TLS Listener for Kine #423
log1cb0mb
started this conversation in
Feature Requests
-
I'm a bit concerned here, mostly because of the scope of this requirement. Kine is binding on the loopback network of the Tenant Control Plane container, which is not exposed externally. I understand the requirement of having encrypted traffic to avoid packet inspection, but the scope of loopback binding makes it inaccessible even if I start a packet dump on the host: I try to be pragmatic here.
-
Continuation of or related to the proposal here: #422

Currently, the Kine listener, even though only tied to localhost, should enable a TLS listener from a "security perspective".

The current implementation of datastore could actually be renamed, and tlsConfig could be moved from clientCertificate to serverCertificate, with flags changing to:

With this, the --etcd-cafile argument could be set accordingly under the kube-apiserver spec.

Even though not an essential requirement, as kine is being accessed via a unix socket where filesystem permissions can be used to restrict access, it would however be useful if the configurations can be controlled by the user.