Sooner or later, in the operation of any system, the question of security comes up: providing authentication, separating permissions, auditing and other tasks. Much has already been created for Kubernetes
Authentication
There are two types of users in Kubernetes:
- Service Accounts - accounts managed by the Kubernetes API;
- Users - "ordinary" users managed by external, independent services.
The key difference between these types is that for Service Accounts there are special objects in the Kubernetes API (they are called just that, ServiceAccounts), which are bound to a namespace and to a set of authorization data stored in the cluster in objects of type Secret. Such users (Service Accounts) are mainly intended to manage the access rights to the Kubernetes API of processes running inside the Kubernetes cluster.
Ordinary users have no entries in the Kubernetes API: they must be managed by external mechanisms. They are intended for people or for processes living outside the cluster.
Every API request is associated with either a Service Account, a User, or is considered anonymous.
The authentication data of a user includes:
- Username - the user name (case sensitive!);
- UID - a machine-readable user identification string that is "more consistent and unique than the username";
- Groups - the list of groups the user belongs to;
- Extra - additional fields that can be used by the authorization mechanism.
Kubernetes can use a large number of authentication mechanisms: X509 certificates, Bearer tokens, an authenticating proxy, HTTP Basic Auth. Using these mechanisms, you can implement a large number of authorization schemes: from a static file with passwords to OpenID OAuth2.
Moreover, several authorization schemes can be used at the same time. By default, the cluster uses:
- service account tokens - for Service Accounts;
- X509 - for Users.
The question of managing ServiceAccounts is beyond the scope of this article, but for those who want to get acquainted with this topic in more detail, I recommend starting with
Certificates for users (X.509)
The classic way of working with certificates consists of:
- generating a key:
mkdir -p ~/.certs/
openssl genrsa -out ~/.certs/mynewuser.key 2048
- creating a certificate signing request:
openssl req -new -key ~/.certs/mynewuser.key -out ~/.certs/mynewuser.csr -subj "/CN=mynewuser/O=company"
- signing the request with the Kubernetes cluster CA key, which yields the user certificate (to obtain the certificate you need an account that has access to the cluster CA key, by default located at /etc/kubernetes/pki/ca.key):
openssl x509 -req -in ~/.certs/mynewuser.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out ~/.certs/mynewuser.crt -days 500
- creating the configuration file:
  - cluster description (specify the address and the location of the CA certificate file for a particular cluster configuration):
kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server=https://192.168.100.200:6443
  - or, as a not recommended option, you can omit the root certificate (then kubectl will not verify the authenticity of the cluster's api-server):
kubectl config set-cluster kubernetes --insecure-skip-tls-verify=true --server=https://192.168.100.200:6443
  - adding the user to the configuration file:
kubectl config set-credentials mynewuser --client-certificate=.certs/mynewuser.crt --client-key=.certs/mynewuser.key
  - adding a context:
kubectl config set-context mynewuser-context --cluster=kubernetes --namespace=target-namespace --user=mynewuser
  - setting the default context:
kubectl config use-context mynewuser-context
After the manipulations above, a config like this will be created in the file .kube/config:
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/pki/ca.crt
    server: https://192.168.100.200:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: target-namespace
    user: mynewuser
  name: mynewuser-context
current-context: mynewuser-context
kind: Config
preferences: {}
users:
- name: mynewuser
  user:
    client-certificate: /home/mynewuser/.certs/mynewuser.crt
    client-key: /home/mynewuser/.certs/mynewuser.key
To make it easier to move the config between accounts and servers, it is advisable to change the values of the following keys:
- certificate-authority
- client-certificate
- client-key
To do this, you can base64-encode the files they point to and put the result into the config, adding the suffix -data to the key names, i.e. obtaining certificate-authority-data and so on.
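To see concretely what the -data embedding does, here is an added Python example (not code from the article): it takes a kubeconfig in the shape shown above, reads the three referenced files and replaces each path with its base64 "-data" counterpart. The certificate and key contents are constructed placeholders, the temporary directory is created by the script, and the result is printed as JSON, which kubectl reads as a kubeconfig because JSON is valid YAML.

```python
import base64
import json
import os
import tempfile

# Constructed stand-ins for the three files the text refers to (not real keys).
CA_PEM = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA-CERT\n-----END CERTIFICATE-----\n"
CLIENT_CRT_PEM = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CLIENT-CERT\n-----END CERTIFICATE-----\n"
CLIENT_KEY_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-CLIENT-KEY\n-----END RSA PRIVATE KEY-----\n"

# Keys that kubectl accepts either as a file path or, with the "-data"
# suffix, as the base64-encoded file contents.
FILE_KEYS = ("certificate-authority", "client-certificate", "client-key")


def embed_file_data(section):
    """Return a copy of one cluster/user section in which every file-path key
    from FILE_KEYS is replaced by its "<key>-data" base64 counterpart."""
    out = dict(section)
    for key in FILE_KEYS:
        path = out.pop(key, None)
        if path is None:
            continue
        with open(path, "rb") as fh:
            out[key + "-data"] = base64.b64encode(fh.read()).decode("ascii")
    return out


def inline_kubeconfig(config):
    """Make a kubeconfig self-contained so it can be copied between accounts
    and machines without carrying the referenced files along."""
    result = json.loads(json.dumps(config))  # deep copy, leave the input untouched
    for entry in result.get("clusters", []):
        entry["cluster"] = embed_file_data(entry["cluster"])
    for entry in result.get("users", []):
        entry["user"] = embed_file_data(entry["user"])
    return result


def decoded(section, key):
    """Decode "<key>-data" back to bytes (used to check the round trip)."""
    return base64.b64decode(section[key + "-data"])


def demo():
    """Write the constructed files to a temp dir, build a config shaped like
    the one in the text, and return its inlined form."""
    certs = tempfile.mkdtemp(prefix="certs-")
    paths = {}
    for name, data in (("ca.crt", CA_PEM), ("mynewuser.crt", CLIENT_CRT_PEM),
                       ("mynewuser.key", CLIENT_KEY_PEM)):
        paths[name] = os.path.join(certs, name)
        with open(paths[name], "wb") as fh:
            fh.write(data)
    config = {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": "kubernetes", "cluster": {
            "certificate-authority": paths["ca.crt"],
            "server": "https://192.168.100.200:6443"}}],
        "users": [{"name": "mynewuser", "user": {
            "client-certificate": paths["mynewuser.crt"],
            "client-key": paths["mynewuser.key"]}}],
        "contexts": [{"name": "mynewuser-context", "context": {
            "cluster": "kubernetes", "namespace": "target-namespace",
            "user": "mynewuser"}}],
        "current-context": "mynewuser-context",
    }
    return inline_kubeconfig(config)


if __name__ == "__main__":
    # JSON is valid YAML, so kubectl reads the printed document via KUBECONFIG.
    print(json.dumps(demo(), indent=2))
```

Note that the inlined file now carries the private key itself, so it deserves the same file permissions as the key did.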
Certificates with kubeadm
Running
kubeadm alpha kubeconfig user --client-name=mynewuser --apiserver-advertise-address 192.168.100.200
NB: The required advertise address can be found in the api-server config, which by default is located at /etc/kubernetes/manifests/kube-apiserver.yaml.
The resulting config is printed to stdout. It must be saved to ~/.kube/config of the user account or to the file specified in the KUBECONFIG environment variable.
Dig Deeper
For those who want to understand the described topics in more detail:
- a separate article on working with certificates in the official Kubernetes documentation;
- a good article from Bitnami, in which the topic of certificates is covered from its conceptual foundations;
- the general documentation on authentication in Kubernetes.
Authorization
By default, an authenticated account has no rights to operate on the cluster. To grant permissions, Kubernetes uses an authorization mechanism.
Before version 1.6, Kubernetes used an authorization mode called ABAC (Attribute-based access control). Details about it can be found in
The current (and flexibly configurable) way of distributing access rights to the cluster is called RBAC (
To enable RBAC, the Kubernetes api-server must be started with the parameter --authorization-mode=RBAC. The parameters are set in the manifest with the api-server configuration, which by default lives at /etc/kubernetes/manifests/kube-apiserver.yaml, in the command section. However, RBAC is already enabled by default, so most likely you will not have to worry about it: you can verify this by the value of authorization-mode (in the already mentioned kube-apiserver.yaml). By the way, its value may list other authorization modes (node, webhook, always allow), but we will leave them outside the scope of this material.
By the way, we have already published
The following API entities are used to manage access in Kubernetes at the RBAC level:
- Role and ClusterRole - roles that describe access rights:
  - Role lets you describe rights within a namespace;
  - ClusterRole - within the whole cluster, including cluster-specific objects such as nodes and non-resource urls (i.e. not tied to Kubernetes resources - for example, /version, /logs, /api*);
- RoleBinding and ClusterRoleBinding - used to bind a Role or ClusterRole to a user, a group of users or a ServiceAccount.
The Role and RoleBinding entities are limited by a namespace, i.e. they must be in the same namespace. A RoleBinding may, however, reference a ClusterRole, which lets you create a set of generic permissions and control their use per namespace.
Roles describe rights using sets of rules that contain:
- API groups - see the official documentation on apiGroups and the output of kubectl api-resources;
- resources (pod, namespace, deployment, etc.);
- verbs (set, update, etc.);
- resource names (resourceNames) - for the case when you need to grant access to a specific resource rather than to all resources of that type.
A more detailed study of authorization in Kubernetes can be found on the page
Examples of RBAC configurations
A simple Role that allows getting the list and status of pods and watching them in the namespace target-namespace:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: target-namespace
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
Example of a ClusterRole that allows getting the list and status of pods and watching them throughout the cluster:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # there is no "namespace" section, since a ClusterRole applies to the whole cluster
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
Example of a RoleBinding that allows the user mynewuser to "read" pods in the namespace my-namespace:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: target-namespace
subjects:
- kind: User
  name: mynewuser # the user name is case sensitive!
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role # this must be "Role" or "ClusterRole"
  name: pod-reader # the name of the Role located in the same namespace,
                   # or the name of the ClusterRole whose use
                   # we want to grant to the user
  apiGroup: rbac.authorization.k8s.io
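The namespace scoping described earlier (a Role binds only inside its namespace, a RoleBinding may reference a ClusterRole but still grants only within the binding's namespace, and RBAC never denies, it only grants) is easy to misread in manifests. The following Python is an added example, not code from the article or from Kubernetes: a toy authorizer over the three objects above plus one constructed RoleBinding that attaches the secret-reader ClusterRole to a constructed group "auditors". With the X.509 flow from the first section, the username comes from the certificate's CN and the groups from its O field, which is why the calls below pass "company" as the group.

```python
"""Toy RBAC evaluator over Role/ClusterRole/RoleBinding/ClusterRoleBinding
objects written as Python dicts in the same shape as the YAML above."""

POD_READER = {  # the Role from the text
    "kind": "Role",
    "metadata": {"namespace": "target-namespace", "name": "pod-reader"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}],
}
SECRET_READER = {  # the ClusterRole from the text
    "kind": "ClusterRole",
    "metadata": {"name": "secret-reader"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}],
}
READ_PODS = {  # the RoleBinding from the text
    "kind": "RoleBinding",
    "metadata": {"name": "read-pods", "namespace": "target-namespace"},
    "subjects": [{"kind": "User", "name": "mynewuser"}],
    "roleRef": {"kind": "Role", "name": "pod-reader"},
}
# Constructed for this example: a RoleBinding that references the ClusterRole,
# which grants secret-reader rights only inside target-namespace.
READ_SECRETS_NS = {
    "kind": "RoleBinding",
    "metadata": {"name": "read-secrets", "namespace": "target-namespace"},
    "subjects": [{"kind": "Group", "name": "auditors"}],
    "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
}

ROLES = [POD_READER]
CLUSTER_ROLES = [SECRET_READER]
ROLE_BINDINGS = [READ_PODS, READ_SECRETS_NS]
CLUSTER_ROLE_BINDINGS = []


def _allows(values, wanted):
    return "*" in values or wanted in values


def rule_matches(rule, api_group, resource, verb, name):
    """One rule grants the request when every listed dimension matches
    ("*" is a wildcard; an absent resourceNames list means any name)."""
    if not _allows(rule.get("apiGroups", []), api_group):
        return False
    if not _allows(rule.get("resources", []), resource):
        return False
    if not _allows(rule.get("verbs", []), verb):
        return False
    names = rule.get("resourceNames")
    return not names or name in names


def subject_matches(subject, username, groups):
    """Bindings name Users, Groups or ServiceAccounts; a ServiceAccount reaches
    the authorizer as the user system:serviceaccount:<namespace>:<name>."""
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == username
    if kind == "Group":
        return subject["name"] in groups
    if kind == "ServiceAccount":
        return username == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return False


def rules_for(role_ref, binding_namespace):
    """Resolve roleRef: a Role must live in the binding's namespace, while a
    ClusterRole is looked up cluster-wide."""
    if role_ref["kind"] == "Role":
        return next((r["rules"] for r in ROLES
                     if r["metadata"]["name"] == role_ref["name"]
                     and r["metadata"]["namespace"] == binding_namespace), [])
    return next((r["rules"] for r in CLUSTER_ROLES
                 if r["metadata"]["name"] == role_ref["name"]), [])


def can(username, groups, verb, resource, namespace=None, api_group="", name=None):
    """Decide a request the way RBAC does: any matching binding whose role has
    a matching rule grants it; nothing ever denies."""
    bindings = [(b, None) for b in CLUSTER_ROLE_BINDINGS]  # apply everywhere
    if namespace is not None:
        bindings += [(b, namespace) for b in ROLE_BINDINGS  # only their own namespace
                     if b["metadata"]["namespace"] == namespace]
    for binding, ns in bindings:
        if not any(subject_matches(s, username, groups) for s in binding["subjects"]):
            continue
        if any(rule_matches(r, api_group, resource, verb, name)
               for r in rules_for(binding["roleRef"], ns)):
            return True
    return False


if __name__ == "__main__":
    print(can("mynewuser", ["company"], "list", "pods", "target-namespace"))   # True
    print(can("mynewuser", ["company"], "get", "secrets", "target-namespace"))  # False
    print(can("alice", ["auditors"], "get", "secrets", "kube-system"))          # False
```

A cluster-wide request (no namespace, such as listing secrets across all namespaces) is only ever granted through a ClusterRoleBinding, which is why the RoleBinding to secret-reader does not let the auditors group list secrets without a namespace.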
Audit
Schematically, the Kubernetes architecture can be represented as follows:
The key Kubernetes component responsible for processing requests is the api-server. All operations on the cluster go through it. You can read more about these internal processes in the article "
System auditing is an interesting feature of Kubernetes that is disabled by default. It lets you log all calls to the Kubernetes API. As you might guess, all actions related to monitoring and changing the state of the cluster are performed through this API. A good description of its capabilities can (as usual) be found in
So, to enable auditing, we need to pass three required parameters to the container with the api-server; they are described in more detail below:
- --audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml
- --audit-log-path=/var/log/kube-audit/audit.log
- --audit-log-format=json
Besides these three required parameters, there are many additional audit-related settings: from log rotation to webhook descriptions. Example log rotation parameters:
- --audit-log-maxbackup=10
- --audit-log-maxsize=100
- --audit-log-maxage=7
But we will not dwell on them in more detail - you can find all the details in
As already mentioned, all parameters are set in the manifest with the api-server configuration (by default /etc/kubernetes/manifests/kube-apiserver.yaml), in the command section. Let us return to the 3 required parameters and examine them:
- audit-policy-file - the path to the YAML file describing the audit policy. We will return to its contents later, but for now I will note that the file must be readable by the api-server process. Therefore it has to be mounted into the container, for which you can add the following code to the appropriate sections of the configuration:
volumeMounts:
  - mountPath: /etc/kubernetes/policies
    name: policies
    readOnly: true
volumes:
  - hostPath:
      path: /etc/kubernetes/policies
      type: DirectoryOrCreate
    name: policies
- audit-log-path - the path to the log file. The path must be accessible to the api-server process, so we describe its mount in the same way:
volumeMounts:
  - mountPath: /var/log/kube-audit
    name: logs
    readOnly: false
volumes:
  - hostPath:
      path: /var/log/kube-audit
      type: DirectoryOrCreate
    name: logs
- audit-log-format - the audit log format. The default is json, but the legacy text format is also available (legacy).
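As an added example (not from the article), the Python below parses audit events in the json format just described and pulls out two things a defender reads off the audit log: successful reads of sensitive resources by non-system users, and users accumulating 403 responses, which is what a permission probe looks like in the log. The log lines are constructed for this example in the audit.k8s.io/v1 Event shape the api-server writes; the auditIDs, IP addresses, names and timestamps are made up.

```python
import json
from collections import Counter

# Constructed audit.k8s.io/v1 events, one JSON object per line, as written by
# --audit-log-format=json. Not a real cluster's log; the last line is deliberately
# broken to show that the parser skips it.
SAMPLE_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"00000000-0000-0000-0000-000000000001","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/target-namespace/pods?limit=500","verb":"list","user":{"username":"mynewuser","groups":["company","system:authenticated"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","namespace":"target-namespace","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2019-01-01T10:00:00.000000Z","stageTimestamp":"2019-01-01T10:00:00.010000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"00000000-0000-0000-0000-000000000002","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/target-namespace/secrets/db-password","verb":"get","user":{"username":"mynewuser","groups":["company","system:authenticated"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"secrets","namespace":"target-namespace","name":"db-password","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":403},"requestReceivedTimestamp":"2019-01-01T10:00:01.000000Z","stageTimestamp":"2019-01-01T10:00:01.005000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"00000000-0000-0000-0000-000000000003","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets?limit=500","verb":"list","user":{"username":"mynewuser","groups":["company","system:authenticated"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"secrets","namespace":"kube-system","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":403},"requestReceivedTimestamp":"2019-01-01T10:00:02.000000Z","stageTimestamp":"2019-01-01T10:00:02.004000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"00000000-0000-0000-0000-000000000004","stage":"ResponseStarted","requestURI":"/api/v1/namespaces/target-namespace/pods?watch=true","verb":"watch","user":{"username":"mynewuser","groups":["company","system:authenticated"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","namespace":"target-namespace","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2019-01-01T10:00:03.000000Z","stageTimestamp":"2019-01-01T10:00:03.001000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"00000000-0000-0000-0000-000000000005","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets/bootstrap-token","verb":"get","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["192.168.100.200"],"objectRef":{"resource":"secrets","namespace":"kube-system","name":"bootstrap-token","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2019-01-01T10:00:04.000000Z","stageTimestamp":"2019-01-01T10:00:04.002000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"00000000-0000-0000-0000-000000000006","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/target-namespace/secrets/app-tls","verb":"get","user":{"username":"alice","groups":["auditors","system:authenticated"]},"sourceIPs":["10.0.0.9"],"objectRef":{"resource":"secrets","namespace":"target-namespace","name":"app-tls","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2019-01-01T10:00:05.000000Z","stageTimestamp":"2019-01-01T10:00:05.003000Z"}
this line is not JSON and must be skipped rather than crash the parser
"""

# Resource types whose contents are sensitive (the same ones the best-practice
# policy later in the text logs at Metadata level only).
SENSITIVE_RESOURCES = {"secrets", "configmaps", "tokenreviews"}


def parse_audit_lines(text):
    """Yield one event dict per well-formed JSON line; ignore anything else."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("kind") == "Event":
            yield event


def is_system_user(event):
    return event["user"]["username"].startswith("system:")


def summarize(events):
    """Who touched sensitive resources (humans only, system components excluded)
    and who is collecting 403s."""
    sensitive_reads = []
    forbidden = Counter()
    for ev in events:
        # A request can appear at several stages; count each request once.
        if ev["stage"] != "ResponseComplete":
            continue
        ref = ev.get("objectRef") or {}
        code = (ev.get("responseStatus") or {}).get("code", 0)
        user = ev["user"]["username"]
        if code == 403:
            forbidden[user] += 1
        if code == 200 and ref.get("resource") in SENSITIVE_RESOURCES and not is_system_user(ev):
            sensitive_reads.append((user, ev["verb"], ref.get("namespace"), ref.get("name")))
    return {"sensitive_reads": sensitive_reads, "forbidden_by_user": dict(forbidden)}


def analyse(text=SAMPLE_LOG):
    return summarize(parse_audit_lines(text))


if __name__ == "__main__":
    print(json.dumps(analyse(), indent=2))
```

Because only Metadata is needed for both checks, they work even with the most conservative policy; the request and response bodies are not consulted.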
Audit policy
Now about the file describing the audit policy. The first concept of the audit policy is level, the logging level. The levels are:
- None - do not log;
- Metadata - log request metadata: the user, request time, target resource (pod, namespace, etc.), action type (verb), etc.;
- Request - log metadata and the request body;
- RequestResponse - log metadata, the request body and the response body.
The last two levels (Request and RequestResponse) do not log requests that do not access resources (access to the so-called non-resource urls).
Also, every request passes through several stages:
- RequestReceived - the stage when the request has been received by the handler and has not yet been passed further along the handler chain;
- ResponseStarted - the response headers have been sent, but the response body has not yet. Generated for long-running requests (e.g. watch);
- ResponseComplete - the response body has been sent, no more data will follow;
- Panic - events generated when an abnormal situation is detected.
Stages can be skipped with omitStages.
In the policy file we can describe several sections with different logging levels. The first matching rule found in the policy description is applied.
The kubelet daemon monitors changes in the manifest with the api-server configuration and, if it detects any, restarts the container with the api-server. But there is an important point: it ignores changes to the policy file. After changing the policy file, the api-server must be restarted manually. Since the api-server runs as a static pod, kubectl delete will not cause it to restart. You have to do a manual docker stop on the kube-masters where the audit policy was changed:
docker stop $(docker ps | grep k8s_kube-apiserver | awk '{print $1}')
When enabling auditing, it is important to remember that the load on kube-apiserver grows. In particular, memory consumption for storing the request context increases. Logging begins only after the response headers have been sent. The load also depends on the audit policy configuration.
Policy examples
Let us look at the structure of policy files using examples.
Here is a simple policy to log everything at the Metadata level:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
In a policy you can specify a list of users (Users and ServiceAccounts) and user groups. For example, this is how we ignore system users but log everything else at the Request level:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: None
  userGroups:
  - "system:serviceaccounts"
  - "system:nodes"
  users:
  - "system:anonymous"
  - "system:apiserver"
  - "system:kube-controller-manager"
  - "system:kube-scheduler"
- level: Request
It is also possible to describe targets:
- namespaces (namespaces);
- verbs (get, update, delete, etc.);
- resources (pod, configmaps, etc.) and resource groups (apiGroups).
Attention! Resources and resource groups (API groups, i.e. apiGroups), together with their versions installed in the cluster, can be obtained with the commands:
kubectl api-resources
kubectl api-versions
The following audit policy is given as an illustration of best practices in
apiVersion: audit.k8s.io/v1beta1
kind: Policy
# Do not log the RequestReceived stage
omitStages:
  - "RequestReceived"
rules:
  # Do not log events considered insignificant and harmless:
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: "" # this is the API group with the empty name, to which
        # the basic Kubernetes resources, called "core", belong
        resources: ["endpoints", "services"]
  - level: None
    users: ["system:unsecured"]
    namespaces: ["kube-system"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["configmaps"]
  - level: None
    users: ["kubelet"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    users:
      - system:kube-controller-manager
      - system:kube-scheduler
      - system:serviceaccount:kube-system:endpoint-controller
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # core
        resources: ["endpoints"]
  - level: None
    users: ["system:apiserver"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["namespaces"]
  # Do not log requests to read-only URLs:
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*
  # Do not log messages related to the "events" resource type:
  - level: None
    resources:
      - group: "" # core
        resources: ["events"]
  # Resources of type Secret, ConfigMap and TokenReview may contain sensitive data,
  # so log only the metadata of the requests related to them
  - level: Metadata
    resources:
      - group: "" # core
        resources: ["secrets", "configmaps"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
  # Actions of type get, list and watch can be resource-intensive; do not log them in full
  - level: Request
    verbs: ["get", "list", "watch"]
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default logging level for standard API resources
  - level: RequestResponse
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default logging level for all other requests
  - level: Metadata
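To check how a policy like the one above is interpreted, here is an added Python example (not from the article or from Kubernetes) that applies a condensed copy of that policy to sample requests with the same semantics: omitStages suppresses the stage entirely, the first matching rule wins, a rule with no selectors matches everything, a rule listing resources never matches a non-resource URL and vice versa, and a trailing * in nonResourceURLs is a prefix wildcard. The request dicts are constructed; the downgrade to Metadata for non-resource URLs follows the note earlier in the text that Request and RequestResponse do not apply to them.

```python
# Condensed copy of the best-practice policy above, as Python dicts
# (constructed for this example; the rule order, which decides matches, is kept).
POLICY = {
    "omitStages": ["RequestReceived"],
    "rules": [
        {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
         "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
        {"level": "None", "users": ["system:unsecured"], "namespaces": ["kube-system"],
         "verbs": ["get"], "resources": [{"group": "", "resources": ["configmaps"]}]},
        {"level": "None", "userGroups": ["system:nodes"], "verbs": ["get"],
         "resources": [{"group": "", "resources": ["nodes"]}]},
        {"level": "None", "nonResourceURLs": ["/healthz*", "/version", "/swagger*"]},
        {"level": "None", "resources": [{"group": "", "resources": ["events"]}]},
        {"level": "Metadata", "resources": [{"group": "", "resources": ["secrets", "configmaps"]},
                                            {"group": "authentication.k8s.io", "resources": ["tokenreviews"]}]},
        {"level": "Request", "verbs": ["get", "list", "watch"],
         "resources": [{"group": ""}, {"group": "apps"}, {"group": "rbac.authorization.k8s.io"}]},
        {"level": "RequestResponse",
         "resources": [{"group": ""}, {"group": "apps"}, {"group": "rbac.authorization.k8s.io"}]},
        {"level": "Metadata"},  # catch-all: a rule with no selectors matches everything
    ],
}


def _url_matches(pattern, url):
    """nonResourceURLs allow '*' only as a trailing wildcard."""
    if pattern.endswith("*"):
        return url.startswith(pattern[:-1])
    return url == pattern


def _resource_matches(rule, req):
    """rule.resources is a list of {group, resources}; an entry without a
    resources list covers every resource in that API group."""
    if "nonResourceURLs" in rule:
        return False  # such a rule only ever matches non-resource requests
    if "resources" not in rule:
        return True
    for gr in rule["resources"]:
        if gr.get("group", "") != req.get("group", ""):
            continue
        if not gr.get("resources") or req["resource"] in gr["resources"]:
            return True
    return False


def _non_resource_matches(rule, req):
    if "resources" in rule:
        return False  # a resource rule never matches a non-resource URL
    if "nonResourceURLs" not in rule:
        return True
    return any(_url_matches(p, req["url"]) for p in rule["nonResourceURLs"])


def rule_matches(rule, req):
    """Every selector present on the rule must match; absent selectors match anything."""
    if "users" in rule and req["user"] not in rule["users"]:
        return False
    if "userGroups" in rule and not set(req.get("groups", [])) & set(rule["userGroups"]):
        return False
    if "verbs" in rule and req["verb"] not in rule["verbs"]:
        return False
    if "namespaces" in rule and req.get("namespace") not in rule["namespaces"]:
        return False
    if "url" in req:  # non-resource request, e.g. GET /healthz
        return _non_resource_matches(rule, req)
    return _resource_matches(rule, req)


def audit_level(policy, req, stage="ResponseComplete"):
    """Level at which this request is logged at this stage: first matching
    rule wins; an omitted stage or no matching rule gives 'None'."""
    if stage in policy.get("omitStages", []):
        return "None"
    for rule in policy["rules"]:
        if rule_matches(rule, req):
            level = rule["level"]
            # Bodies are not recorded for non-resource URLs, so those are
            # effectively capped at Metadata.
            if "url" in req and level in ("Request", "RequestResponse"):
                return "Metadata"
            return level
    return "None"


if __name__ == "__main__":
    req = {"user": "mynewuser", "groups": ["company"], "verb": "get",
           "group": "", "resource": "secrets", "namespace": "target-namespace"}
    print(audit_level(POLICY, req))  # Metadata
```

The ordering matters: the Metadata rule for secrets and configmaps sits before the broad Request and RequestResponse rules, so a secret read is never written to the log with its body, while a pod creation by the same user lands at RequestResponse.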
Another good example of an audit policy is
To react quickly to audit events, a webhook can be described. This topic is covered in
Conclusions
The article gives an overview of the basic security mechanisms in a Kubernetes cluster that let you create personal user accounts, separate their rights and log their actions. I hope it will be useful to those who have faced such problems in theory or in practice. I also recommend reading the list of other materials on Kubernetes security given in the "PS" section: perhaps among them you will find the details you need on the problems that are relevant to you.
PS
Also read on our blog:
- "33+ Kubernetes security tools";
- "An introduction to Kubernetes network policies for security professionals";
- "Understanding RBAC in Kubernetes";
- "9 best practices for Kubernetes security";
- "11 ways (not) to become a victim of a Kubernetes hack".
Source: www.hab.com