
How to Securely Manage Kubernetes using kubectl

Kubernetes (K8s) empowers you to scale and manage containerized applications seamlessly. However, robust security measures are essential to safeguard access to your cluster.

kubectl is the standard tool for managing Kubernetes clusters, but how it reaches the API server matters as much as what it does there. There are two main security considerations for the Kubernetes API endpoint:

  • Never Expose Directly: The most critical step is to avoid exposing the Kubernetes API endpoint directly to the public internet. This removes a major attack surface: an API server that is not reachable from the internet cannot be scanned or probed for authentication weaknesses by anonymous attackers.

  • TLS Encryption: Ensure all communication with the API server is encrypted using TLS. This protects data in transit from eavesdropping or tampering.

n2x.io can help you achieve these goals by creating a virtual network topology for private access and end-to-end encryption between nodes.

Diagram

The diagram shows the following information:

  • Admin Laptop (Linux) where we will install n2x-node agent.
  • An n2x.io virtual network topology, used for secure communication, to which the Kubernetes service is connected through an n2x.io Kubernetes Gateway named xgw-subnet-10-254-0, and to which the admin-laptop device is connected as a node.

Before you begin

To complete this tutorial, you must meet the following requirements:

  • Access to a Kubernetes cluster, version v1.27.x or greater.
  • An n2x.io account and one subnet with the 10.254.0.0/24 prefix (shown as subnet-10-254-0 in this tutorial).
  • The n2xctl command-line tool installed, version v0.0.3 or greater.
  • The kubectl command-line tool installed, version v1.27.x or greater.

Note

This tutorial uses Ubuntu 22.04 (Jammy Jellyfish) on the amd64 architecture.

Connecting Kubernetes cluster API

To connect the kubernetes Service (the in-cluster Service that fronts the Kubernetes API) to the n2x.io subnet, run the following command:

n2xctl k8s svc connect

The command will typically prompt you to select the Tenant, Network, and Subnet from your available n2x.io topology options.

Before any Kubernetes Service can be connected through n2x.io, an n2x.io Kubernetes Gateway must be deployed in the cluster. The first time you connect a service on a given cluster, n2xctl checks whether such a gateway exists and, if it does not, offers to create it. Type Y at the Want to create one? prompt.

Then choose the service to connect by selecting it with the space key and pressing Enter. In this case, select default: kubernetes.

Connect K8s Service

Finding the IP address assigned to the Kubernetes Service:

  1. Access the n2x.io WebUI and log in.

  2. In the left menu, click on the Network Topology section and choose the subnet associated with your Kubernetes Service (e.g., subnet-10-254-0).

  3. Click on the IPAM section. Here, you'll see both IPv4 and IPv6 addresses assigned to the kubernetes.default.n2x.local endpoint. Identify the IP address you need for your specific use case.

    k8s-svc-ip-addr

    Info

    Remember the IP address assigned to kubernetes.default.n2x.local endpoint. You will need it to update your kubeconfig file later to connect to the Kubernetes API endpoint through the n2x.io network.

Connecting admin-laptop

Once the Kubernetes service is added to the n2x.io subnet, you can establish end-to-end connections from any other n2x-node connected to the same subnet.

Tip

To control which n2x-nodes can communicate with each other, you can configure security policies in your subnet.

Now, to enable communication with the Kubernetes cluster API, you can add a new connected n2x-node to the same subnet. You can install the n2x-node agent on your desired device (like our admin-laptop in this example) using the provided one-line command.

setup-node

You can check if the service is running with the command:

systemctl status n2x-node

Use the ip addr show dev n2x0 command on admin-laptop to display the IP address assigned to this node:

node-ip

Updating kubeconfig

On the admin-laptop, where kubectl runs, modify the kubeconfig so that the cluster entry points at the API endpoint address assigned in the previous step. Use the following command to update the config:

kubectl config set-cluster <cluster_name> --server=https://<k8s_svc_n2x_ip_addr>

Note

Replace <cluster_name> with the name of your cluster and <k8s_svc_n2x_ip_addr> with the IP address assigned to the kubernetes.default.n2x.local endpoint in the previous step.

Example:

kubectl config set-cluster private --server=https://10.254.0.161

Warning

To avoid TLS certificate errors when using kubectl, the <k8s_svc_n2x_ip_addr> must be present among the Subject Alternative Names (SANs) of the Kubernetes API server certificate. On a kubeadm cluster the default certificate covers the control-plane node address, the in-cluster Service IP and the kubernetes DNS names, but not an address assigned later by n2x.io, so kubectl will reject the connection with a certificate validation error until the SAN is added.

Bypassing this check with the --insecure-skip-tls-verify option is possible, but it is strongly discouraged: without server certificate validation, any host that can answer on that address can impersonate the API server and capture the credentials kubectl sends. Instead, regenerate the API server certificate to include the <k8s_svc_n2x_ip_addr> as a SAN.

On a kubeadm-managed control-plane node, run kubeadm init phase certs apiserver --apiserver-cert-extra-sans=<k8s_svc_n2x_ip_addr> (replace <k8s_svc_n2x_ip_addr> with your actual IP). This regenerates the certificate with the updated configuration. Two caveats: kubeadm keeps an existing certificate rather than overwriting it, so move the current apiserver.crt and apiserver.key out of /etc/kubernetes/pki first; and the running kube-apiserver only presents the new certificate after it has been restarted (for example by removing its static pod manifest from /etc/kubernetes/manifests and putting it back). If you want the extra SAN to survive future kubeadm upgrades, also record it under apiServer.certSANs in the cluster's kubeadm ClusterConfiguration.

At this point, as long as admin-laptop is connected to the n2x.io virtual network topology and is authorized (by the subnet's security policies) to reach the Kubernetes API endpoint resource, you can use kubectl to manage your Kubernetes cluster securely without setting up a separate Kubernetes proxy.
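The following shell script is an added example, not part of the n2x.io tutorial or of the n2xctl tooling. It automates the check the warning above asks for: it extracts the IP SANs from the API server certificate and refuses to rewrite the kubeconfig cluster entry unless the n2x.io address is among them, so there is never a reason to reach for --insecure-skip-tls-verify. The fetch_apiserver_cert function pulls the live certificate with openssl s_client; the demo instead builds a constructed self-signed certificate standing in for /etc/kubernetes/pki/apiserver.crt, using the tutorial's example address 10.254.0.161 and a made-up in-cluster Service IP 10.96.0.1 as SANs. The function and variable names are this example's own, and openssl 1.1.1 or newer is assumed for -addext.

```shell
#!/bin/sh
# Added example, not part of the n2x.io tutorial: gate the kubeconfig change
# on the API server certificate actually carrying the n2x.io IP as a SAN.
set -u

# Print the IP-address SANs of a PEM certificate, one per line.
san_ips_of_cert() {                  # cert.pem
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' |
        sed -n 's/.*IP Address:\([^ ]*\).*/\1/p'
}

# Exit 0 only if the IP $2 is one of the IP SANs of certificate $1.
cert_has_ip_san() {                  # cert.pem ip
    san_ips_of_cert "$1" | grep -qxF -- "$2"
}

# Save the leaf certificate presented by the API server at host:port.
# Needs network access to the n2x.io subnet; the offline demo does not call it.
fetch_apiserver_cert() {             # host port out.pem
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM > "$3"
}

# Repoint kubeconfig cluster $1 at https://$2 (the same kubectl command the
# tutorial uses), but only after the SAN check on certificate $3 passes.
# Otherwise return 2 and leave the kubeconfig untouched, steering the operator
# toward regenerating the certificate rather than skipping TLS verification.
switch_cluster_to_n2x() {            # cluster_name n2x_ip cert.pem
    if ! cert_has_ip_san "$3" "$2"; then
        echo "refusing: $2 is not an IP SAN of $3" >&2
        echo "regenerate with: kubeadm init phase certs apiserver --apiserver-cert-extra-sans=$2" >&2
        return 2
    fi
    kubectl config set-cluster "$1" --server="https://$2"
}

# Constructed stand-in for apiserver.crt (demo data only): a self-signed cert
# with the SANs kubeadm would emit after --apiserver-cert-extra-sans=$2.
# 10.96.0.1 is a made-up in-cluster Service IP.
make_constructed_cert() {            # dir n2x_ip
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kube-apiserver" \
        -addext "subjectAltName=DNS:kubernetes,DNS:kubernetes.default.svc,IP:10.96.0.1,IP:$2" \
        -keyout "$1/apiserver.key" -out "$1/apiserver.crt" 2>/dev/null
}

demo() {                             # n2x_ip
    dir=$(mktemp -d)
    make_constructed_cert "$dir" "$1"
    echo "IP SANs in constructed certificate:"
    san_ips_of_cert "$dir/apiserver.crt"
    if cert_has_ip_san "$dir/apiserver.crt" "$1"; then
        echo "OK: $1 is a SAN; kubectl config set-cluster is safe to run"
    fi
    # A wrong address is refused before kubectl is ever invoked.
    switch_cluster_to_n2x private 10.254.0.99 "$dir/apiserver.crt" || echo "refused with status $?"
    rm -rf "$dir"
}

demo "${N2X_IP:-10.254.0.161}"
```

Against a real cluster, fetch the certificate first (fetch_apiserver_cert 10.254.0.161 443 apiserver.pem, or copy /etc/kubernetes/pki/apiserver.crt from a control-plane node) and then call switch_cluster_to_n2x private 10.254.0.161 apiserver.pem; the kubeconfig is only modified when the SAN check passes.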

Additional Security Considerations

  • Regular Security Audits: Conduct periodic security audits of your cluster configuration and access controls to identify and address potential vulnerabilities.

  • Least Privilege: Grant users and service accounts only the minimum permissions required for their tasks.

  • API Server Logging and Monitoring: Enable audit logging for the API server to record API calls and user activity for security analysis. Monitor API server activity for suspicious behavior.

  • Regular API Server Credential Rotation: Regularly rotate API server credentials, including tokens and certificates, to minimize the risk of exposure.

Conclusion

By directly exposing the Kubernetes API endpoint, you introduce significant security risks. This guide outlined the importance of securing the API endpoint with practices like avoiding direct exposure and using TLS encryption.

n2x.io offers a secure solution for managing your Kubernetes cluster using kubectl. It establishes a virtual network topology, isolating communication within your trusted mesh. Additionally, n2x.io provides end-to-end encryption between nodes for enhanced data protection.

By adopting n2x.io, you can leverage the power of kubectl for managing your Kubernetes cluster while maintaining robust security for your environment.