NodeRestriction plug-in on kubelet?


Let's start with some context:

I'm studying CKS and reading CIS_Kubernetes_Benchmark_v1.6.0.pdf and there's a confusing section:

1.2.17 Ensure that the admission control plugin NodeRestriction is set (Automated)

...
Verify that the --enable-admission-plugins argument is set to a value that includes NodeRestriction.

Remediation:
Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes NodeRestriction.

The part about checking whether /etc/kubernetes/manifests/kube-apiserver.yaml has an entry for - --enable-admission-plugins=NodeRestriction,... makes sense. The annoying part is
"Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets."
It is extremely hard to google, and the Kubernetes official docs aren't clear about how to do this.

So now that the context is there the question is:

After setting - --enable-admission-plugins=NodeRestriction on the kube-apiserver, how do you verify that the NodeRestriction plug-in on the kubelet has been correctly configured?


There are 1 answers

neoakris On

To properly enable the NodeRestriction Admission Controller plugin, you actually need to update the Kubernetes configuration in 3 different places:

  1. kube-apiserver: - --enable-admission-plugins=NodeRestriction,...
  2. kube-apiserver: - --authorization-mode=Node,RBAC (You must have Node specified)
  3. kubelet (of every node): /var/lib/kubelet/config.yaml should have authorization.mode: Webhook (Other Kubernetes distributions may substitute /var/lib/kubelet/config.yaml with another method of configuring it, but I'm sure there'd be a matching value)

When kubelet's authorization.mode is set to Webhook, instead of its default of AlwaysAllow, it offloads authorization decisions to the Kubernetes API server. The Node Authorization mode is a special-purpose authorization mode that specifically authorizes API requests made by kubelet.

(The giantswarm article below is a great read, and does a good job explaining why you should implement this setting. I'll try to summarize it by saying that it's generic hardening that helps prevent privilege escalation by a compromised workload or bad actor.)

Sources:
1.) Kubernetes Security Essentials (LFS260)
2.) Securing the Configuration of Kubernetes Cluster Components
3.) Using Node Authorization
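
A way to check the three settings listed in the answer above, as an added example that is not part of the original post. The function names are hypothetical, the sample files are constructed, and the unquoted `- --flag=value` manifest layout is an assumption.

```shell
#!/bin/sh
# Added example: audits the three settings the answer lists.

# flag_has MANIFEST FLAG VALUE: true if the manifest passes --FLAG with a
# comma-separated list that contains VALUE as a whole element.
flag_has() {
    grep -E -- "^[[:space:]]*-[[:space:]]+--$2=" "$1" |
        sed -E 's/^[^=]*=//; s/[[:space:]]+$//' |
        tr ',' '\n' | grep -qx -- "$3"
}

# kubelet_authz_mode CONFIG: print authorization.mode from a kubelet config file.
kubelet_authz_mode() {
    awk '/^[^ \t#]/ { in_authz = ($1 == "authorization:"); next }
         in_authz && $1 == "mode:" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# check_node_restriction MANIFEST CONFIG: print PASS/FAIL per setting and
# return the number of failed checks (0 means all three are in place).
check_node_restriction() {
    fails=0
    for pair in enable-admission-plugins=NodeRestriction authorization-mode=Node; do
        if flag_has "$1" "${pair%%=*}" "${pair#*=}"; then
            echo "PASS kube-apiserver --${pair%%=*} includes ${pair#*=}"
        else
            echo "FAIL kube-apiserver --${pair%%=*} lacks ${pair#*=}"; fails=$((fails + 1))
        fi
    done
    mode=$(kubelet_authz_mode "$2")
    if [ "$mode" = Webhook ]; then
        echo "PASS kubelet authorization.mode is Webhook"
    else
        echo "FAIL kubelet authorization.mode is '${mode:-unset}'"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample files (not taken from a real cluster).
demo=$(mktemp -d)
printf '%s\n' 'spec:' '  containers:' '  - command:' '    - kube-apiserver' \
    '    - --authorization-mode=Node,RBAC' \
    '    - --enable-admission-plugins=NodeRestriction,PodSecurity' > "$demo/kube-apiserver.yaml"
printf '%s\n' 'authentication:' '  anonymous:' '    enabled: false' \
    'authorization:' '  mode: Webhook' 'kind: KubeletConfiguration' > "$demo/config.yaml"
check_node_restriction "$demo/kube-apiserver.yaml" "$demo/config.yaml"
```

On a real node, call `check_node_restriction` with /etc/kubernetes/manifests/kube-apiserver.yaml and /var/lib/kubelet/config.yaml; the kubelet file has to be checked on every node.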