Open Kimi450 opened 1 year ago
Green line would be just exposing the port that minikube exposes to localhost with docker for port 8443, for example 32769 in the docker ps output below:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
20c9d3659df4 gcr.io/k8s-minikube/kicbase:v0.0.37 "/usr/local/bin/entr…" About an hour ago Up 13 minutes 127.0.0.1:32772->22/tcp, 127.0.0.1:32771->2376/tcp, 127.0.0.1:32770->5000/tcp, 127.0.0.1:32769->8443/tcp, 127.0.0.1:32768->32443/tcp minikube
Currently the kube API server on minikube is exposed via kubectl proxy; this creates a tunnel between the host and the API server directly. It does not go through the authentication that would normally be present when doing this, say, locally using the kubeconfig minikube provides, which would first authenticate you with certs and then allow you to talk to the API server.
Red line is what is done. Green line is what should be done.
So at the moment, if anyone has their API server port exposed externally, anyone can access it (because it's not behind auth).
Need to change the README to highlight that this port (3001) should not be exposed to the internet OR figure out how the green line above can be implemented.
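
An added example, not part of the original issue or the project's code: a shell check that reads Docker port mappings in the format of the `docker ps` output above and lists every mapping published on a non-loopback address, which is the exposure the issue warns about for port 3001. The container name `proxy-demo` and its mappings are constructed, and the check assumes the proxy port is published through Docker.

```shell
#!/bin/sh
# Added example: list container ports published on non-loopback host addresses.
# Input (stdin): one "<name><TAB><ports>" line per container, as printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# Output: "<name> <host_addr> <host_port> <container_port/proto>" per finding.
non_loopback_bindings() {
    awk -F '\t' '
    {
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            m = maps[i]
            arrow = index(m, "->")
            if (arrow == 0) continue            # port is not published to the host
            host = substr(m, 1, arrow - 1)      # e.g. 127.0.0.1:32769 or :::3001
            target = substr(m, arrow + 2)       # e.g. 8443/tcp
            p = host
            sub(/^.*:/, "", p)                  # host port follows the last colon
            addr = substr(host, 1, length(host) - length(p) - 1)
            gsub(/^\[|\]$/, "", addr)           # [::] becomes ::
            if (addr ~ /^127\./ || addr == "::1") continue   # loopback only
            print $1, addr, p, target
        }
    }'
}

# Constructed sample input. The first line reuses two minikube mappings quoted
# in the issue; the second line (proxy-demo) is hypothetical.
sample_ports() {
    printf 'minikube\t127.0.0.1:32769->8443/tcp, 127.0.0.1:32768->32443/tcp\n'
    printf 'proxy-demo\t0.0.0.0:3001->3001/tcp, :::3001->3001/tcp, 9090/tcp\n'
}

# Offline run over the sample; on a real host, pipe the docker ps command
# shown in the header comment into non_loopback_bindings instead.
sample_ports | non_loopback_bindings
```

Any line printed for port 3001 means the unauthenticated proxy is reachable from other hosts, subject to firewall rules the script does not inspect.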