Stop Leaking Kubernetes Service Information via DNS! - John Belamaric, Google & Yong Tang, Ivanti

Abstract

Most Kubernetes distributions implement role-based access control (RBAC) to keep nosy users from poking around in other people’s applications. Well, maybe for more serious reasons than that, since a fundamental principle of security is keeping information “need to know”. What cluster administrators may not realize is that even when visibility is tightly restricted by RBAC in the Kubernetes API, it is completely unrestricted in DNS! By default, the Kubernetes DNS specification exposes all services to all clients via DNS. In this talk, you will learn how to use CoreDNS to fix that…and why you may not want to!
