On Mon, Jun 19, 2017 at 12:52 AM, Ingo Gottwald <in.gottw...@gmail.com> wrote:
> We would like to change some things on the default GKE setup and the docs
> don't clarify whether it is safe to do so or if the next GKE update will
> fail after that or revert everything.
>
> We're thinking about changing two things specifically:
>
> 1) The fluentd config map in order to parse a little more and use
> structured logging in our own containers. (while still letting them use
> stdout/stderr)
> 2) Change the dashboard and give it a read only scope with no access to
> secrets.
>
> The 2nd is by far the most important:
> Currently with k8s 1.6 via GKE we can restrict our users nicely with RBAC,
> but this does not limit the ability for users to use "kubectl proxy".
> With "kubectl proxy" everybody gets access to the kubernetes-dashboard
> which by GKE default has the kube-system default token mounted, that can
> basically do anything.
> The dashboard itself has no authn/authz. Therefore anybody can escalate
> their own privileges to "root" in the cluster and leave any RBAC
> restrictions behind.
> This is nothing that we would be willing to launch in production.
>
> Our solution to this would be to use a token with limited abilities
> mounted into the dashboard container, or if everything else fails, drop the
> UI for now.
> But in those cases we would need to modify the deployment object created
> by GKE.
>
> Will changes like these make our cluster go up in flames on the next GKE
> Master upgrade?
>

To ensure that your changes aren't overwritten, it'd be best to delete the GKE-managed addons (e.g. disable logging on your cluster) and install them yourself (e.g. create your own fluentd daemonset). I don't think it is currently possible to disable the dashboard.

>
> --
> You received this message because you are subscribed to the Google Groups
> "Kubernetes user discussion and Q&A" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to kubernetes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to kubernetes-users@googlegroups.com.
> Visit this group at https://groups.google.com/group/kubernetes-users.
> For more options, visit https://groups.google.com/d/optout.