The ABC of Security in Kubernetes: Authentication, Authorization, Auditing


Sooner or later, in the operation of any system, the question of security comes up: ensuring authentication, separating rights, auditing and other tasks. Many solutions have already been created for Kubernetes that let you meet requirements even in very demanding environments... This material is devoted to the basic security features implemented in the built-in mechanisms of K8s. First of all, it will be useful for those who are just starting to get acquainted with Kubernetes, as a starting point for studying security issues.

Authentication

There are two types of users in Kubernetes:

  • Service Accounts - accounts managed by the Kubernetes API;
  • Users - "ordinary" users managed by external, independent services.

The key difference between these types is that Service Accounts have dedicated objects in the Kubernetes API (that is what they are called: ServiceAccounts), which are bound to a namespace and whose authorization data is stored in the cluster in objects of type Secret. Such users (Service Accounts) are mainly intended to manage the access rights to the Kubernetes API of processes running inside the Kubernetes cluster.

Ordinary users have no entries in the Kubernetes API: they must be managed by external mechanisms. They are intended for humans or processes located outside the cluster.

Every API request is associated either with a Service Account, with a User, or is considered anonymous.

A user's credentials include:

  • Username - the user name (case sensitive!);
  • UID - a machine-readable user identification string that is "more consistent and unique than the username";
  • Groups - the list of groups the user belongs to;
  • Extra - additional fields that can be used by the authorization mechanism.

Kubernetes can use many authentication mechanisms: X509 certificates, Bearer tokens, an authenticating proxy, HTTP Basic Auth. Using these mechanisms, you can implement a great many authorization schemes: from a static file with passwords to OpenID OAuth2.

Moreover, several authorization schemes can be used at the same time. By default, the cluster uses:

  • service account tokens - for Service Accounts;
  • X509 - for Users.

Managing ServiceAccounts is beyond the scope of this article, but for those who want to get acquainted with this topic in more detail, I recommend starting with the documentation page. We will take a closer look at how X509 certificates work.

Certificates for users (X.509)

The classic way of working with certificates includes:

  • key generation:
    mkdir -p ~/.certs/
    openssl genrsa -out ~/.certs/mynewuser.key 2048
  • creating a certificate signing request:
    openssl req -new -key ~/.certs/mynewuser.key -out ~/.certs/mynewuser.csr -subj "/CN=mynewuser/O=company"
  • signing the request with the Kubernetes cluster CA keys to obtain the user certificate (to obtain the certificate, you need an account with access to the Kubernetes cluster CA key, which by default is located at /etc/kubernetes/pki/ca.key):
    openssl x509 -req -in ~/.certs/mynewuser.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out ~/.certs/mynewuser.crt -days 500
  • creating the configuration file:
    • cluster description (specify the address and the location of the CA certificate file for a specific cluster installation):
      kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server=https://192.168.100.200:6443
    • or, as an insecure option, you can skip the root certificate (then kubectl will not verify the authenticity of the cluster api-server):
      kubectl config set-cluster kubernetes --insecure-skip-tls-verify=true --server=https://192.168.100.200:6443
    • add the user to the configuration file:
      kubectl config set-credentials mynewuser --client-certificate=.certs/mynewuser.crt --client-key=.certs/mynewuser.key
    • add the context:
      kubectl config set-context mynewuser-context --cluster=kubernetes --namespace=target-namespace --user=mynewuser
    • set the default context:
      kubectl config use-context mynewuser-context

After the manipulations above, a config like the following will be created in the file .kube/config:

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/pki/ca.crt
    server: https://192.168.100.200:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: target-namespace
    user: mynewuser
  name: mynewuser-context
current-context: mynewuser-context
kind: Config
preferences: {}
users:
- name: mynewuser
  user:
    client-certificate: /home/mynewuser/.certs/mynewuser.crt
    client-key: /home/mynewuser/.certs/mynewuser.key

To make it easier to move the config between accounts and servers, it is recommended to edit the values of the following keys:

  • certificate-authority
  • client-certificate
  • client-key

To do this, you can encode the files they refer to with base64 and write the result into the config, adding the suffix -data to the key names, i.e. obtaining certificate-authority-data and so on.
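The conversion just described, as an added example that is not part of the original article: it rewrites the three path-valued keys into their base64 "-data" form. The function and sample names are my own; `files` maps each referenced path to its bytes (constructed here so the example runs offline; in practice it is filled by reading the paths from disk).

```python
# Added example, not from the article: rewrite the three path-valued kubeconfig
# keys into their base64 "-data" form so the file carries its own credentials.
# It works line by line on the flat "key: path" layout kubectl writes, so no
# YAML library is needed; `files` maps each path to its bytes (constructed
# below for an offline run; in practice they come from disk).
import base64

PATH_KEYS = ("certificate-authority", "client-certificate", "client-key")

def embed_credentials(config_text, files):
    out = []
    for line in config_text.splitlines():
        body = line.lstrip()
        indent = line[: len(line) - len(body)]
        key, sep, value = body.partition(":")
        if sep and key in PATH_KEYS:
            path = value.strip()
            if path not in files:
                raise FileNotFoundError(f"{key} points at a missing file: {path}")
            data = base64.b64encode(files[path]).decode("ascii")
            out.append(f"{indent}{key}-data: {data}")  # same indent keeps the YAML valid
        else:
            out.append(line)
    return "\n".join(out) + "\n"

def embedded_file(config_text, key):
    """Decode a key-data value back to bytes (to check the round trip)."""
    for line in config_text.splitlines():
        k, _, v = line.strip().partition(":")
        if k == key + "-data":
            return base64.b64decode(v.strip())
    return None

# Constructed stand-ins for the three files referenced by the config above.
SAMPLE_FILES = {
    "/etc/kubernetes/pki/ca.crt": b"-----BEGIN CERTIFICATE-----\nCA\n-----END CERTIFICATE-----\n",
    "/home/mynewuser/.certs/mynewuser.crt": b"-----BEGIN CERTIFICATE-----\nUSER\n-----END CERTIFICATE-----\n",
    "/home/mynewuser/.certs/mynewuser.key": b"-----BEGIN RSA PRIVATE KEY-----\nKEY\n-----END RSA PRIVATE KEY-----\n",
}

SAMPLE_CONFIG = """\
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/pki/ca.crt
    server: https://192.168.100.200:6443
  name: kubernetes
users:
- name: mynewuser
  user:
    client-certificate: /home/mynewuser/.certs/mynewuser.crt
    client-key: /home/mynewuser/.certs/mynewuser.key
"""

def portable_config():
    return embed_credentials(SAMPLE_CONFIG, SAMPLE_FILES)
```

kubectl has this built in as `kubectl config view --flatten`, which produces the same self-contained form; the point of the script is to show exactly which keys change and that nothing but the three credential files ends up embedded.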

Certificates with kubeadm

With the release of Kubernetes 1.15, working with certificates became much easier thanks to the alpha version of its support in the kubeadm utility. For example, this is what generating a configuration file with the user's keys now looks like:

kubeadm alpha kubeconfig user --client-name=mynewuser --apiserver-advertise-address 192.168.100.200

NB: The required advertise address can be found in the api-server config, which by default is located at /etc/kubernetes/manifests/kube-apiserver.yaml.

The resulting config is printed to stdout. It must be saved to ~/.kube/config of the user's account or to the file specified in the KUBECONFIG environment variable.

Digging deeper

For those who want to understand the described topics in more depth:

Authorization

By default, an authenticated account has no rights to perform operations on the cluster. To grant permissions, Kubernetes uses an authorization mechanism.

Before version 1.6, Kubernetes used an authorization type called ABAC (Attribute-based access control). Details about it can be found in the official documentation. This approach is now considered legacy, but you can still use it together with other authentication types.

The current (and more flexible) way of separating access rights to a cluster is called RBAC (Role-based access control). It has been declared stable since Kubernetes version 1.8. RBAC implements a rights model in which everything that is not explicitly allowed is forbidden.
To enable RBAC, you need to start the Kubernetes api-server with the parameter --authorization-mode=RBAC. The parameters are set in the manifest with the api-server configuration, which by default is located at /etc/kubernetes/manifests/kube-apiserver.yaml, in the command section. However, RBAC is already enabled by default, so most likely you don't need to worry about it: you can verify this by the value of authorization-mode (in the already mentioned kube-apiserver.yaml). By the way, other authorization types may appear among its values (node, webhook, always allow), but we will leave their consideration outside the scope of this material.

By the way, we have already published an article with a fairly detailed description of the principles and features of working with RBAC, so below I will limit myself to a brief list of the basics and examples.

The following API entities are used to control access in Kubernetes via RBAC:

  • Role and ClusterRole - roles that describe access rights:
  • Role lets you describe rights within a namespace;
  • ClusterRole - within the whole cluster, including for specific objects such as nodes and non-resource URLs (i.e. those not related to Kubernetes resources, for example /version, /logs, /api*);
  • RoleBinding and ClusterRoleBinding - used to bind a Role or ClusterRole to a user, a group of users or a ServiceAccount.

The Role and RoleBinding entities are limited by namespace, i.e. they must be in the same namespace. However, a RoleBinding may reference a ClusterRole, which lets you create a set of generic permissions and control their use per namespace.

A role describes rights with a set of rules that contain:

  • API groups - see the official documentation on apiGroups and the output of kubectl api-resources;
  • resources (pod, namespace, deployment, etc.);
  • verbs (set, update, etc.);
  • resource names (resourceNames) - for the case when you need to grant access to one specific object rather than to all resources of that type.

A more detailed treatment of authorization in Kubernetes can be found on the official documentation page. Instead (or rather, in addition to it), I will give examples that illustrate how it works.

Examples of RBAC objects

A simple Role that allows getting the list and state of pods and watching them in the namespace target-namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: target-namespace
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

Example: a ClusterRole that allows getting the list and state of secrets and watching them across the whole cluster:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # there is no "namespace" section, since a ClusterRole applies to the whole cluster
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

Example: a RoleBinding that allows the user mynewuser to "read" pods in the namespace target-namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: target-namespace
subjects:
- kind: User
  name: mynewuser # the user name is case sensitive!
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role # must be "Role" or "ClusterRole"
  name: pod-reader # name of a Role located in the same namespace,
                   # or name of a ClusterRole whose use
                   # we want to permit to the user
  apiGroup: rbac.authorization.k8s.io
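
To see how these objects combine at decision time, here is an added example (my own code, not from the article or from Kubernetes itself): a small model of the RBAC authorizer's default-deny logic, loaded with the pod-reader Role, the secret-reader ClusterRole and the read-pods RoleBinding from above, plus one constructed RoleBinding that grants the ClusterRole inside target-namespace only. Only User and Group subjects are modelled; ServiceAccount subjects and aggregated ClusterRoles are left out.

```python
# Added example (not the article's code): a small model of how the RBAC
# authorizer decides a request. Deny by default: a request passes only when a
# binding whose subject matches the caller references a role with a covering rule.
from typing import NamedTuple

class Rule(NamedTuple):
    api_groups: list
    resources: list
    verbs: list
    resource_names: tuple = ()   # empty = any object name

class Binding(NamedTuple):
    kind: str         # "RoleBinding" (namespaced) or "ClusterRoleBinding"
    subjects: list    # (kind, name) pairs; only "User" and "Group" modelled
    role_ref: tuple   # (kind, name) of the Role / ClusterRole being granted
    namespace: str = ""

class Request(NamedTuple):
    user: str
    groups: frozenset
    verb: str
    api_group: str    # "" is the core group (pods, secrets, ...)
    resource: str
    namespace: str = ""   # "" for cluster-scoped resources such as nodes
    name: str = ""

def _covers(allowed, value):
    return "*" in allowed or value in allowed

def rule_allows(rule, req):
    return (_covers(rule.api_groups, req.api_group) and _covers(rule.resources, req.resource)
            and _covers(rule.verbs, req.verb)
            and (not rule.resource_names or req.name in rule.resource_names))

def subject_matches(subjects, req):
    return any((kind == "User" and name == req.user) or (kind == "Group" and name in req.groups)
               for kind, name in subjects)

def authorize(req, roles, bindings):
    """True if some binding grants the request; everything else is denied."""
    for b in bindings:
        if not subject_matches(b.subjects, req):
            continue
        # A RoleBinding grants only inside its own namespace, even when it
        # references a ClusterRole; a ClusterRoleBinding applies cluster-wide.
        if b.kind == "RoleBinding" and b.namespace != req.namespace:
            continue
        ref_kind, ref_name = b.role_ref
        ns = b.namespace if ref_kind == "Role" else ""   # ClusterRoles have no namespace
        if any(rule_allows(r, req) for r in roles.get((ref_kind, ns, ref_name), [])):
            return True
    return False   # no explicit grant anywhere: denied

# The Role and ClusterRole from the manifests above, keyed by (kind, namespace, name).
ROLES = {
    ("Role", "target-namespace", "pod-reader"): [Rule([""], ["pods"], ["get", "watch", "list"])],
    ("ClusterRole", "", "secret-reader"): [Rule([""], ["secrets"], ["get", "watch", "list"])],
}
# read-pods from above, plus a constructed RoleBinding that hands out the
# cluster-wide secret-reader ClusterRole in target-namespace only.
BINDINGS = [
    Binding("RoleBinding", [("User", "mynewuser")], ("Role", "pod-reader"), "target-namespace"),
    Binding("RoleBinding", [("User", "mynewuser")], ("ClusterRole", "secret-reader"), "target-namespace"),
]

def can(user, verb, resource, namespace="", api_group="", groups=()):
    return authorize(Request(user, frozenset(groups), verb, api_group, resource, namespace), ROLES, BINDINGS)
```

On a real cluster the equivalent check is `kubectl auth can-i <verb> <resource> --as=<user> -n <namespace>`, which asks the api-server's authorizer the same question.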

Auditing

Schematically, the Kubernetes architecture can be represented as follows:

[diagram: Kubernetes architecture]

The key Kubernetes component responsible for processing requests is the api-server. All operations on the cluster pass through it. You can read more about these internal mechanisms in the article "What happens in Kubernetes when you run kubectl run?".

Auditing of the system is an interesting feature of Kubernetes that is disabled by default. It lets you log every call to the Kubernetes API. As you may guess, all actions related to monitoring and changing the state of the cluster are performed through this API. A good description of its capabilities can (as usual) be found in the official K8s documentation. Below, I will try to present the topic in simpler terms.

So, to enable auditing, we need to pass three required parameters to the container with the api-server, which are described below:

  • --audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml
  • --audit-log-path=/var/log/kube-audit/audit.log
  • --audit-log-format=json

Besides these three required parameters, there are many additional settings related to auditing: from log rotation to webhook descriptions. An example of the log rotation parameters:

  • --audit-log-maxbackup=10
  • --audit-log-maxsize=100
  • --audit-log-maxage=7

But we will not dwell on them further; you can find all the details in the kube-apiserver documentation.

As already mentioned, all parameters are set in the manifest with the api-server configuration (by default /etc/kubernetes/manifests/kube-apiserver.yaml), in the command section. Let's return to the 3 required parameters and go through them:

  1. audit-policy-file - path to the YAML file describing the audit policy. We will return to its contents later, but for now I will note that the file must be readable by the api-server process. Therefore it has to be mounted into the container, for which you can add the following to the appropriate sections of the configuration:
      volumeMounts:
        - mountPath: /etc/kubernetes/policies
          name: policies
          readOnly: true
      volumes:
      - hostPath:
          path: /etc/kubernetes/policies
          type: DirectoryOrCreate
        name: policies
  2. audit-log-path - path to the log file. The path must also be accessible to the api-server process, so we describe its mount in the same way:
      volumeMounts:
        - mountPath: /var/log/kube-audit
          name: logs
          readOnly: false
      volumes:
      - hostPath:
          path: /var/log/kube-audit
          type: DirectoryOrCreate
        name: logs
  3. audit-log-format - the audit log format. The default is json, but the legacy text format is also available (legacy).
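
With the json format enabled, the file at audit-log-path holds one audit Event per line. The following is an added example of my own (not from the article) that reads such a file and pulls out what an operator usually looks for first: rejected requests and who touched Secrets. The field names follow the audit.k8s.io/v1 Event layout; the sample log lines are constructed and every value in them (users, names, addresses) is made up.

```python
# Added example, not from the article: sifting the JSON audit log written with
# --audit-log-format=json. Each line is one audit Event (audit.k8s.io/v1 field
# names); the sample lines are constructed and every value in them is made up.
import json
from collections import Counter

SAMPLE_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"RequestReceived","verb":"get","requestURI":"/api/v1/namespaces/target-namespace/secrets/db-creds","user":{"username":"mynewuser","groups":["system:authenticated"]},"sourceIPs":["192.168.100.10"],"objectRef":{"resource":"secrets","namespace":"target-namespace","name":"db-creds"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","requestURI":"/api/v1/namespaces/target-namespace/secrets/db-creds","user":{"username":"mynewuser","groups":["system:authenticated"]},"sourceIPs":["192.168.100.10"],"objectRef":{"resource":"secrets","namespace":"target-namespace","name":"db-creds"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/namespaces/target-namespace/pods","user":{"username":"mynewuser","groups":["system:authenticated"]},"sourceIPs":["192.168.100.10"],"objectRef":{"resource":"pods","namespace":"target-namespace"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","requestURI":"/api/v1/namespaces/target-namespace/secrets/db-creds","user":{"username":"system:serviceaccount:kube-system:backup","groups":["system:serviceaccounts"]},"sourceIPs":["10.244.1.7"],"objectRef":{"resource":"secrets","namespace":"target-namespace","name":"db-creds"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","requestURI":"/api/v1/namespaces/target-namespace/secrets/api-token","user":{"username":"mynewuser","groups":["system:authenticated"]},"sourceIPs":["192.168.100.10"],"objectRef":{"resource":"secrets","namespace":"target-namespace","name":"api-token"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","requestURI":"/version","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["192.168.100.55"],"responseStatus":{"code":200}}
this line is truncated garbage and must be skipped
"""

def parse_audit_log(text):
    """One Event per line; keep only completed requests, skip lines that are not JSON."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue   # partial line, e.g. from a crash mid-write or log rotation
        if ev.get("kind") == "Event" and ev.get("stage") == "ResponseComplete":
            events.append(ev)  # RequestReceived would double-count the same request
    return events

def describe(ev):
    ref = ev.get("objectRef") or {}
    target = "/".join(p for p in (ref.get("resource"), ref.get("namespace"), ref.get("name")) if p)
    return (ev["user"]["username"], ev["verb"], target or ev.get("requestURI", ""))

def denied_requests(events):
    """RBAC rejections (HTTP 403); a run of them from one user means probing or a broken binding."""
    return [describe(e) for e in events if (e.get("responseStatus") or {}).get("code") == 403]

def secret_reads(events):
    """Every successful request to a Secret, with the caller's source address."""
    return [describe(e) + (tuple(e.get("sourceIPs", ())),) for e in events
            if (e.get("objectRef") or {}).get("resource") == "secrets"
            and (e.get("responseStatus") or {}).get("code", 0) < 400]

def activity(events):
    """How often each (user, verb) pair shows up; a quick baseline per principal."""
    return Counter((e["user"]["username"], e["verb"]) for e in events)
```

Against a real file, replace SAMPLE_LOG with the contents of /var/log/kube-audit/audit.log; the 403 entries are exactly the requests the RBAC rules from the previous section refused.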

Audit policy

Now about the file describing the audit policy. The first concept of the audit policy is level, the level of logging. They are as follows:

  • None - do not log;
  • Metadata - log the request metadata: user, request time, target resource (pod, namespace, etc.), action type (verb), etc.;
  • Request - log the metadata and the request body;
  • RequestResponse - log the metadata, the request body and the response body.

The last two levels (Request and RequestResponse) do not log requests that do not access resources (calls to the so-called non-resource URLs).

And every request goes through several stages:

  • RequestReceived - the stage when the request has been received by the handler but not yet passed further along the chain of handlers;
  • ResponseStarted - the response headers have been sent, but the response body has not yet been. Generated for long-running requests (for example, watch);
  • ResponseComplete - the response body has been sent, no more data will follow;
  • Panic - events generated when an abnormal situation is detected.

To skip stages, use omitStages.

In a policy file, we can describe several sections with different levels. The first matching rule found in the policy description is applied.

The kubelet daemon watches for changes in the manifest with the api-server configuration and, if it detects any, restarts the container with the api-server. But there is an important point: changes to the policy file are ignored by it. After changing the policy file, you have to restart the api-server manually. Since the api-server is started as a static pod, the kubectl delete command will not make it restart. You will have to run docker stop manually on the kube-masters where the audit policy was changed:

docker stop $(docker ps | grep k8s_kube-apiserver | awk '{print $1}')

When enabling auditing, it is important to keep in mind that the load on kube-apiserver increases. In particular, memory consumption for storing the request context grows. Logging starts only after the response headers have been sent. The load also depends on the audit policy configuration.

Policy examples

Let's look at the structure of policy files using examples.

Here is a simple policy that logs everything at the Metadata level:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata

In a policy you can specify a list of users (Users and ServiceAccounts) and user groups. For example, this is how we can ignore system users but log everything else at the Request level:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: None
    userGroups:
      - "system:serviceaccounts"
      - "system:nodes"
    users:
      - "system:anonymous"
      - "system:apiserver"
      - "system:kube-controller-manager"
      - "system:kube-scheduler"
  - level: Request

You can also describe the targets:

  • namespaces;
  • verbs (get, update, delete, etc.);
  • resources (pod, configmaps, etc.) and resource groups (apiGroups).

Note! Resources and resource groups (API groups, i.e. apiGroups), as well as their versions installed in the cluster, can be obtained with the commands:

kubectl api-resources
kubectl api-versions

The following audit policy is given as a best-practice guide in the Alibaba Cloud documentation:

apiVersion: audit.k8s.io/v1beta1
kind: Policy
# Do not log the RequestReceived stage
omitStages:
  - "RequestReceived"
rules:
  # Do not log events considered insignificant and not dangerous:
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: "" # this is the api group with the empty name, to which the
                  # basic Kubernetes resources, called "core", belong
        resources: ["endpoints", "services"]
  - level: None
    users: ["system:unsecured"]
    namespaces: ["kube-system"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["configmaps"]
  - level: None
    users: ["kubelet"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    users:
      - system:kube-controller-manager
      - system:kube-scheduler
      - system:serviceaccount:kube-system:endpoint-controller
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # core
        resources: ["endpoints"]
  - level: None
    users: ["system:apiserver"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["namespaces"]
  # Do not log calls to read-only URLs:
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*
  # Do not log messages related to the "events" resource type:
  - level: None
    resources:
      - group: "" # core
        resources: ["events"]
  # Resources of type Secret, ConfigMap and TokenReview may contain secret data,
  # so we log only the metadata of the requests related to them
  - level: Metadata
    resources:
      - group: "" # core
        resources: ["secrets", "configmaps"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
  # Actions of type get, list and watch can be resource-intensive; their responses are not logged
  - level: Request
    verbs: ["get", "list", "watch"]
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default logging level for the standard API resources
  - level: RequestResponse
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default logging level for all other requests
  - level: Metadata
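
The ordering rule stated earlier (the first matching rule wins) is what makes a policy like this work: every "level: None" exclusion must come before the catch-all at the end, or it is never reached. Here is an added example of my own (not from the article, Alibaba Cloud or Kubernetes) that models that selection, including omitStages, over a constructed cut-down version of the policy above; rule and level names are those of the policy format, the helper names are mine.

```python
# Added example, not from the article: a model of how the api-server picks the
# audit level for a request. Rules are tried in the order written and the first
# match wins, so the "level: None" exclusions must come before any catch-all.
# POLICY is a constructed cut-down version of the policy above.

def _url_matches(pattern, url):
    # nonResourceURLs allow "*" only as the final step of the path (e.g. "/healthz*")
    return url.startswith(pattern[:-1]) if pattern.endswith("*") else url == pattern

def _resource_matches(entries, ev):
    for entry in entries:
        if entry.get("group", "") != ev["group"]:
            continue
        if not entry.get("resources") or ev["resource"] in entry["resources"]:
            return True    # an entry without "resources" covers the whole group
    return False

def rule_matches(rule, ev):
    """Every selector present in the rule must match; an absent selector matches all."""
    if rule.get("users") and ev["user"] not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(rule["userGroups"]) & set(ev.get("groups", ())):
        return False
    if rule.get("verbs") and ev["verb"] not in rule["verbs"]:
        return False
    if rule.get("namespaces") and ev.get("namespace", "") not in rule["namespaces"]:
        return False
    if "nonResourceURLs" in rule:   # such a rule never matches a resource request
        return "url" in ev and any(_url_matches(p, ev["url"]) for p in rule["nonResourceURLs"])
    if "resources" in rule:         # and a resource rule never matches /healthz etc.
        return "resource" in ev and _resource_matches(rule["resources"], ev)
    return True

def matching_rule(policy, ev):
    """The first rule in policy order that matches, or None when nothing does."""
    return next((r for r in policy["rules"] if rule_matches(r, ev)), None)

def audit_level(policy, ev):
    rule = matching_rule(policy, ev)
    return rule["level"] if rule else "None"   # unmatched requests are not logged

def audit_events(policy, ev, stages):
    """The (stage, level) records emitted for one request, honouring omitStages."""
    rule = matching_rule(policy, ev)
    if rule is None or rule["level"] == "None":
        return []
    omitted = set(policy.get("omitStages", ())) | set(rule.get("omitStages", ()))
    return [(stage, rule["level"]) for stage in stages if stage not in omitted]

POLICY = {
    "omitStages": ["RequestReceived"],
    "rules": [
        {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
         "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
        {"level": "None", "nonResourceURLs": ["/healthz*", "/version"]},
        {"level": "Metadata",   # never let Secret/ConfigMap bodies into the log
         "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
        {"level": "RequestResponse", "resources": [{"group": ""}, {"group": "apps"}]},
        {"level": "Metadata"},  # catch-all: everything else gets metadata only
    ],
}

def level_for(user, verb, group="", resource=None, namespace="", url=None, groups=()):
    """Convenience wrapper building the event dict the functions above expect."""
    ev = {"user": user, "verb": verb, "namespace": namespace, "groups": list(groups)}
    if url is not None:
        ev["url"] = url
    else:
        ev.update(group=group, resource=resource)
    return audit_level(POLICY, ev)
```

Swapping the Metadata rule for secrets below the RequestResponse rule for the core group is the classic mistake this catches: the same request would then be logged with its body, i.e. the secret's contents, in the audit log.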

Another good example of an audit policy is the profile used in GCE.

To react quickly to audit events, it is possible to describe a webhook. This topic is covered in the official documentation; I will leave it outside the scope of this article.

Summary

The article presents the basics of the security mechanisms in a Kubernetes cluster that let you create personal user accounts, separate their rights, and log their actions. I hope it will be useful to those who have run into such questions in theory or in practice. I also recommend reading the list of other materials on security in Kubernetes given in the "PS": perhaps among them you will find the necessary details on the problems that concern you.

PS

Read also on our blog:

Source: www.hab.com
