SSH Access to Kuberenetes clusters for K8S Scans via UI.
#6,394 opened on 2025年1月8日
Repository metrics
- Stars
- (8,957 stars)
- PR merge metrics
- (平均マージ 9d 17h) (30d で 314 merged PRs)
説明
New feature motivation
It is best practice to not expose Kubernetes API endpoints directly to the internet.
Solution Proposed
A common access method for remote teams is to access via a SSH bastion using Public/Private keys. The following example is from a recent CNCF hackathon run by ControlPlane, where teams were given access to the Kubernetes infra with the following SSH config:
Host bastion xx.xx.20.99
Hostname xx.xx.20.99
User player
RequestTTY force
ForwardAgent yes
IdentityFile simulator_rsa
UserKnownHostsFile simulator_known_hosts
In this example, all KubeCtl commands were run from the bastion terminal, but we could easily instead configure a port forward through the SSH tunnel allowing the prowler scanner to access the tunelled cluster through a modified kubeconfig.
Host bastion xx.xx.20.99
Hostname xx.xx.20.99
User bastion
LocalForward 30001 customers.kubernetes.cluster:6443
IdentityFile simulator_rsa
UserKnownHostsFile simulator_known_hosts
With a Kubeconfig on the prowler side as follows:
apiVersion: v1
kind: Config
clusters:
- cluster:
certificate-authority-data: <redacted>
#OLD server: https://customers.kubernetes.cluster:6443
server: https://127.0.0.1:30001
Describe alternatives you've considered
- We could also offer an API endpoint with our infrastructure IP ranges, allowing users to programatically lock down their Kubernetes API endpoints to just those IP's used by the prowler SaaS infrastructure, similar to AWS's IP range JSON here: https://ip-ranges.amazonaws.com/ip-ranges.json
- We could also offer popular software-defined-vpn endpoints to allow prowler SaaS to take part as an endpoint in the customers VPN, for example, a tailscale connector which would then allow the customer to give 'Prowlers' endpoint on their VPN access to their Kubernetes API.
Additional context
No response