Node(s) CPU architecture, OS, and Version: 5.11.0-37-generic #41~20.04.2-Ubuntu
Cluster Configuration: Single Node
We're in the process of hardening deployments for some edge clusters we are deploying to customer sites and we need a way to either disable the generation of the k3s.yaml file or change the write path to a tmpfs path. We've determined it would be okay if it's a flag since the user would need to authenticate to the host to change it, but having it written to disk in plaintext is something we need to avoid.
This ask seems like the result of a flawed risk analysis. Having admin credentials written to disk in /etc/rancher/k3s/k3s.yaml does not change your risk profile. All k3s server nodes have a copy of the cluster root CA certificates and keys written to disk under /var/lib/rancher/k3s/server/tls; anyone with access to those files could generate certificates with the exact same (or more) privilege as provided by the current admin kubeconfig.
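An added example, not part of the thread or of the k3s project: a host audit that inventories both credential locations named in the comment above and flags any private key file readable beyond its owner. The optional root prefix argument and the `*.key` filename match are assumptions of this sketch.

```shell
# Added example (not k3s project code): inventory private key material on a
# k3s server and flag files accessible to group or other.
# Paths are the two named in the thread; ROOT prefix and '*.key' match are
# assumptions so the audit can also run against a copied or test tree.

list_k3s_credentials() {
    root="${1%/}"
    kubeconfig="$root/etc/rancher/k3s/k3s.yaml"
    tls_dir="$root/var/lib/rancher/k3s/server/tls"
    # The kubeconfig counts only if it embeds a client private key.
    if [ -f "$kubeconfig" ] && grep -q 'client-key-data:' "$kubeconfig"; then
        printf '%s\n' "$kubeconfig"
    fi
    # Cluster CA keys and any other private keys kept by the server.
    if [ -d "$tls_dir" ]; then
        find "$tls_dir" -type f -name '*.key' | sort
    fi
}

audit_k3s_credentials() {
    report=$(list_k3s_credentials "${1:-}" | while IFS= read -r f; do
        perms=$(ls -ld "$f" | cut -c1-10)
        # Characters 5-10 of the mode string are the group and other bits.
        case "$perms" in
            ????------) printf 'OK    %s %s\n' "$perms" "$f" ;;
            *)          printf 'LOOSE %s %s\n' "$perms" "$f" ;;
        esac
    done)
    [ -n "$report" ] && printf '%s\n' "$report"
    # Non-zero status when any key file is accessible to group or other.
    ! printf '%s\n' "$report" | grep -q '^LOOSE '
}
```

Run as root with no argument, `audit_k3s_credentials` checks the live paths, so the kubeconfig and the CA keys appear in the same report and can be tracked as one class of secret.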
This repository uses a bot to automatically label issues which have not had any activity (commit/comment/label) for 180 days. This helps us manage the community issues better. If the issue is still relevant, please add a comment to the issue so the bot can remove the label and we know it is still valid. If it is no longer relevant (or possibly fixed in the latest release), the bot will automatically close the issue in 14 days. Thank you for your contributions.
Environmental Info:
K3s Version: v1.23.6+k3s1