
I have a cluster hosted on GKE with several deployments on it,
and I can connect to the pods with kubectl exec:

kubectl exec -it mypod-1234566-7890976 -- bash

I want to remove the option to connect with kubectl exec to a certain container.

Is there a way to block the option to connect to the container by blocking SSH in the Dockerfile of the container, or any other way?

dina
  • This seems to be a duplicate of https://stackoverflow.com/questions/49451780/denyescalatingexec-when-under-gke but essentially can be fixed with PodSecurityPolicies https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies – Spazzy757 Sep 09 '19 at 12:42
  • I don't think `kubectl exec` does ssh into the container. – suren Sep 09 '19 at 15:29

2 Answers

6

To limit the ability to kubectl exec to pods what you want to do is create a custom Role & RoleBinding that removes the create verb for the pods/exec resource. An easy approach to this might be to copy the default RBAC policies, and then make the appropriate edit and rename.

Because of how RBAC works, the finest granularity you could apply to this is per-namespace, but it's not possible to filter this to a particular pod/deployment/etc.

As for other inbound external connections to a pod, this shouldn't be possible by default, unless you have created an Ingress and/or Service to specifically do this. This is because, by and large, most providers will be using private IP address ranges for the node IPs and also the Pod networking, hence they aren't reachable from outside without some NATing or proxying.

Hope this helps.

cewood
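The Role and RoleBinding the answer describes, written out as a constructed example (not taken from the answer or from GKE's default policies); the namespace `dev` and the user `developer@example.com` are placeholders:

```yaml
# Constructed example: read-only pod access in one namespace.
# The "pods/exec" subresource is deliberately NOT listed, so
# `kubectl exec` (a "create" on pods/exec) is refused for the
# subjects bound to this Role. RBAC is deny-by-default, so
# anything not granted here is denied.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader-no-exec
  namespace: dev            # placeholder namespace
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-no-exec
  namespace: dev
subjects:
- kind: User
  name: developer@example.com   # placeholder subject
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader-no-exec
  apiGroup: rbac.authorization.k8s.io
```

Check the result with `kubectl auth can-i create pods/exec -n dev --as developer@example.com`, which should print `no`. Because RBAC is purely additive (there are no deny rules), this only holds if the subject has no other binding that grants exec, such as a ClusterRoleBinding to `cluster-admin` or, on GKE, an IAM role that maps to broad Kubernetes API access.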
0

You can block access to certain objects/resources using a proper RBAC configuration.

This might be helpful.

FL3SH