Security

    SSH Access

    To change the CIDR allowed to access SSH (and HTTPS), set AdminAccess on the cluster spec.

    When using the default images, the SSH username will be , and the SSH private key will be the private key corresponding to the public key in kops get secrets --type sshpublickey admin. When creating a new cluster, the SSH public key can be specified with the --ssh-public-key option, and it defaults to ~/.ssh/id_rsa.pub.

    To change the SSH public key on an existing cluster:

    • kops create secret --name <clustername> sshpublickey admin -i ~/.ssh/newkey.pub
    • kops update cluster --yes to reconfigure the auto-scaling groups
    • kops rolling-update cluster --name <clustername> --yes to immediately roll all the machines so they have the new key (optional)
    • to immediately roll all the machines so they have the new key (optional)

    This stores the in /root/.docker/config.json on all nodes (include masters) so that both Kubernetes and system containers may use registries defined in it.

    Instance IAM roles

    All Pods running on your cluster have access to underlying instance IAM role. Currently, permission scope is quite broad. See for details and ways to mitigate that.

    (this section is a work in progress)

    Kubernetes has a number of authentication mechanisms:

    Kubelet API

    Clusters created with kops create cluster using Kubernetes 1.11 or later will have this setting in the generated cluster spec and thus have AnonymousAuth disabled.

    Note on an existing cluster with ‘anonymousAuth’ unset you would need to first roll out the masters and then update the node instance groups.

    Static bearer tokens are disabled by default as of Kubernetes 1.18. In order to enable them:

    1. # In the cluster spec
    2. spec:
    3.   kubeAPIServer:

    The API bearer token is a secret named ‘admin’.