I'm curious about how cloud providers like DigitalOcean, AWS, and Google Cloud protect their managed Kubernetes services to prevent users from accidentally messing things up. When I create a new cluster with one of these services, do I receive a kubeconfig file that gives me full admin rights? Am I able to modify or delete elements within the kube-system namespace? Can I launch privileged pods or delete Node objects?
For instance, if I were to delete a DaemonSet that the provider has installed for essential operations like monitoring, how do they handle situations like that? I imagine they might use some form of reconciliation or admission control to safeguard the infrastructure.
I'd love to hear about anyone's experiences with this!
1 Answer
In simple terms, they mostly don’t limit you. When you create a cluster, you usually get admin access, and yes, you can totally mess things up if you want. Just like with any VM, if you run commands like `rm -rf /`, it's not on the cloud provider to stop you.
Exactly! It's a frustrating situation sometimes, especially when there's a sense of over-control from the architects. We have someone trying to restrict what users can do, but I think that defeats the purpose of a cloud setup. Developers don’t get to see pod statuses unless they use something like ArgoCD, and every little DNS request has to go through him. It's like we're set up for a service model, but the reality is we're just using cloud containers!