Is there any Kubernetes port forwarding security concern?

limetree · February 8, 2021, 9:02pm

Asking for help? Comment out what you need so we can get more information to help you!

Cluster information:

Kubernetes version: v1.17
Cloud being used: (put bare-metal if not on a public cloud)
Installation method:
Host OS:
CNI and version:
CRI and version:

I am researching on whether there is security concern with Kubernetes port forwarding and common or best practice with it. Would you someone share thoughts? Thanks.

Below are my thought. Please correct me or provide information. Thanks.

I think port forwarding is a common practice, and as long as the localhost to which the pod port is forwarding is safe -in internal network behind firewall – should be fine.

Also, it seems the tunnel/route for access is(also questions here):

localhost:localport → api server (through http or https? how to enable https here or mechanic to security security)
from api server → Kubelet? (this should be common route, so no concern here?)

limetree · February 9, 2021, 9:52pm

To add to my questions above, if the pod is a tiller pod, whether there will be a security concern? Any thoughts are welcome.

mrbobbytables · February 10, 2021, 12:49pm

Your access is still limited by whatever RBAC permissions are in play.
Explicit access to port-forwarding can be enabled with granting access to the resource pods/portforward.

This is done using tls

Tiller is generally granted privileged access, however that has been a large pain point. Helm as a project has moved away from tiller for the myriad of issues (security being a big one of them) associated with it.

limetree · February 10, 2021, 10:22pm

Thank you very much, Mrbobbytables, for explaining this to me!