How to secure AWS EKS L-IPAMD introspection endpoint #408
Comments
Hi @reenrik, thanks for reporting this issue! If you want to discuss further please email me at mogren@amazon.com
@reenrik Release v1.4.1 has flags to disable the introspection endpoints.
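As an added example (not code from this thread or from the amazon-vpc-cni-k8s project), a small Python check for the mitigation mentioned above: it audits an `aws-node` DaemonSet, already loaded as a dict, for the introspection-disable setting and returns a hardened copy. The environment variable name `DISABLE_INTROSPECTION` and the container name `aws-node` are assumptions; confirm them against the README for your CNI version.

```python
"""Audit and harden the aws-node DaemonSet for the L-IPAMD introspection endpoint.

Added example; assumes the aws-node container honours DISABLE_INTROSPECTION
(available from v1.4.1 per the thread) and that the DaemonSet was loaded as a
dict, e.g. from `kubectl -n kube-system get ds aws-node -o json`.
"""
import copy
import json

CNI_CONTAINER = "aws-node"            # assumed container name
ENV_NAME = "DISABLE_INTROSPECTION"    # assumed env var; check your CNI version's README


def _cni_container(ds):
    for c in ds["spec"]["template"]["spec"]["containers"]:
        if c["name"] == CNI_CONTAINER:
            return c
    raise ValueError(f"no container named {CNI_CONTAINER!r} in DaemonSet")


def introspection_disabled(ds):
    """True only if the CNI container explicitly sets DISABLE_INTROSPECTION=true."""
    for e in _cni_container(ds).get("env", []):
        if e.get("name") == ENV_NAME:
            return str(e.get("value", "")).strip().lower() == "true"
    return False  # unset means the default (endpoint enabled) applies


def harden(ds):
    """Return a deep copy of the DaemonSet with introspection disabled."""
    out = copy.deepcopy(ds)
    env = _cni_container(out).setdefault("env", [])
    for e in env:
        if e.get("name") == ENV_NAME:   # overwrite an existing entry in place
            e["value"] = "true"
            e.pop("valueFrom", None)
            break
    else:                               # no entry yet: append one
        env.append({"name": ENV_NAME, "value": "true"})
    return out


# Constructed sample DaemonSet, reduced to the fields the checker uses.
SAMPLE_DS = {
    "kind": "DaemonSet",
    "metadata": {"name": "aws-node", "namespace": "kube-system"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "aws-node", "image": "amazon-k8s-cni:v1.4.1 (placeholder)",
         "env": [{"name": "AWS_VPC_K8S_CNI_LOGLEVEL", "value": "DEBUG"}]}]}}},
}

if __name__ == "__main__":
    print("introspection disabled:", introspection_disabled(SAMPLE_DS))
    print(json.dumps(harden(SAMPLE_DS)["spec"]["template"]["spec"]["containers"][0]["env"]))
```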
Claes,
Thanks for taking a look at this. Can you tell me what repercussions there
might be in turning off the introspection endpoint? What purpose did it
serve in regards to how it is used by EKS?
…On Fri, Apr 26, 2019 at 4:33 PM Claes Mogren ***@***.***> wrote:
Hi @reenrik <https://github.com/reenrik>, thanks for reporting this
issue! If you want to discuss further please email me at ***@***.***
@reenrik It is used by aws-cni-support.sh when debugging issues. The If you set
I'm in the process of standing up my first EKS cluster, and one of my co-workers expressed concern that he could curl
http://[internal NODE IP]:61678/v1/enis
and http://[internal NODE IP]:61678/v1/pods
and receive sensitive information about the cluster. The concern was that there is no SSL or token required to retrieve all the ENI pool information and the IPs of all the pods in the cluster.
When I embarked to understand what this API is used for and whether we could enable some form of security to lock it down, I was led to the introspection endpoint used by L-IPAMD from amazon-vpc-cni-k8s.
Querying this API can be done from both inside any pod and from any other machine on the VPC.
What can be done to secure it? Is there an option to enforce SSL or a token that I'm missing?
Currently running Kubernetes 1.12.6 and amazon-vpc-cni-k8s 1.3.3