Protect the Kubelet API

docs/08-bootstrapping-kubernetes-controllers.md

@@ -79,7 +79,7 @@ ExecStart=/usr/local/bin/kube-apiserver \\
   --etcd-servers=https://10.240.0.10:2379,https://10.240.0.11:2379,https://10.240.0.12:2379 \\
   --event-ttl=1h \\
   --experimental-encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml \\
-  --insecure-bind-address=0.0.0.0 \\
+  --insecure-bind-address=127.0.0.1 \\
   --kubelet-certificate-authority=/var/lib/kubernetes/ca.pem \\
   --kubelet-client-certificate=/var/lib/kubernetes/kubernetes.pem \\
   --kubelet-client-key=/var/lib/kubernetes/kubernetes-key.pem \\
@@ -118,7 +118,7 @@ ExecStart=/usr/local/bin/kube-controller-manager \\
   --cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\
   --cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \\
   --leader-elect=true \\
-  --master=http://${INTERNAL_IP}:8080 \\
+  --master=http://127.0.0.1:8080 \\
   --root-ca-file=/var/lib/kubernetes/ca.pem \\
   --service-account-private-key-file=/var/lib/kubernetes/ca-key.pem \\
   --service-cluster-ip-range=10.32.0.0/16 \\
@@ -144,7 +144,7 @@ Documentation=https://github.com/GoogleCloudPlatform/kubernetes
 [Service]
 ExecStart=/usr/local/bin/kube-scheduler \\
   --leader-elect=true \\
-  --master=http://${INTERNAL_IP}:8080 \\
+  --master=http://127.0.0.1:8080 \\
   --v=2
 Restart=on-failure
 RestartSec=5

docs/09-bootstrapping-kubernetes-workers.md

@@ -185,6 +185,8 @@ Requires=crio.service
 
 [Service]
 ExecStart=/usr/local/bin/kubelet \\
+  --anonymous-auth=false \\
+  --authorization-mode=Webhook \\
   --allow-privileged=true \\
   --cluster-dns=10.32.0.10 \\
   --cluster-domain=cluster.local \\
@@ -199,6 +201,7 @@ ExecStart=/usr/local/bin/kubelet \\
   --register-node=true \\
   --require-kubeconfig \\
   --runtime-request-timeout=10m \\
+  --client-ca-file=/var/lib/kubernetes/ca.pem \\
   --tls-cert-file=/var/lib/kubelet/${HOSTNAME}.pem \\
   --tls-private-key-file=/var/lib/kubelet/${HOSTNAME}-key.pem \\
   --v=2
@@ -258,15 +261,65 @@ sudo systemctl start crio kubelet kube-proxy
 
 > Remember to run the above commands on each worker node: `worker-0`, `worker-1`, and `worker-2`.
 
-## Verification
+## Implement RBAC for Kubelet Authorization
 
 Login to one of the controller nodes:
 
 ```
 gcloud compute ssh controller-0
 ```
 
-List the registered Kubernetes nodes:
+Define a ```clusterrole``` with the proper permissions for kubelet API access and a ```clusterrolebinding``` to allow the ```kubernetes``` user to use that ```clusterrole```.
+```
+cat > kubelet-rbac.yaml << EOF
+---
+apiVersion: v1
+kind: List
+metadata: {}
+items:
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: ClusterRole
+  metadata:
+    annotations:
+      rbac.authorization.kubernetes.io/autoupdate: "true"
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
+    name: system:kube-apiserver-to-kubelet
+  rules:
+  - apiGroups:
+    - ""
+    resources:
+    - nodes/proxy
+    - nodes/stats
+    - nodes/log
+    - nodes/spec
+    - nodes/metrics
+    verbs:
+    - "*"
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: ClusterRoleBinding
+  metadata:
+    name: system:kube-apiserver
+    namespace: ""
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: system:kube-apiserver-to-kubelet
+  subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: kubernetes
+EOF
+```
+
+Create the ```clusterrole``` and ```clusterrolebinding``` in the cluster.
+```
+kubectl create -f kubelet-rbac.yaml
+```
+
+## Verification 
+
+While still logged into one of the controller nodes, list the registered Kubernetes nodes:
 
 ```
 kubectl get nodes