# Secuirty Hardning of Kubernetes API Server

After cluster installed through KubeSpray, the `kube-apiserver` allows anonymous access of APIs, that is insecure when Kubernetes API Server secured ports are public.

So we need to manually sets the `--anonymous-auth=false` flags in Kubernetes API Server manifests (`/etc/kubernetes/manifests/kube-apiserver.yaml`).

We need create service account to make probes work when we disable anonymous auth.

## How to patch it ?

First we need apply [`probe-sa.yaml`](./probe-sa.yaml) to cluster to create service account and secrets for `kube-apiserver`'s probes.

```bash
kubectl apply -f probe-sa.yaml
```

Now we can get created token from secret `kube-api-server-probe-sa-token`.

```bash
kubectl get secret kube-api-server-probe-sa-token -o jsonpath='{.data.token}' -n kube-system | base64 --decode
```

You need copy token and add this snippet into `kube-apiserver.yaml` on each master node.

```yaml
readinessProbe:
...
      httpGet:
      ...
        httpHeaders:
         - name: Authorization
           value: Bearer <TOKEN>
lievenessProbe:
...
      httpGet:
      ...
        httpHeaders:
         - name: Authorization
           value: Bearer <TOKEN>
startupProbe:
...
      httpGet:
      ...
        httpHeaders:
         - name: Authorization
           value: Bearer <TOKEN>
```

After you have made the modifications and saved the file, the kubelet will automatically create a new kube-apiserver pod.

You can determine if the configuration is correct by checking the ready status (`1/1`) of the pod.