* Kubernetes plans to stop releasing the hyperkube container image
* Upstream will continue to publish `kube-apiserver`, `kube-controller-manager`, `kube-scheduler`, and `kube-proxy` container images to `k8s.gcr.io`
* Upstream will publish Kubelet only as a binary for distros to package, either as a DEB/RPM on traditional distros or a container image on container-optimized operating systems
* Typhoon will package the upstream Kubelet (checksummed) and its dependencies as a container image for use on CoreOS Container Linux, Flatcar Linux, and Fedora CoreOS
* Update the Typhoon container image security policy to list `quay.io/poseidon/kubelet` as an official distributed artifact

Hyperkube: https://github.com/kubernetes/kubernetes/pull/88676
Kubelet Container Image: https://github.com/poseidon/kubelet
Kubelet Quay Repo: https://quay.io/repository/poseidon/kubelet
# Security

Typhoon aims to be minimal and secure. We're running it ourselves after all.

## Overview

### Kubernetes
- etcd with peer-to-peer and client-auth TLS
- Generated kubelet TLS certificates and `kubeconfig` (365 days)
- Role-Based Access Control is enabled. Apps must define RBAC policies
- Workloads run on worker nodes only, unless they tolerate the master taint
- Kubernetes Network Policy and Calico NetworkPolicy support[^1]
### Hosts
- Container Linux auto-updates are enabled
- Hosts limit logins to SSH key-based auth (user "core")
### Platform
- Cloud firewalls limit access to ssh, kube-apiserver, and ingress
- No cluster credentials are stored in Matchbox (used for bare-metal)
- No cluster credentials are stored in Digital Ocean metadata
- Cluster credentials are stored in AWS metadata (for ASGs)
- Cluster credentials are stored in Azure metadata (for scale sets)
- Cluster credentials are stored in Google Cloud metadata (for managed instance groups)
- No account credentials are available to Digital Ocean droplets
- No account credentials are available to AWS EC2 instances (no IAM permissions)
- No account credentials are available to Azure instances (no IAM permissions)
- No account credentials are available to Google Cloud instances (no IAM permissions)
## Precautions
Typhoon limits exposure to many security threats, but it is not a silver bullet. As usual,
- Do not run untrusted images or accept manifests from strangers
- Do not give untrusted users a shell behind your firewall
- Define network policies for your namespaces
## Container Images
Typhoon uses upstream container images (where possible) and upstream binaries.
!!! note
    Kubernetes releases `kubelet` as a binary for distros to package, either as a DEB/RPM on traditional distros or as a container image for container-optimized operating systems.

Typhoon packages the upstream Kubelet and its dependencies as a container image for use in Typhoon. The upstream Kubelet binary is checksummed and packaged directly. Quay automated builds provide verifiability and confidence in image contents.
## Disclosures
If you find security issues, please email dghubble at gmail. If the issue lies in upstream Kubernetes, please inform upstream Kubernetes as well.
[^1]: Requires `networking = "calico"`. Calico is the default on all platforms (AWS, Azure, bare-metal, DigitalOcean, and Google Cloud).