
Either don't expose the dashboard, or explicitly give it a service account with zero access. I think it should be well-known by now that anything you run in-cluster gets a built-in service account token, defaulting to the default service account for that namespace.





You'd be surprised how many things are overlooked with the premise of shipping faster.

Don't worry about security, we need to ship.


I ran my k8s dashboard behind a ClusterIP service; you could get to it through the kube-proxy, but you already had to be auth'd to the cluster first. This was fine for a cluster small enough that any user already had admin, though we did worry a little bit that someone would compromise a pod, scan for a bit, and escalate through the dashboard.
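The first comment's point (every pod gets a service-account token unless you opt out, and the dashboard should run with a zero-access account) and the last comment's worry (a compromised pod escalating through the dashboard) both come down to auditing which pods have a token mounted and what that token is bound to. The script below is an added illustration, not code from the thread or from the Kubernetes project. It encodes the documented precedence rule (`pod.spec.automountServiceAccountToken` overrides the ServiceAccount's field; the default is to mount) over a set of constructed, trimmed Pod, ServiceAccount and binding objects; the object names and the sample binding are invented for the example.

```python
"""Audit constructed Kubernetes objects for automatically mounted service-account tokens.

Hypothetical helper for illustration. The rule it applies is the documented one:
a pod gets its service account's token mounted under
/var/run/secrets/kubernetes.io/serviceaccount unless automountServiceAccountToken is
false; the pod.spec field, when present, overrides the ServiceAccount field; when
neither is set the token is mounted. A pod that names no serviceAccountName uses the
namespace's "default" account.
"""

# Constructed sample ServiceAccounts, keyed by (namespace, name); trimmed to the
# one field the check needs.
SERVICE_ACCOUNTS = {
    ("kube-system", "default"): {},  # nothing set -> token is mounted
    ("kube-system", "dashboard-noaccess"): {"automountServiceAccountToken": False},
    ("kube-system", "dashboard-admin"): {},
}

# Constructed sample binding: a ClusterRoleBinding handing cluster-admin to one SA.
ROLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "roleRef": "cluster-admin",
     "subjects": [{"kind": "ServiceAccount", "namespace": "kube-system",
                   "name": "dashboard-admin"}]},
]

# Constructed sample pods covering the four combinations that matter.
PODS = [
    {"metadata": {"namespace": "kube-system", "name": "dashboard-default"},
     "spec": {}},  # no SA named, nothing set: default SA token is mounted
    {"metadata": {"namespace": "kube-system", "name": "dashboard-noaccess"},
     "spec": {"serviceAccountName": "dashboard-noaccess"}},  # SA opts out
    {"metadata": {"namespace": "kube-system", "name": "dashboard-admin"},
     "spec": {"serviceAccountName": "dashboard-admin"}},  # mounted and privileged
    {"metadata": {"namespace": "kube-system", "name": "dashboard-pod-override"},
     "spec": {"serviceAccountName": "dashboard-admin",
              "automountServiceAccountToken": False}},  # pod field wins
]


def token_is_mounted(pod, service_accounts):
    """Apply the precedence rule: pod.spec field, then SA field, then default True."""
    ns = pod["metadata"]["namespace"]
    spec = pod.get("spec", {})
    sa_name = spec.get("serviceAccountName", "default")
    pod_setting = spec.get("automountServiceAccountToken")
    if pod_setting is not None:
        return bool(pod_setting)
    sa = service_accounts.get((ns, sa_name), {})
    return bool(sa.get("automountServiceAccountToken", True))


def bindings_for(ns, sa_name, role_bindings):
    """Return the roleRefs of every binding whose subjects include this SA."""
    return [b["roleRef"] for b in role_bindings
            if any(s.get("kind") == "ServiceAccount"
                   and s.get("namespace") == ns
                   and s.get("name") == sa_name
                   for s in b.get("subjects", []))]


def audit(pods, service_accounts, role_bindings):
    """Map "namespace/pod" to a verdict describing what a compromised pod could use."""
    findings = {}
    for pod in pods:
        ns = pod["metadata"]["namespace"]
        name = pod["metadata"]["name"]
        sa_name = pod.get("spec", {}).get("serviceAccountName", "default")
        if not token_is_mounted(pod, service_accounts):
            verdict = "ok: no token mounted"
        else:
            roles = bindings_for(ns, sa_name, role_bindings)
            if roles:
                verdict = f"HIGH: token for {sa_name} mounted, bound to {', '.join(roles)}"
            elif sa_name == "default":
                # Shared namespace account: any binding added to it later applies here too.
                verdict = "MEDIUM: shared default service-account token mounted"
            else:
                verdict = "LOW: token mounted, no bindings for this account"
        findings[f"{ns}/{name}"] = verdict
    return findings


if __name__ == "__main__":
    for pod_ref, verdict in audit(PODS, SERVICE_ACCOUNTS, ROLE_BINDINGS).items():
        print(f"{pod_ref}: {verdict}")
```

Only `dashboard-noaccess` and `dashboard-pod-override` come out clean; the pod that relies on the namespace's default account is flagged because the account is shared and may pick up bindings later, and the one bound to cluster-admin is the escalation path the last comment worries about. Against a real cluster the same logic would run over the output of `kubectl get pods,serviceaccounts,rolebindings,clusterrolebindings -A -o json` instead of the constructed dicts.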


