We would like to change some things on the default GKE setup and the docs don't clarify whether it is safe to do so or if the next GKE update will fail after that or revert everything.
We're thinking about changing two things specifically: 1) The fluentd config map in order to parse a little more and use structured logging in our own containers. (while still letting them use stdout/stderr) 2) Change the dashboard and give it a read only scope with no access to secrets. The 2nd is by far the most important: Currently with k8s 1.6 via GKE we can restrict our users nicely with RBAC, but this does not limit the ability for users to use "kubectl proxy". With "kubectl proxy" everybody gets access to the kubernetes-dashboard which by GKE default has the kube-system default token mounted, that can basically do anything. The dashboard itself has no authn/authz. Therefore anybody can escalate their own privileges to "root" in the cluster and leave any RBAC restrictions behind. This is nothing that we would be willing to launch in production. Our solution to this would be to use a token with limited abilities mounted into the dashboard container, or if everything else fails, drop the UI for now. But in those cases we would need to modify the deployment object created by GKE. Will changes like these make our cluster go up in flames on the next GKE Master upgrade? -- You received this message because you are subscribed to the Google Groups "Kubernetes user discussion and Q&A" group. To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-users+unsubscr...@googlegroups.com. To post to this group, send email to kubernetes-users@googlegroups.com. Visit this group at https://groups.google.com/group/kubernetes-users. For more options, visit https://groups.google.com/d/optout.
