30x / project-management

Tasks not specific to a given project, exploratory stuff and project management

Prohibit access to the AWS Metadata endpoints #186

Open whitlockjc opened 7 years ago

whitlockjc commented 7 years ago

We need to make sure that Pods running within Kubernetes cannot access the AWS Metadata endpoints. (We might want to allow this on a per-namespace basis but by default, no one should be able to access the AWS Metadata endpoints from within a Kubernetes Pod.)

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html

mpnally commented 7 years ago

Should we also forbid them from accessing the Kubernetes API?

whitlockjc commented 7 years ago

Until we get authz set up, we probably should. But like the change above, we should have it on by default with a secure way to open it up.
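The "on by default, with a secure way to open it up" approach from the thread, expressed as Kubernetes NetworkPolicy objects. This is an added example, not a manifest from the 30x project: the namespace name and the opt-in label are constructed, and the policy only takes effect on clusters whose CNI plugin enforces NetworkPolicy (the API server accepts the object either way).

```yaml
# Added example, not part of the issue. Two policies for one namespace:
#   1. default-deny-aws-metadata: every Pod in the namespace loses egress to
#      the EC2 instance metadata address 169.254.169.254, nothing else changes.
#   2. allow-aws-metadata-optin: Pods carrying an explicit label regain it.
# NetworkPolicies are additive, so a labelled Pod gets the union of both.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-aws-metadata
  namespace: team-a                  # constructed namespace name
spec:
  podSelector: {}                    # empty selector = all Pods in the namespace
  policyTypes:
    - Egress
  egress:
    # An egress policy is an allow-list: anything not matched below is dropped.
    # Allowing 0.0.0.0/0 minus the IMDS /32 keeps DNS, cluster and internet
    # traffic working while closing the metadata endpoint.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 169.254.169.254/32
              # To also close the Kubernetes API (the follow-up question in the
              # thread), add the API server addresses here; whether a CNI matches
              # the Service ClusterIP or the post-NAT endpoint IPs varies by
              # plugin, so verify with a test Pod after applying.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-aws-metadata-optin
  namespace: team-a
spec:
  podSelector:
    matchLabels:
      imds-access: "allowed"         # constructed opt-in label
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 169.254.169.254/32
```

Pods that run with `hostNetwork: true` share the node's network namespace and are not covered by NetworkPolicy, so they need a separate control (for example an admission policy that rejects hostNetwork in tenant namespaces).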