++security
Signed-off-by: Nico Schottelius <nico@nico-notebook.schottelius.org>
parent
617db5a79e
commit
56c5be3045
1 changed file with 39 additions and 0 deletions
@ -178,6 +178,45 @@ approaches:

![](/u/image/k8s-v6-v4-dns.png)

## Does this make sense?

That clearly depends on your use-case. If you want your service DNS
records to be publicly accessible, then the clear answer is yes.

If your cluster services are intended to be internal only
(see [previous blog post](/u/blog/kubernetes-without-ingress/), then
exposing the DNS service to the world might not be the best option.

## Note on security

CoreDNS inside kubernetes is by default configured to allow resolving
for *any* client that can reach it. Thus if you make your kube-dns
service world reachable, you also turn it into an open resolver.

At the time of writing this blog article, the following coredns
configuration **does NOT** correctly block requests:

```
Corefile: |
.:53 {
acl k8s.place7.ungleich.ch {
allow net ::/0
}
acl . {
allow net 2a0a:e5c0:13::/48
block
}
forward . /etc/resolv.conf {
max_concurrent 1000
}
...
```

Until this is solved, we recommend to place a firewall before your
public kube-dns service to only allow requests from the forwarding DNS
servers.


## More of this

We are discussing
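Review bot: the statement `configuration **does NOT** correctly block requests:` in the "Note on security" section is left unsupported: the added text names neither the CoreDNS version on which this was observed nor what was actually observed (for example, which query from an address outside `allow net 2a0a:e5c0:13::/48` was still answered), so a reader cannot tell whether the defect lies in the `acl` plugin, in having two `acl` blocks in one server block, or simply in the `forward . /etc/resolv.conf` stanza, which is what makes a world-reachable kube-dns an open recursive resolver in the first place. Suggest adding the version and a one-line reproduction, and spelling out that `forward` is the reason for the "open resolver" warning, so that `Until this is solved` has a concrete referent; the firewall advice then reads as a mitigation for a named problem rather than a vague one. Two smaller points: the parenthesis opened in `(see [previous blog post](/u/blog/kubernetes-without-ingress/), then` is never closed, and `we recommend to place a firewall` reads better as `we recommend placing a firewall`. The fenced block is a ConfigMap fragment (`Corefile: |`) and would benefit from a `yaml` fence tag.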