From 1f34da55b305ec9d10a45a3d397fda11f84ac0dc Mon Sep 17 00:00:00 2001 From: Jerome Petazzoni Date: Sat, 27 Feb 2021 19:13:50 +0100 Subject: [PATCH] =?UTF-8?q?=F0=9F=94=91=20Add=20details=20about=20etcd=20s?= =?UTF-8?q?ecurity?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- slides/k8s/control-plane-auth.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/slides/k8s/control-plane-auth.md b/slides/k8s/control-plane-auth.md index aee2f651..ec95e612 100644 --- a/slides/k8s/control-plane-auth.md +++ b/slides/k8s/control-plane-auth.md @@ -92,6 +92,29 @@ --- +## etcd authorization + +- etcd supports RBAC, but Kubernetes doesn't use it by default + + (note: etcd RBAC is completely different from Kubernetes RBAC!) + +- By default, etcd access is "all or nothing" + + (if you have a valid certificate, you get in) + +- Be very careful if you use the same root CA for etcd and other things + + (if etcd trusts the root CA, then anyone with a valid cert gets full etcd access) + +- For more details, check the following resources: + + - [etcd documentation on authentication](https://etcd.io/docs/current/op-guide/authentication/) + + - [PKI The Wrong Way](https://www.youtube.com/watch?v=gcOLDEzsVHI) at KubeCon NA 2020 + +--- + + ## API server clients - The API server has a sophisticated authentication and authorization system