Is there any Kubernetes port forwarding security concern?


Cluster information:

Kubernetes version: v1.17
Cloud being used: (put bare-metal if not on a public cloud)
Installation method:
Host OS:
CNI and version:
CRI and version:

I am researching whether there are security concerns with Kubernetes port forwarding and what the common or best practices around it are. Would someone share their thoughts? Thanks.

Below are my thoughts. Please correct me or provide more information. Thanks.

I think port forwarding is a common practice, and as long as the localhost to which the pod port is forwarded is safe (in an internal network behind a firewall), it should be fine.

Also, it seems the tunnel/route for access is (also questions here):

  1. localhost:localport → API server (through HTTP or HTTPS? How do I enable HTTPS here, or what mechanism secures it?)
  2. API server → kubelet? (this should be the common route, so no concern here?)

To add to my questions above, if the pod is a Tiller pod, will there be a security concern? Any thoughts are welcome.

Your access is still limited by whatever RBAC permissions are in play.
Explicit access to port-forwarding can be enabled by granting access to the resource pods/portforward.

This is done using TLS.

Tiller is generally granted privileged access, however that has been a large pain point. Helm as a project has moved away from tiller for the myriad of issues (security being a big one of them) associated with it.
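As an added example (not part of the reply above), here is what a least-privilege grant for port-forwarding looks like in RBAC. `kubectl port-forward` first reads the target pod and then POSTs to the `pods/portforward` subresource, so the Role below grants `get`/`list` on pods plus `create` on `pods/portforward`, and nothing else (no `pods/exec`, so the subject can tunnel to a port but cannot run commands in the container). The namespace `internal-apis` and user `alice` are assumed placeholder names.

```yaml
# Added example: least-privilege RBAC for kubectl port-forward.
# Namespace "internal-apis" and user "alice" are assumed placeholder names.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-portforward
  namespace: internal-apis
rules:
  # kubectl port-forward looks up the target pod before opening the tunnel,
  # so read access to pods in this namespace is required.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  # The tunnel itself is a POST to pods/<name>/portforward, hence "create"
  # on the portforward subresource. pods/exec and pods/attach are deliberately
  # not granted.
  - apiGroups: [""]
    resources: ["pods/portforward"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alice-pod-portforward
  namespace: internal-apis
subjects:
  - kind: User
    name: alice
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-portforward
  apiGroup: rbac.authorization.k8s.io
```

After applying it, `kubectl auth can-i create pods/portforward --namespace internal-apis --as alice` should answer `yes`, while the same check against `pods/exec` or against another namespace should answer `no`. Because the forward is an ordinary authenticated API request, each tunnel also shows up in the API server audit log as a `create` on the `portforward` subresource of the pod, which is the place to look when reviewing who has been tunnelling into cluster-internal services.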

Thank you very much, Mrbobbytables, for explaining this to me!

Is communication from localhost to the API server always done using TLS? I have a case where I have a cluster with microservices with APIs that are exposed to the internet, each microservice in its own deployment, but one microservice has an API that’s only accessible from within the cluster. If I port-forward to a pod in that cluster-only deployment I can hit the API but I want to know if my requests to localhost:myport/some/path are encrypted or not. Is that a setting that needs to be explicitly set or does port-forward always encrypt that communication?