Questions tagged [kubernetes-security]

Questions related to Kubernetes security: from deploying a cluster securely to running secure workloads on it.

116 questions
61 votes, 12 answers
Where can I get a list of Kubernetes API resources and subresources?
I am trying to configure Kubernetes RBAC in the least-permissive way possible and I want to scope my roles to specific resources and subresources. I've dug through the docs and can't find a concise list of resources and their subresources. I'm…
Chris Snell (913 rep)

61 votes, 4 answers
Kubernetes Secrets - What is the purpose of type "Opaque" in secret definitions
In most examples about using secrets in Kubernetes, you can find similar examples: apiVersion: v1 kind: Secret metadata: name: mysecret type: Opaque data: username: User password: ********** What is the purpose of type: Opaque in the…
Denis Biondic (7,943 rep)

33 votes, 2 answers
kubernetes PodSecurityPolicy set to runAsNonRoot, container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root
Kubernetes PodSecurityPolicy is set to runAsNonRoot; pods are not getting started after that. Getting error: Error: container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root. We are creating the user (appuser) uid…
user1819071 (605 rep)

24 votes, 3 answers
What is the point of Kubernetes secrets if I can decode them?
I can easily get the secrets stored in Kubernetes. $ kubectl get secret my-app-secrets -o yaml Select the secret value from the output that I want to decode. Example: ZXhwb3NlZC1wYXNzd29yZAo= $ echo ZXhwb3NlZC1wYXNzd29yZAo= | base64 --decode >…
alex (1,905 rep)

24 votes, 6 answers
Kubernetes Secrets Volumes vs Environment Variables
Is there a recommended way to use Kubernetes Secrets? They can be exposed as environment variables or using a volume mount. Is one more secure than the other?

21 votes, 4 answers
Securing Kubernetes Service with TLS
I have an application that is internal and exposed only to other applications on the cluster by a service with a cluster IP. Other services are accessing this application via its DNS (serviceName-namespace.svc.cluster.local). This application handles…

20 votes, 1 answer
Is there a way to put a Kubernetes secret value in the args field of a yaml file
I have a Kubernetes yaml deployment file which accepts the db username and password as arguments as shown below. args: - "-db_host=postgres" - "-db_port=5432" - "-db_username=postgres" - "-db_password=postgres" To hide…
Tinkaal Gogoi (4,344 rep)

19 votes, 2 answers
Is kubectl port-forward encrypted?
I couldn't find any information on whether a connection created between a cluster's pod and localhost is encrypted when running the "kubectl port-forward" command. It seems like it uses the "socat" library, which supports encryption, but I'm not sure if…
Val (381 rep)

11 votes, 1 answer
Setup securityContext inside kubernetes deployment
I'm using an nfs mounted volume in my deployments. I need to give it the fsGroup like below: securityContext: runAsUser: 1000 runAsGroup: 3000 fsGroup: 2000 Is there a way to do this in the deployment manifest? As I can see in the…

9 votes, 1 answer
Kubernetes support for docker user namespace remapping
Docker supports user namespace remapping, so that the user namespace is completely separated from the host. The current default behavior ensures that containers get their own user and group management, i.e. their own version of /etc/passwd and…
Ijaz Ahmad (11,198 rep)

9 votes, 1 answer
kubernetes: CA file when deploying via kops
I have created a cluster on AWS using kops. However, I am unable to find the file used as/by the certificate authority for spawning off client certs. Does kops create such a thing by default? If so, what is the recommended process for creating client…
pkaramol (16,451 rep)

8 votes, 1 answer
Why are there so many certificates in a Kubernetes cluster?
One Kubernetes cluster contains several components, for example kubelet, etcd, api-server, etc. We need to set up many certificates and keys when setting up a cluster; then they can carry these certificates to communicate with each other. >…
Ryan Lyu (4,180 rep)

8 votes, 1 answer
If I update a secret, does it automatically get updated in all resources in which it is volume mounted?
I have a secret, and I mounted it as a volume inside a deployment. If I update the secret's value later, will the new updated value automatically be reflected inside the deployment pods in which I volume mounted the secret? Note: I am…
Jplus2 (2,216 rep)

8 votes, 5 answers
chown: changing ownership of '/data/db': Operation not permitted
Can we use the nfs volume plugin to maintain High Availability and Disaster Recovery among the Kubernetes cluster? I am running a pod with MongoDB. Getting the error chown: changing ownership of '/data/db': Operation not permitted. Could any…
BSG (673 rep)

8 votes, 2 answers
Whitelist an IP to access deployment with Kubernetes ingress Istio
I'm trying to whitelist an IP to access a deployment inside my Kubernetes cluster. I looked for some documentation online about this, but I only found ingress.kubernetes.io/whitelist-source-range for ingress to grant access to certain IP…
Lan (709 rep)