We're getting close to going to production with our new clusters based on Microk8s.
Currently we’re hardening the clusters according to the CIS benchmark: https://github.com/aquasecurity/kube-bench
Right now we're looking at disabling token-based authentication, which is enabled by default in Microk8s.
When I remove the kube-apiserver argument:
and optionally delete the known_tokens.csv file, then token-based access no longer works.
So far so good.
I could also create new users that use certificates according to this documentation:
although I expect to use AD-integration via oauth2-proxy instead for normal users.
So, my questions are these:
- When disabling tokens, what about the existing users defined in known_tokens.csv?
- Do I try to update the admin user so it authenticates via certificate instead?
- If yes, how?
- If no, should the clusterrole be deleted? I guess it can’t be used anymore if so.
- Should I use the more commonly used cluster-admin for a new admin user?
- And what about the remaining entries in the file? Will proxy, controller-manager, kubelet and scheduler still work, or should their authentication be updated to use certificates?
- Kubelet at least must use certificates, via the kubelet arguments `--tls-cert-file` and `--tls-private-key-file`.
Btw: I’ve created this issue to have the default installation be more CIS compliant by default:
Thanks in advance for any insight!
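As an added example (not from the original post, and not MicroK8s project code), the script below inventories a kube-apiserver static token file and derives, for each entry, the client-certificate subject that would preserve its identity. Kubernetes maps a client cert's CN to the user name and each O to a group, so a cert with CN=user and O=group keeps the existing RBAC bindings working after the token is gone. The token file and args file contents are constructed samples in the documented formats (token,user,uid,"g1,g2"; one flag per line); the user names only mimic the ones the post mentions, the tokens are placeholders, and the flag checked for is assumed to be --token-auth-file, the standard kube-apiserver static-token flag, since the post does not name the argument it removed.

```python
import csv
import io

# Constructed sample in the kube-apiserver static token file format:
# token,user,uid[,"group1,group2,..."]. Placeholders, not real credentials.
SAMPLE_KNOWN_TOKENS = """\
tok-admin-0000,admin,admin,"system:masters"
tok-proxy-0000,system:kube-proxy,kube-proxy
tok-cm-0000,system:kube-controller-manager,controller-manager
tok-sched-0000,system:kube-scheduler,scheduler
tok-kubelet-0000,system:node:host-1,kubelet,"system:nodes"
"""

# Constructed sample of a one-flag-per-line kube-apiserver args file
# (assumed layout; the original post does not show the file).
SAMPLE_APISERVER_ARGS = """\
--authorization-mode=RBAC,Node
--token-auth-file=${SNAP_DATA}/credentials/known_tokens.csv
--client-ca-file=${SNAP_DATA}/certs/ca.crt
"""


def parse_known_tokens(text):
    """Parse a static token file into dicts with token, user, uid and groups.

    The fourth column is optional and may hold several comma-separated
    groups inside one quoted field, which csv.reader unquotes for us.
    """
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue  # blank line or comment
        if len(row) < 3:
            raise ValueError(f"malformed token row: {row!r}")
        groups = [g for g in row[3].split(",") if g] if len(row) > 3 else []
        entries.append({"token": row[0], "user": row[1], "uid": row[2], "groups": groups})
    return entries


def cert_subject(entry):
    """Build the openssl -subj string that reproduces this identity.

    Kubernetes takes the user name from CN and the groups from every O,
    so RBAC bindings for the user and its groups keep matching.
    Names containing '/' would need escaping; Kubernetes system names don't.
    """
    subj = "/CN=" + entry["user"]
    for group in entry["groups"]:
        subj += "/O=" + group
    return subj


def token_auth_enabled(args_text):
    """Return True while the args file still carries --token-auth-file
    (assumed to be the flag the post removed)."""
    return any(line.strip().startswith("--token-auth-file")
               for line in args_text.splitlines())


def migration_plan(known_tokens_text):
    """Return (user, openssl command) pairs that would mint a replacement
    client cert per token entry, signed by the cluster CA. Nothing is run
    here; ca.crt/ca.key are assumed to be the cluster CA pair."""
    plan = []
    for entry in parse_known_tokens(known_tokens_text):
        stem = entry["user"].replace(":", "_")  # safe file name
        cmd = (
            f"openssl req -new -newkey rsa:2048 -nodes -keyout {stem}.key "
            f"-subj '{cert_subject(entry)}' -out {stem}.csr && "
            f"openssl x509 -req -in {stem}.csr -CA ca.crt -CAkey ca.key "
            f"-CAcreateserial -days 365 -out {stem}.crt"
        )
        plan.append((entry["user"], cmd))
    return plan


if __name__ == "__main__":
    print("token auth still enabled:", token_auth_enabled(SAMPLE_APISERVER_ARGS))
    for user, cmd in migration_plan(SAMPLE_KNOWN_TOKENS):
        print(f"{user}:\n  {cmd}")
```

Run it against the real files (for example `/var/snap/microk8s/current/credentials/known_tokens.csv` and the `args/kube-apiserver` file, paths assumed) to see which identities still rely on tokens before pulling the flag. Two caveats a practitioner should keep in mind: a kubelet identity needs CN=system:node:<name> with O=system:nodes for the Node authorizer to accept it, and a cert in the system:masters group bypasses RBAC entirely, so treat that key like the root credential it is.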