Security

    If you want to use a fixed key for the cluster, you have to specify on the kops create cluster command or use kops create sshpublickey. You can also set the following in the cluster spec:

    An EC2 key pair with the name<ssh key pair> has to already exist.

    To change the SSH public key on an existing cluster:

    • kops delete sshpublickey --name <clustername> sshpublickey
    • to reconfigure the launch templates.
    • kops rolling-update cluster --name <clustername> --yes to roll all the machines so they have the new key.

    If you are using a private registry such as quay.io, you may be familiar with the inconvenience of managing the imagePullSecrets for each namespace. It can also be a pain to use kOps Hooks with private images. To configure docker on all nodes with access to one or more private registries:

    • to immediately roll all the machines so they have the new key (optional)

    Note that this will also work when using containerd.

    All Pods running on your cluster have access to underlying instance IAM role. Currently, permission scope is quite broad. See for details and ways to mitigate that.