securing a cluster: add recommendations about cloud metadata APIs (#6659

)
kubernetes · Jan 8, 2018 · 77d0855 · 77d0855
1 parent b9b39f2
commit 77d0855
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/docs/tasks/administer-cluster/securing-a-cluster.md b/docs/tasks/administer-cluster/securing-a-cluster.md
@@ -128,6 +128,16 @@ Additional protections may be available that control network rules on a per plug
 environment basis, such as per-node firewalls, physically separating cluster nodes to 
 prevent cross talk, or advanced networking policy.
 
+### Restricting cloud metadata API access
+
+Cloud platforms (AWS, Azure, GCE, etc.) often expose metadata services locally to instances.
+By default these APIs are accessible by pods running on an instance and can contain cloud
+credentials for that node, or provisioning data such as kubelet credentials. These credentials
+can be used to escalate within the cluster or to other cloud services under the same account.
+
+When running Kubernetes on a cloud platform limit permissions given to instance credentials, use
+[network policies](/docs/tasks/administer-cluster/declare-network-policy/) to restrict pod access
+to the metadata API, and avoid using provisioning data to deliver secrets.
 
 ### Controlling which nodes pods may access