The API server is the front door to your Kubernetes cluster. Every kubectl command, every controller, every pod communicates through it. Securing the API server is paramount.
Authentication Methods
Disable Anonymous Authentication
```yaml
--anonymous-auth=false
```
Use Strong Authentication
Prefer these methods:
- OIDC tokens (recommended for users)
- X.509 client certificates
- Service account tokens (for workloads)
OIDC Configuration
```yaml
--oidc-issuer-url=https://accounts.google.com
--oidc-client-id=kubernetes
--oidc-username-claim=email
--oidc-groups-claim=groups
```
Authorization
Enable RBAC
```yaml
--authorization-mode=Node,RBAC
```
Never use these modes in production:
- AlwaysAllow
- AlwaysDeny
TLS Configuration
Strong Cipher Suites
```yaml
--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
--tls-min-version=VersionTLS12
```
Admission Controllers
Enable essential admission controllers:
```yaml
--enable-admission-plugins=NodeRestriction,PodSecurity,ServiceAccount
```
Key Controllers
- NodeRestriction: Limits which objects a kubelet can modify
- PodSecurity: Enforces the Pod Security Standards
- AlwaysPullImages: Forces a fresh image pull so registry credentials are verified
Rate Limiting
Protect against DoS:
```yaml
--max-requests-inflight=400
--max-mutating-requests-inflight=200
```
Network Security
- Place API server behind a load balancer
- Use private endpoints when possible
- Restrict source IPs with firewall rules
- Never expose to the internet without VPN
Audit Everything
Enable comprehensive audit logging as discussed in our audit logging post.
Checklist
- Anonymous auth disabled
- RBAC enabled
- TLS 1.2+ only
- Strong cipher suites
- Admission controllers configured
- Audit logging enabled
- Network access restricted
- API server logs monitored
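As an added example (not code from the original post), the following Python audit turns the checklist above into an automated check: it parses the kube-apiserver command-line flags as they appear in the static pod manifest's command array (assumed path /etc/kubernetes/manifests/kube-apiserver.yaml) and reports any item the configuration fails. The audit-logging check assumes the standard --audit-log-path and --audit-policy-file flags, which this post does not list itself; both sample flag sets are constructed.

```python
# Added example: audit kube-apiserver flags against the hardening checklist.
# Input is the list of "--flag=value" strings from the static pod manifest's
# command array (assumed: /etc/kubernetes/manifests/kube-apiserver.yaml) or
# the running process's argv. Both sample flag sets below are constructed.

REQUIRED_ADMISSION = {"NodeRestriction", "PodSecurity", "ServiceAccount"}
ACCEPTABLE_TLS_MIN = {"VersionTLS12", "VersionTLS13"}


def parse_flags(args):
    """Turn ['--k=v', '--flag'] into {'k': 'v', 'flag': ''}; a repeated flag keeps its last value."""
    flags = {}
    for arg in args:
        if not arg.startswith("--"):
            continue  # skip the binary name and any positional arguments
        key, _, value = arg[2:].partition("=")
        flags[key] = value
    return flags


def audit_api_server(args):
    """Return a list of findings; an empty list means every checklist item is satisfied."""
    flags = parse_flags(args)
    findings = []
    # kube-apiserver defaults --anonymous-auth to true, so only an explicit "false" passes.
    if flags.get("anonymous-auth", "true").lower() != "false":
        findings.append("anonymous authentication enabled (--anonymous-auth=false missing)")
    # The default authorization mode is AlwaysAllow, so a missing flag is a finding too.
    modes = set(flags.get("authorization-mode", "AlwaysAllow").split(","))
    if modes & {"AlwaysAllow", "AlwaysDeny"}:
        findings.append("authorization mode uses AlwaysAllow/AlwaysDeny")
    if "RBAC" not in modes:
        findings.append("RBAC authorization not enabled")
    if "Node" not in modes:
        findings.append("Node authorizer not enabled")
    # Require the minimum TLS version to be pinned explicitly at 1.2 or higher.
    if flags.get("tls-min-version") not in ACCEPTABLE_TLS_MIN:
        findings.append("TLS minimum version not pinned to 1.2+ (--tls-min-version)")
    if not flags.get("tls-cipher-suites"):
        findings.append("no explicit --tls-cipher-suites (library defaults apply)")
    enabled = set(filter(None, flags.get("enable-admission-plugins", "").split(",")))
    missing = sorted(REQUIRED_ADMISSION - enabled)
    if missing:
        findings.append("admission plugins not explicitly enabled: " + ", ".join(missing))
    if not flags.get("audit-log-path") or not flags.get("audit-policy-file"):
        findings.append("audit logging not configured (--audit-log-path / --audit-policy-file)")
    return findings


# Constructed samples: a weak configuration and one that follows this post's recommendations.
WEAK_ARGS = ["kube-apiserver", "--authorization-mode=AlwaysAllow",
             "--enable-admission-plugins=NodeRestriction"]
HARDENED_ARGS = ["kube-apiserver", "--anonymous-auth=false", "--authorization-mode=Node,RBAC",
                 "--tls-min-version=VersionTLS12",
                 "--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                 "--enable-admission-plugins=NodeRestriction,PodSecurity,ServiceAccount",
                 "--audit-log-path=/var/log/kubernetes/audit.log",
                 "--audit-policy-file=/etc/kubernetes/audit-policy.yaml"]

if __name__ == "__main__":
    for name, args in (("weak", WEAK_ARGS), ("hardened", HARDENED_ARGS)):
        print(name, "->", audit_api_server(args) or "no findings")
```

Feed it the real command array from your manifest (or the API server's argv) to get a per-cluster report; every finding maps to one line of the checklist.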
The API server is your most critical component—secure it accordingly.