I'm hosting my frontend & backend servers with GKE (Gcloud Kubernetes Engine) with private nodes in a default VPC network like this
gcloud beta container clusters create-auto my-production-cluster \
--enable-private-nodes \
--network "projects/$PROJECT_ID/global/networks/default" \
--subnetwork "projects/$PROJECT_ID/regions/$_GKE_LOCATION/subnetworks/default" \
--cluster-ipv4-cidr "/17" \
--services-ipv4-cidr "/22"
I ssh pods using kubectl
like this:
gcloud container clusters get-credentials my-production-cluster
kubectl exec --stdin --tty my-pod-abcd-xyz -- bash
So my question is:
- Is that safe? Can hackers access our cluster & pods somehow?
- If it's not safe, what should I do to improve it?
- Does a bastion host provide any benefit in my case? AFAIK, it doesn't because the cluster exposes only ports that I specify (ingress & load balancer). I only specify port 80 for Cloudflare HTTPS mapping
CodePudding user response:
No, GKE (and most Kubernetes setups) use a private network for the cluster communication. You have to "poke holes" into cluster-space using things like LoadBalancer services. You can also use things like GCP IAP for internal service access.
CodePudding user response:
It's a best practice to deploy a private cluster. That means the control plane and the workers are private and you haven't public IP, so, no public access and hackers from the internet can't access them.
If you want to access to that internal resource, you must be in the internal network. A common way is to have a bastion with a leg in public access, and another one in the internal network.
Another solution, if you want to interact with the control plane, is to allow authorized network to whitelist some IPs allowed to access the control plane. I don't like that solution but it exists!
In term of security, yes it's safer to keep your internal resource, internal, but even in case of public exposure you must have authorized credential to access your control plane. It's an additional layer of security!
Then, for your services, you can expose them externally through Load Balancer and Ingress config in K8S. No bastion requirement for the services.