Open gberche-orange opened 5 months ago
The upstream kubernetes and etcd docs do not generally apply to kine; kine implements just enough of the etcd API to be usable by Kubernetes and additional bits of functionality like RBAC are optional and therefore not implemented. Kine does not have any authn/authz whatsoever. Anyone that can connect to the etcd endpoint is allowed to access it.
Configuring TLS on the listener (via the --server-cert-file/--server-key-file options) does not add any client certificate validation, it just enables use of a server certificate on the listening port.
We can take a look at enabling client certificate auth, but given that our most common deployment scenarios see kine being accessed via a unix socket where filesystem permissions can be used to restrict access, it may not be a high priority.
Thanks Brad for your prompt answer. I'm also investigating ways to provide client cert auth outside of the kine process, as a MITM component such as haproxy and kine ensuring connections can only come from haproxy
In our case of running kine within a k8s cluster, this might result into the haproxy ingress configured with mTLS https://haproxy-ingress.github.io/docs/configuration/keys/#auth-tls
Thanks for sharing the kine component with the community. I'm looking for ways to secure a standalone kine cluster
https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#limiting-access-of-etcd-clusters mentions
However, from available cli options, I can't find the equivalent of
--client-cert-auth=true
in kine when accepting tcp connectionshttps://github.com/k3s-io/kine/blob/e0ae6642766a955cd4603bf749e010c7c689e0c9/main.go#L28-L99
Does kine authN and authZ instead only support unix socket (i.e.when no
--listen-address
flag is passed, and insteadunix://kine.sock
is read) by 3rd party component ?