L2. API Server Hardening: Flags, Audit Logging and TLS
The API server is the front door to your cluster. Learn the critical flags to lock it down, how to enable audit logging for forensic visibility, and how to enforce TLS for all communications.
Why the API Server Matters
Every kubectl command, every controller reconciliation loop, and every kubelet heartbeat goes through the API server. If an attacker gains unauthenticated access, they control the entire cluster. Hardening it is step one.
Critical API Server Flags
These flags control authentication, authorization and visibility. For each one the kube-apiserver default is the permissive choice, so an absent flag is a finding, not a pass:

| Flag | Recommended Value | Why |
|---|---|---|
| --anonymous-auth | false | Rejects requests that carry no credentials instead of mapping them to system:anonymous (the default is true). Check first that nothing relies on it, such as load-balancer health probes of /healthz |
| --authorization-mode | Node,RBAC | Enforces role-based access control; the default when unset is AlwaysAllow, and AlwaysAllow must never appear in the list |
| --enable-admission-plugins | NodeRestriction,... | Limits each kubelet to modifying its own Node object and the Pods bound to it |
| --insecure-port | 0 (disabled) | Eliminates the unauthenticated plain-HTTP port. Only relevant to old releases: the flag has been inert since v1.20 and was removed in v1.24, where the port no longer exists |
| --profiling | false | Disables the /debug/pprof endpoints, which leak memory and goroutine state |
| --audit-log-path | /var/log/k8s-audit.log | Enables request-level audit logging to a file; pair it with --audit-policy-file, which decides what is recorded |
Audit Logging
Kubernetes audit logs capture every request to the API server: who made it, what they requested, and whether it succeeded. Without audit logs, you have no forensic trail after an incident.
An audit policy defines what gets logged at four levels:
- None: Do not log
- Metadata: Log request metadata (user, verb, resource) but not request/response bodies
- Request: Log metadata plus request body
- RequestResponse: Log everything including response body
A practical audit policy records reads at Metadata to control log volume and writes to sensitive resources at Request. Two details matter: rules are matched top to bottom and the first match wins, and a request that matches no rule is not logged at all, so the policy ends with a catch-all. Secrets and ConfigMaps are the exception to "sensitive means Request": their bodies hold exactly the credentials you are protecting, so they are logged at Metadata only; otherwise the audit log becomes a plaintext copy of every Secret in the cluster. Pass the file to the API server with --audit-policy-file alongside --audit-log-path:

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# Each request is otherwise logged twice (RequestReceived and ResponseComplete).
omitStages:
  - "RequestReceived"
# Rules are evaluated in order; the first matching rule sets the level.
rules:
  # Secret and ConfigMap bodies must never land in the audit log.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  # Reads of everything else: who, what and the outcome, but no bodies.
  - level: Metadata
    verbs: ["get", "list", "watch"]
  # Writes to pods and services: keep the request body for forensics.
  - level: Request
    resources:
      - group: ""
        resources: ["pods", "services"]
  # Catch-all, so unmatched requests still leave a trail.
  - level: Metadata
```
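The forensic value of the log comes from what you do with it. The following is an added example, not code from the lesson or from any Kubernetes tool: a small triage script that reads the audit.k8s.io/v1 Event objects the log backend writes (one JSON object per line) and tags the events an incident responder looks for first. Every rule uses only Metadata-level fields, so the policy above is sufficient; no request or response bodies are needed. The sample log lines and the auditIDs in them are constructed for the demo.

```python
"""Triage a kube-apiserver audit log (JSON lines) for high-signal events.
Added example, not part of the lesson: it reads the audit.k8s.io/v1 Event
objects that --audit-log-path writes, one per line. Every rule works on
Metadata-level fields, so it needs no request or response bodies."""
import json
import sys
from typing import Dict, Iterable, List

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


def classify(event: Dict) -> List[str]:
    """Return the alert tags an event earns; an empty list means not interesting."""
    tags: List[str] = []
    user = event.get("user", {})
    ref = event.get("objectRef", {})
    verb = event.get("verb", "")
    code = event.get("responseStatus", {}).get("code", 0)
    # Credential-less access. With --anonymous-auth=false this cannot succeed,
    # but a 401/403 still means someone reached the API endpoint.
    if user.get("username") == "system:anonymous" or "system:unauthenticated" in user.get("groups", []):
        tags.append("anonymous-request")
    # Secret values read out of the API (the value travels in the response, not the log).
    if ref.get("resource") == "secrets" and verb in {"get", "list"}:
        tags.append("secret-read")
    # Interactive access to a container.
    if ref.get("resource") == "pods" and ref.get("subresource") in {"exec", "attach", "portforward"}:
        tags.append("pod-exec")
    # Privilege changes through RBAC objects.
    if ref.get("apiGroup") == "rbac.authorization.k8s.io" and verb in WRITE_VERBS:
        tags.append("rbac-change")
    # Forbidden calls in volume usually mean a compromised identity probing RBAC.
    if code == 403:
        tags.append("forbidden")
    return tags


def triage(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each alert tag to the auditIDs that raised it.
    Only ResponseComplete events count, so a request logged at RequestReceived
    and again at completion is not reported twice."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue
        for tag in classify(ev):
            hits.setdefault(tag, []).append(ev.get("auditID", "?"))
    return hits


# Constructed sample log (not real cluster data), trimmed to the fields the rules use.
SAMPLE_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/secrets/db-creds","verb":"get","user":{"username":"system:serviceaccount:prod:web","groups":["system:serviceaccounts"]},"sourceIPs":["10.244.1.7"],"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods/web-0/exec?command=sh","verb":"create","user":{"username":"alice","groups":["developers"]},"sourceIPs":["203.0.113.9"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"web-0","apiVersion":"v1"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","verb":"create","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["198.51.100.4"],"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"RequestReceived","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","verb":"create","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods","verb":"list","user":{"username":"system:serviceaccount:kube-system:metrics","groups":["system:serviceaccounts"]},"objectRef":{"resource":"pods","namespace":"prod","apiVersion":"v1"},"responseStatus":{"code":200}}
"""

if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for tag, ids in sorted(triage(source).items()):
        print(f"{tag:18} {len(ids):3}  {' '.join(ids)}")
```

Run it against the real file with `python3 triage.py /var/log/k8s-audit.log` on a control-plane node. In the sample, the anonymous ClusterRoleBinding creation earns three tags at once (anonymous-request, rbac-change, forbidden): it was denied, but a denied privilege escalation attempt from an unauthenticated source is precisely the event the log exists to preserve.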
TLS Everywhere
All API server communication must use TLS. This includes:
- Client to API server: kubectl and service accounts authenticate with client certificates or bearer tokens over HTTPS; the API server's own serving certificate comes from --tls-cert-file and --tls-private-key-file
- API server to etcd: must use mutual TLS (mTLS) with a dedicated client certificate (--etcd-certfile, --etcd-keyfile) and verify etcd's certificate against --etcd-cafile. Whoever can talk to etcd can read every Secret in the cluster, so this channel deserves the same care as the front door
- API server to kubelet: the API server presents a client certificate (--kubelet-client-certificate, --kubelet-client-key) and must verify the kubelet's serving certificate with --kubelet-certificate-authority. Without that flag the kubelet's certificate is not checked, which exposes kubectl exec and kubectl logs traffic to interception
Rotate certificates before expiration. Use short-lived certificates (90 days or less) and automate rotation: on kubeadm clusters, kubeadm certs check-expiration lists expiry dates and kubeadm certs renew all renews the control-plane certificates; kubelets rotate their own certificates when --rotate-certificates is enabled; cert-manager or your cloud provider's certificate management can handle the rest.
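The flag table and the TLS channels above make a checklist that is easy to verify mechanically. The following is an added example, not code from the lesson or from any Kubernetes project: it reads the live kube-apiserver command line from /proc/<pid>/cmdline, the way CIS-benchmark checkers do, and reports every flag that is missing or set to its insecure default. The two sample command lines are constructed (kubeadm's default certificate paths are used for realism), and the script falls back to them when no kube-apiserver process is visible, so it also runs off the node.

```python
"""Check kube-apiserver flags against the hardening table and TLS section above.
Added example, not from the lesson or any Kubernetes tool: it reads the live
process's arguments from /proc/<pid>/cmdline, as CIS-benchmark checkers do, and
falls back to the constructed samples below when run off the node."""
import os
from typing import Dict, List, Optional, Sequence

# Must be present with this exact value; the kube-apiserver default for both is true.
REQUIRED_VALUE = {"--anonymous-auth": "false", "--profiling": "false"}
# Must be set to something; the text is the finding when the flag is missing.
REQUIRED_PRESENT = {
    "--audit-log-path": "audit logging is off",
    "--audit-policy-file": "no audit policy, nothing is selected for logging",
    "--tls-cert-file": "no serving certificate",
    "--tls-private-key-file": "no serving private key",
    "--etcd-cafile": "etcd's certificate is not verified",
    "--etcd-certfile": "no client certificate for etcd (mTLS off)",
    "--etcd-keyfile": "no client key for etcd (mTLS off)",
    "--kubelet-client-certificate": "no client certificate towards kubelets",
    "--kubelet-client-key": "no client key towards kubelets",
    "--kubelet-certificate-authority": "kubelet serving certs are not verified",
}


def parse_flags(argv: Sequence[str]) -> Dict[str, str]:
    """'--flag=value' or '--flag value' -> {flag: value}; a bare flag is 'true'."""
    flags: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            if "=" in arg:
                key, value = arg.split("=", 1)
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                key, value, i = arg, argv[i + 1], i + 1
            else:
                key, value = arg, "true"
            flags[key] = value
        i += 1
    return flags


def audit_apiserver(argv: Sequence[str]) -> List[str]:
    """Return findings; an empty list means every check passed."""
    flags = parse_flags(argv)
    findings = [f"{k} is {flags.get(k)!r}, want {v!r}"
                for k, v in REQUIRED_VALUE.items() if flags.get(k) != v]
    findings += [f"{k} not set: {why}"
                 for k, why in REQUIRED_PRESENT.items() if not flags.get(k)]
    # An unset --authorization-mode means AlwaysAllow.
    modes = set(flags.get("--authorization-mode", "AlwaysAllow").split(","))
    if "AlwaysAllow" in modes or not {"Node", "RBAC"} <= modes:
        findings.append(f"--authorization-mode is {','.join(sorted(modes))}, want Node,RBAC")
    enabled = set(flags.get("--enable-admission-plugins", "").split(","))
    disabled = set(flags.get("--disable-admission-plugins", "").split(","))
    if "NodeRestriction" not in enabled or "NodeRestriction" in disabled:
        findings.append("NodeRestriction admission plugin is not active")
    # Inert since v1.20 and removed in v1.24; older releases must set it to 0.
    if flags.get("--insecure-port", "0") != "0":
        findings.append(f"--insecure-port is {flags['--insecure-port']}, want 0")
    return findings


def apiserver_argv_from_proc() -> Optional[List[str]]:
    """argv of the kube-apiserver process on this node, or None if not found."""
    for pid in filter(str.isdigit, os.listdir("/proc") if os.path.isdir("/proc") else []):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
        except OSError:
            continue
        if argv and os.path.basename(argv[0]) == "kube-apiserver":
            return argv
    return None


# Constructed samples, using kubeadm's default certificate paths.
PKI = "/etc/kubernetes/pki"
WEAK_ARGV = ["kube-apiserver", "--authorization-mode=AlwaysAllow",
             "--enable-admission-plugins=NamespaceLifecycle,LimitRanger",
             "--insecure-port=8080",
             f"--tls-cert-file={PKI}/apiserver.crt", f"--tls-private-key-file={PKI}/apiserver.key"]
HARDENED_ARGV = WEAK_ARGV[:1] + WEAK_ARGV[4:] + [
    "--anonymous-auth=false", "--profiling=false", "--authorization-mode=Node,RBAC",
    "--enable-admission-plugins=NodeRestriction,PodSecurity",
    "--audit-log-path=/var/log/k8s-audit.log", "--audit-policy-file=/etc/kubernetes/audit-policy.yaml",
    f"--etcd-cafile={PKI}/etcd/ca.crt", f"--etcd-certfile={PKI}/apiserver-etcd-client.crt",
    f"--etcd-keyfile={PKI}/apiserver-etcd-client.key",
    f"--kubelet-client-certificate={PKI}/apiserver-kubelet-client.crt",
    f"--kubelet-client-key={PKI}/apiserver-kubelet-client.key",
    f"--kubelet-certificate-authority={PKI}/ca.crt"]

if __name__ == "__main__":
    live = apiserver_argv_from_proc()
    for name, args in ([("live", live)] if live else [("weak", WEAK_ARGV), ("hardened", HARDENED_ARGV)]):
        findings = audit_apiserver(args)
        print(f"== {name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Treating absence as failure is the point of the script: a kube-apiserver started with only --tls-cert-file and --tls-private-key-file passes a naive "is TLS on" check while still accepting anonymous requests, authorizing everything and trusting any certificate a kubelet presents.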
Admission Controllers
Admission controllers intercept requests after authentication and authorization but before persistence. Key controllers to enable:
- NodeRestriction: Limits kubelets to modifying only their own node and pods
- PodSecurity: Enforces Pod Security Standards
- ResourceQuota: Prevents resource exhaustion
- LimitRanger: Sets default resource limits
- ✓ Disable anonymous auth (--anonymous-auth=false) and, on releases older than v1.24 that still have it, the insecure port (--insecure-port=0) to prevent unauthenticated access
- ✓ Set authorization mode to Node,RBAC for least-privilege enforcement
- ✓ Audit logging captures every API request: log reads at Metadata, writes to sensitive resources at Request, never log Secret or ConfigMap bodies, and end the policy with a catch-all rule
- ✓ All API server communication must use TLS including API-to-etcd (mTLS) and API-to-kubelet channels, with the kubelet's certificate verified via --kubelet-certificate-authority
- ✓ Admission controllers like NodeRestriction and PodSecurity intercept requests after authz but before persistence
1. Which API server flag should be set to false to prevent unauthenticated requests?
2. At which audit level does Kubernetes log request metadata plus the request body but not the response body?
3. What does the NodeRestriction admission controller prevent?