typhoon/bare-metal/fedora-coreos/kubernetes
Dalton Hubble fd044ee117 Enable Kubelet TLS bootstrap and NodeRestriction
* Enable bootstrap token authentication on kube-apiserver
* Generate the bootstrap.kubernetes.io/token Secret that
may be used as a bootstrap token
* Generate a bootstrap kubeconfig (with a bootstrap token)
to be securely distributed to nodes. Each Kubelet will use
the bootstrap kubeconfig to authenticate to kube-apiserver
as `system:bootstrappers` and send a node-unique CSR for
kube-controller-manager to automatically approve to issue
a Kubelet certificate and kubeconfig (expires in 72 hours)
* Add ClusterRoleBinding for bootstrap token subjects
(`system:bootstrappers`) to have the `system:node-bootstrapper`
ClusterRole
* Add ClusterRoleBinding for bootstrap token subjects
(`system:bootstrappers`) to have the csr nodeclient ClusterRole
* Add ClusterRoleBinding for bootstrap token subjects
(`system:bootstrappers`) to have the csr selfnodeclient ClusterRole
* Enable NodeRestriction admission controller to limit the
scope of Node or Pod objects a Kubelet can modify to those of
the node itself
* Ability for a Kubelet to delete its Node object is retained
as preemptible nodes or those in auto-scaling instance groups
need to be able to remove themselves on shutdown. This need
continues to have precedence over any risk of a node deleting
itself maliciously

Security notes:

1. Issued Kubelet certificates authenticate as user `system:node:NAME`
and group `system:nodes` and are limited in their authorization
to perform API operations by Node authorization and NodeRestriction
admission. Previously, a Kubelet's authorization was broader. This
is the primary security motivation.

2. The bootstrap kubeconfig credential has the same sensitivity
as the previous generated TLS client-certificate kubeconfig.
It must be distributed securely to nodes. Its compromise still
allows an attacker to obtain a Kubelet kubeconfig

3. Bootstrapping Kubelet kubeconfig's with a limited lifetime offers
a slight security improvement.
  * An attacker who obtains the kubeconfig can likely obtain the
  bootstrap kubeconfig as well, to obtain the ability to renew
  their access
  * A compromised bootstrap kubeconfig could plausibly be handled
  by replacing the bootstrap token Secret, distributing the token
  to new nodes, and expiration. Whereas a compromised TLS-client
  certificate kubeconfig can't be revoked (no CRL). However,
  replacing a bootstrap token can be impractical in real cluster
  environments, so the limited lifetime is mostly a theoretical
  benefit.
  * Cluster CSR objects are visible via kubectl which is nice

4. Bootstrapping node-unique Kubelet kubeconfigs means Kubelet
clients have more identity information, which can improve the
utility of audits and future features

Rel: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/
Rel: https://github.com/poseidon/terraform-render-bootstrap/pull/185
2020-04-28 19:35:33 -07:00
..
fcc Enable Kubelet TLS bootstrap and NodeRestriction 2020-04-28 19:35:33 -07:00
LICENSE Add docs for Fedora CoreOS AWS and bare-metal 2019-07-18 00:55:22 -07:00
README.md Update Kubernetes from v1.18.1 to v1.18.2 2020-04-16 23:40:52 -07:00
bootstrap.tf Enable Kubelet TLS bootstrap and NodeRestriction 2020-04-28 19:35:33 -07:00
groups.tf Introduce list of detail objects for bare-metal machines 2019-10-06 20:22:45 -07:00
outputs.tf Rename bootkube modules to bootstrap 2019-09-14 16:24:32 -07:00
profiles.tf Fix terraform fmt 2020-03-31 21:42:51 -07:00
ssh.tf Rename CLC files and favor Terraform list index syntax 2019-12-28 12:14:01 -08:00
variables.tf Fix terraform fmt 2020-03-31 21:42:51 -07:00
versions.tf Adopt Terraform v0.12 templatefile function 2019-11-13 16:33:36 -08:00

README.md

Typhoon

Typhoon is a minimal and free Kubernetes distribution.

  • Minimal, stable base Kubernetes distribution
  • Declarative infrastructure and configuration
  • Free (freedom and cost) and privacy-respecting
  • Practical for labs, datacenters, and clouds

Typhoon distributes upstream Kubernetes, architectural conventions, and cluster addons, much like a GNU/Linux distribution provides the Linux kernel and userspace components.

Features

  • Kubernetes v1.18.2 (upstream)
  • Single or multi-master, Calico or flannel networking
  • On-cluster etcd with TLS, RBAC-enabled, network policy
  • Advanced features like snippets customization
  • Ready for Ingress, Prometheus, Grafana, and other optional addons

Docs

Please see the official docs and the bare-metal tutorial.