How large is your cluster currently?

> One thing that I did not realise initially is that it is absolutely vital to
> be diligent about securing the etcd peer and client communication. In a
> single-node setup you can get away with binding to localhost, but if you put
> etcd on the network and do not require authentication, anyone who can reach it
> can subvert any and all Kubernetes authorization. You probably also don't
> want to use the same CA as for Kubernetes here. Only the kube-apiserver needs
> etcd client access. For the same reason, you should not ever use this etcd
> cluster for anything else. Run a new cluster inside of Kubernetes instead.
+1! We're using an internal PKI setup for all our intra-cluster communication.
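The quoted advice (TLS with client-certificate auth on both the client and peer listeners, a CA separate from the Kubernetes one, only the kube-apiserver holding etcd client credentials) can be checked mechanically against the flags etcd and kube-apiserver are launched with. The script below is an added example written for this thread, not code from either poster or from the etcd project. The flag names (`--listen-client-urls`, `--client-cert-auth`, `--trusted-ca-file`, `--peer-client-cert-auth`, `--auto-tls`, `--peer-auto-tls`, kube-apiserver's `--client-ca-file`) are real; the argv lists, file paths and IP address are constructed sample input, and `audit_etcd`, `parse_flags` and `exposed_urls` are names I chose. The shared-CA test is a heuristic: it only flags the case where etcd's trusted client CA is literally the same file as the API server's client CA.

```python
"""Audit etcd launch flags for the weak settings discussed in the thread.

Added example, not from the thread or the etcd project. The argv lists are
constructed to look like what a static pod manifest would carry; the paths
and addresses in them are placeholders, not a real cluster's.
"""
from urllib.parse import urlsplit

# Hosts that a single-node setup can safely bind to without client auth.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_flags(argv):
    """Turn ['--a=b', '--c'] into {'a': 'b', 'c': 'true'} (etcd's --flag=value style)."""
    flags = {}
    for arg in argv:
        if not arg.startswith("--"):
            continue
        key, sep, value = arg[2:].partition("=")
        flags[key] = value if sep else "true"
    return flags


def is_true(flags, key):
    return flags.get(key, "false").lower() == "true"


def exposed_urls(value):
    """Return the comma-separated listen URLs that bind to a non-loopback host."""
    return [
        url
        for url in filter(None, value.split(","))
        if (urlsplit(url).hostname or "") not in LOOPBACK
    ]


def audit_etcd(etcd_argv, apiserver_argv=()):
    """Return a list of human-readable findings; an empty list means no issue found."""
    flags = parse_flags(etcd_argv)
    api = parse_flags(apiserver_argv)
    findings = []

    for side, url_flag, auth_flag, auto_flag in (
        ("client", "listen-client-urls", "client-cert-auth", "auto-tls"),
        ("peer", "listen-peer-urls", "peer-client-cert-auth", "peer-auto-tls"),
    ):
        exposed = exposed_urls(flags.get(url_flag, ""))
        plaintext = [u for u in exposed if urlsplit(u).scheme != "https"]
        if plaintext:
            findings.append(f"{side}: plaintext listener on the network: {', '.join(plaintext)}")
        if exposed and not is_true(flags, auth_flag):
            findings.append(
                f"{side}: network listener without --{auth_flag}=true; "
                "anyone who can reach it can read and write every key"
            )
        if is_true(flags, auto_flag):
            findings.append(
                f"{side}: --{auto_flag} generates self-signed certs, so the other "
                "side cannot verify who it is talking to"
            )

    # Heuristic: if etcd verifies client certs against the same CA file that the
    # kube-apiserver uses for *its* clients, every Kubernetes client certificate
    # (kubelets, users) would also authenticate directly to etcd.
    etcd_ca = flags.get("trusted-ca-file")
    if etcd_ca and etcd_ca == api.get("client-ca-file"):
        findings.append(
            "etcd trusts the kube-apiserver client CA; any Kubernetes client "
            "certificate can talk to etcd directly"
        )
    return findings


# Constructed input: the single-node habit of no auth, carried onto the network.
WEAK = [
    "--name=node1",
    "--listen-client-urls=http://0.0.0.0:2379",
    "--listen-peer-urls=http://0.0.0.0:2380",
]

# Constructed input matching the thread's advice: TLS + client certs on both
# listeners, verified against an etcd-only CA.
HARDENED = [
    "--name=node1",
    "--listen-client-urls=https://10.0.0.5:2379,https://127.0.0.1:2379",
    "--listen-peer-urls=https://10.0.0.5:2380",
    "--cert-file=/etc/etcd/pki/server.crt",
    "--key-file=/etc/etcd/pki/server.key",
    "--client-cert-auth=true",
    "--trusted-ca-file=/etc/etcd/pki/etcd-ca.crt",
    "--peer-cert-file=/etc/etcd/pki/peer.crt",
    "--peer-key-file=/etc/etcd/pki/peer.key",
    "--peer-client-cert-auth=true",
    "--peer-trusted-ca-file=/etc/etcd/pki/etcd-ca.crt",
]

# Constructed kube-apiserver flags; only the two CA-related ones matter here.
APISERVER = [
    "--client-ca-file=/etc/kubernetes/pki/ca.crt",
    "--etcd-cafile=/etc/etcd/pki/etcd-ca.crt",
]

if __name__ == "__main__":
    for label, argv in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for line in audit_etcd(argv, APISERVER) or ["no findings"]:
            print("  -", line)
```

Feed it the `command:` array from `/etc/kubernetes/manifests/etcd.yaml` (and `kube-apiserver.yaml`) on a control-plane node; the weak sample yields four findings, the hardened one none, and swapping `--trusted-ca-file` for the Kubernetes CA path produces the shared-CA finding.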