On Sun, Jul 16, 2017 at 7:08 PM 'David Oppenheimer' via Kubernetes user discussion and Q&A <[email protected]> wrote:
>
> Why would using the same CA for the etcd cluster members and the
> Kubernetes components allow "anyone" to attach to the etcd cluster?
>

Sorry, I somewhat oversimplified there. Anyone who can get their hands on one of the signed certificates could. If you never hand those out to non-cluster-admins you're safe, but if you are using certificate auth for any non-admin use cases (kubectl for developers, Prometheus) they can bypass their RBAC/ABAC restrictions.

> My understanding is that if the API server a kube component is talking to
> switches, the client on the kube component will detect the disconnection
> and re-list (from the last record's version number that it received from
> the old API server) when it connects to the new API server, so it won't
> miss anything.
>

Ah, that's good to know, I have been overcautious then. How does it ensure that the same connection is used for LIST and WATCH?

/MR
