On Mon, Jun 19, 2017 at 12:52 AM, Ingo Gottwald <in.gottw...@gmail.com>
wrote:

> We would like to change some things on the default GKE setup and the docs
> don't clarify whether it is safe to do so or if the next GKE update will
> fail after that or revert everything.
>
> We're thinking about changing two things specifically:
>
> 1) The fluentd config map in order to parse a little more and use
> structured logging in our own containers. (while still letting them use
> stdout/stderr)
> 2) Change the dashboard and give it a read only scope with no access to
> secrets.
>
> The 2nd is by far the most important:
> Currently with k8s 1.6 via GKE we can restrict our users nicely with RBAC,
> but this does not limit the ability for users to use "kubectl proxy".
> With "kubectl proxy" everybody gets access to the kubernetes-dashboard
> which by GKE default has the kube-system default token mounted, that can
> basically do anything.
> The dashboard itself has no authn/authz. Therefore anybody can escalate
> their own privileges to "root" in the cluster and leave any RBAC
> restrictions behind.
> This is nothing that we would be willing to launch in production.
>
> Our solution to this would be to use a token with limited abilities
> mounted into the dashboard container, or if everything else fails, drop the
> UI for now.
> But in those cases we would need to modify the deployment object created
> by GKE.
>
> Will changes like these make our cluster go up in flames on the next GKE
> Master upgrade?
>

To ensure that your changes aren't overwritten, it'd be best to delete the
GKE-managed addons (e.g. disable logging on your cluster) and install them
yourself (e.g. create your own fluentd daemonset).

I don't think it is currently possible to disable the dashboard.



-- 
You received this message because you are subscribed to the Google Groups 
"Kubernetes user discussion and Q&A" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to kubernetes-users+unsubscr...@googlegroups.com.
To post to this group, send email to kubernetes-users@googlegroups.com.
Visit this group at https://groups.google.com/group/kubernetes-users.
For more options, visit https://groups.google.com/d/optout.
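A concrete form of the limited-ability token proposed in the quoted message, added here as an example and not code from the thread or from GKE: a dedicated ServiceAccount bound to a ClusterRole that allows only get/list/watch and omits Secrets entirely. All names and the exact resource list are assumptions.

```yaml
# Added example (not from the thread): a read-only identity for the dashboard
# that cannot read Secrets. All names below are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-readonly
  namespace: kube-system
---
# v1beta1 matches the k8s 1.6 mentioned in the thread; use
# rbac.authorization.k8s.io/v1 on 1.8 and later.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: dashboard-readonly
rules:
# Read-only verbs only, and "secrets" is deliberately absent, so a user who
# reaches the dashboard through "kubectl proxy" cannot read other tokens.
# Drop "configmaps" and "pods/log" as well if yours carry sensitive data.
- apiGroups: [""]
  resources: ["pods", "pods/log", "services", "endpoints", "namespaces",
              "nodes", "events", "configmaps", "persistentvolumeclaims",
              "persistentvolumes", "replicationcontrollers", "serviceaccounts"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps", "extensions"]
  resources: ["deployments", "replicasets", "daemonsets", "statefulsets",
              "ingresses"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: dashboard-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dashboard-readonly
subjects:
- kind: ServiceAccount
  name: dashboard-readonly
  namespace: kube-system
```

Point the dashboard at it with `kubectl -n kube-system patch deployment kubernetes-dashboard -p '{"spec":{"template":{"spec":{"serviceAccountName":"dashboard-readonly"}}}}'` (deployment name assumed), then confirm with `kubectl auth can-i get secrets --as=system:serviceaccount:kube-system:dashboard-readonly`, which should answer `no`.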