Excluding certain routable IP addresses from kube api #9675
-
Hello, I have a setup in which I have multiple public IP addresses and some private IP addresses on my machine that are routable. I am wondering if it's at all possible to exclude all of those public IP addresses from being signed to the k8s certificates? I would rather not create an nftables rule to only allow my private IP addresses to the kube api.
-
Adding or not adding a specific address to the certificate doesn't have anything to do with access to your cluster. The certificate SANs are checked by the client, not the server. So an attacker can simply ignore the SAN check.
See Ingress Firewall.
Certificate SANs have nothing to do with restricting access.