Diagnostics and debugging, enabling system logs, working with secrets and more: authentication, authorization, auditing and additional topics. An article written for Kubernetes.
Authentication
There are two types of users in Kubernetes:
- service accounts - accounts managed by the Kubernetes API;
- users - "regular" users that are managed by external services on their own.
The main difference is that service accounts have dedicated objects in the Kubernetes API (they are called exactly that: ServiceAccounts), which are bound to a namespace and to a set of credentials stored in the cluster as objects of type Secrets. Such users (service accounts) are mainly intended for controlling access to the Kubernetes API by processes that run inside the Kubernetes cluster.
Regular users have no entries in the Kubernetes API: they have to be managed by external mechanisms. They are intended for people or processes that live outside the cluster.
Every API request is associated either with a service account or with a user, or is treated as anonymous.
A user's authentication data consists of:
- username - the user name (case sensitive!);
- UID - a machine-readable user identifier that is "more consistent and unique than the username";
- groups - the list of groups the user belongs to;
- extra - additional fields that the authorization mechanism may use.
Kubernetes can use a large number of authentication mechanisms: X509 certificates, Bearer tokens, an authenticating proxy, HTTP Basic Auth. With these mechanisms you can implement a large number of authorization schemes: from a static file with passwords to OpenID OAuth2.
Moreover, several authorization schemes can be used at the same time. By default the cluster uses:
- service account tokens - for service accounts;
- X509 - for users.
Managing ServiceAccounts is outside the scope of this article; for those who want to study the topic in more detail, I recommend starting with the official documentation.
User certificates (X.509)
The classic way of working with X.509 certificates:
- Create a key:
mkdir -p ~/.certs/
openssl genrsa -out ~/.certs/mynewuser.key 2048
- Generate a certificate signing request:
openssl req -new -key ~/.certs/mynewuser.key -out ~/.certs/mynewuser.csr -subj "/CN=mynewuser/O=company"
- Sign the request with the CA keys of the Kubernetes cluster to obtain the user certificate (to obtain a certificate, the account running this step needs access to the CA key of the Kubernetes cluster, which by default is located at /etc/kubernetes/pki/ca.key):
openssl x509 -req -in ~/.certs/mynewuser.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out ~/.certs/mynewuser.crt -days 500
- Create the configuration file:
- Describe the cluster (give the address and the location of the CA certificate file for your specific cluster installation):
kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server=https://192.168.100.200:6443
- Or the not recommended option, in which the root certificate does not have to be given (then kubectl does not verify the identity of the cluster's API server):
kubectl config set-cluster kubernetes --insecure-skip-tls-verify=true --server=https://192.168.100.200:6443
- Add the user to the configuration file:
kubectl config set-credentials mynewuser --client-certificate=.certs/mynewuser.crt --client-key=.certs/mynewuser.key
- Add the context:
kubectl config set-context mynewuser-context --cluster=kubernetes --namespace=target-namespace --user=mynewuser
- Make the created context the default:
kubectl config use-context mynewuser-context
After these manipulations, the .kube/config file will contain a configuration like this:
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/pki/ca.crt
    server: https://192.168.100.200:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: target-namespace
    user: mynewuser
  name: mynewuser-context
current-context: mynewuser-context
kind: Config
preferences: {}
users:
- name: mynewuser
  user:
    client-certificate: /home/mynewuser/.certs/mynewuser.crt
    client-key: /home/mynewuser/.certs/mynewuser.key
To copy this configuration between accounts and servers, you will have to edit the values of the following keys:
- certificate-authority
- client-certificate
- client-key
Alternatively, the files they point to can be base64-encoded and written into the config directly, by adding the suffix -data to the key names: certificate-authority-data and so on.
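The -data form described above, as an added example that is not part of the original article: a Python helper that builds the same kubeconfig as the file shown earlier, with the three path keys replaced by base64-encoded *-data fields, and writes it out as JSON (which kubectl reads as YAML). The PEM contents are constructed placeholders, not real certificates or keys.

```python
import base64
import json

# Constructed stand-ins for the PEM files produced by the openssl steps above
# (ca.crt, mynewuser.crt, mynewuser.key); not real certificates or keys.
SAMPLE_CA = b"-----BEGIN CERTIFICATE-----\nMIIB...ca\n-----END CERTIFICATE-----\n"
SAMPLE_CRT = b"-----BEGIN CERTIFICATE-----\nMIIB...user\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...key\n-----END RSA PRIVATE KEY-----\n"


def pem_to_data(pem: bytes) -> str:
    # A *-data field holds the whole PEM file base64-encoded on one line
    return base64.b64encode(pem).decode("ascii")


def build_kubeconfig(server, ca_pem, crt_pem, key_pem, user="mynewuser",
                     cluster="kubernetes", namespace="target-namespace"):
    """Same structure as the .kube/config shown above, but the three path keys
    (certificate-authority, client-certificate, client-key) are replaced by
    their *-data equivalents, so the file can be copied to another host as-is."""
    ctx = f"{user}-context"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        "clusters": [{"name": cluster, "cluster": {
            "server": server, "certificate-authority-data": pem_to_data(ca_pem)}}],
        "users": [{"name": user, "user": {
            "client-certificate-data": pem_to_data(crt_pem),
            "client-key-data": pem_to_data(key_pem)}}],
        "contexts": [{"name": ctx, "context": {
            "cluster": cluster, "namespace": namespace, "user": user}}],
        "current-context": ctx,
    }


def to_kubeconfig_text(cfg: dict) -> str:
    # JSON is a subset of YAML, so kubectl loads this text unchanged
    return json.dumps(cfg, indent=2)


def path_keys_left(cfg: dict) -> list:
    """Any path-based keys still present; empty means nothing needs editing
    when the config is moved to another account or server."""
    wanted = {"certificate-authority", "client-certificate", "client-key"}
    found = [k for c in cfg["clusters"] for k in c["cluster"] if k in wanted]
    return found + [k for u in cfg["users"] for k in u["user"] if k in wanted]


def embedded_ca(cfg: dict) -> bytes:
    # Decode the embedded CA back to PEM, as kubectl does when it connects
    return base64.b64decode(cfg["clusters"][0]["cluster"]["certificate-authority-data"])
```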
Certificates with kubeadm
Since a certain release of kubeadm, the same can be done with a single command:
kubeadm alpha kubeconfig user --client-name=mynewuser --apiserver-advertise-address 192.168.100.200
NB: the required advertise address can be found in the API server configuration, which by default is located at /etc/kubernetes/manifests/kube-apiserver.yaml.
The resulting configuration is printed to stdout. It has to be saved to ~/.kube/config of the user account, or to the file named in the KUBECONFIG environment variable.
Digging deeper
For those who want to understand the problems described here more thoroughly:
- a separate article on working with certificates in the official Kubernetes documentation;
- an article by my colleague that covers the certificate topic from the practical side;
- the official documentation on authentication in Kubernetes.
Authorization
By default, an authenticated account has no rights to act in the cluster. To grant rights, Kubernetes implements an authorization mechanism.
Before version 1.6, Kubernetes used an authorization type called ABAC (attribute-based access control). Details can be found in the documentation.
The current (and more flexible) way of checking access rights in the cluster is called RBAC (role-based access control).
To enable RBAC, the Kubernetes api-server has to be started with the parameter --authorization-mode=RBAC. The parameters are set in the manifest with the API server configuration, which by default is located at /etc/kubernetes/manifests/kube-apiserver.yaml, in the command section. However, RBAC is already enabled by default, so most likely you do not need to worry about it: you can verify this by the value of authorization-mode (in the kube-apiserver.yaml already mentioned). By the way, other authorization types may appear among its values (node, webhook, always allow), but we leave them outside the scope of this article.
By the way, we have already published a separate article on RBAC (see the list at the end).
The main API entities used for access control in Kubernetes via RBAC:
- Role and ClusterRole - roles used to describe access rights:
  - Role allows describing rights within a namespace;
  - ClusterRole - within the whole cluster, including cluster-specific objects such as nodes and non-resource URLs (i.e. ones not tied to Kubernetes resources, for example /version, /logs, /api*);
- RoleBinding and ClusterRoleBinding - used to bind a Role or ClusterRole to a user, a group of users or a ServiceAccount.
The Role and RoleBinding entities are restricted by namespace, i.e. they must be in the same namespace. However, a RoleBinding may reference a ClusterRole, which lets you create a set of generic permissions and control access through them.
Roles describe rights using sets of rules that contain:
- API groups - see the official documentation on apiGroups and the output of kubectl api-resources;
- resources (resources: pod, namespace, deployment and so on);
- verbs (verbs: set, update and so on);
- resource names (resourceNames) - for the case when access must be granted to a specific resource rather than to all resources of that type.
A more detailed breakdown of Kubernetes authorization can be found in the official documentation.
Examples of RBAC entities
A simple Role that allows getting the list and status of pods and watching them in the namespace target-namespace:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: target-namespace
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
An example ClusterRole that grants the same read rights (get, watch, list) across the whole cluster:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # there is no "namespace" section, because a ClusterRole applies to the whole cluster
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
An example RoleBinding that allows the user mynewuser to "read" pods in its namespace:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: target-namespace
subjects:
- kind: User
  name: mynewuser # the user name is case sensitive!
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role # must be "Role" or "ClusterRole"
  name: pod-reader # name of the Role located in the same namespace,
                   # or name of the ClusterRole we want to let the user use
  apiGroup: rbac.authorization.k8s.io
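The Role/RoleBinding semantics above (a RoleBinding grants only inside its own namespace, a ClusterRoleBinding grants everywhere, and rules match on apiGroups, resources and verbs), as an added example that is not part of the original article: a small Python decision function over the pod-reader Role and read-pods RoleBinding shown above, plus a constructed ClusterRoleBinding for a hypothetical "ops" group. It is a simplified model of the RBAC authorizer, not Kubernetes code.

```python
# Roles and bindings transcribed from the YAML examples above (pod-reader,
# read-pods), plus a constructed ClusterRoleBinding for a hypothetical
# "ops" group so the cluster-wide path is exercised too.
ROLES = {  # (kind, namespace, name) -> rules
    ("Role", "target-namespace", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}],
    ("ClusterRole", None, "secret-reader"): [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}],
}
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "target-namespace",
     "subjects": [{"kind": "User", "name": "mynewuser"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "ClusterRoleBinding", "namespace": None,  # constructed, not on the page
     "subjects": [{"kind": "Group", "name": "ops"}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
]


def subject_matches(subject, user, groups):
    if subject["kind"] == "User":
        return subject["name"] == user  # case sensitive, as the comment above warns
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return False  # ServiceAccount subjects are left out of this model


def rule_allows(rule, verb, api_group, resource, name):
    def hit(values, wanted):
        return "*" in values or wanted in values
    names = rule.get("resourceNames")
    return (hit(rule["apiGroups"], api_group) and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb) and (not names or name in names))


def can(user, groups, verb, api_group, resource, namespace, name=None):
    """Decision for a namespaced resource request. A RoleBinding grants only
    inside its own namespace (even when it references a ClusterRole); a
    ClusterRoleBinding grants in every namespace. RBAC has no deny rules,
    so the first grant wins and a miss everywhere means denied."""
    for b in BINDINGS:
        if not any(subject_matches(s, user, groups) for s in b["subjects"]):
            continue
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        ref = b["roleRef"]
        # a Role must live in the binding's namespace; a ClusterRole has none
        key = (ref["kind"], b["namespace"] if ref["kind"] == "Role" else None, ref["name"])
        if any(rule_allows(r, verb, api_group, resource, name) for r in ROLES.get(key, [])):
            return True
    return False
```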
Audit
Simplified, the Kubernetes architecture can be pictured like this:
The Kubernetes component responsible for handling requests is the api server. All cluster operations go through it. You can read more about these internal mechanisms in a separate article.
Auditing is an interesting feature of Kubernetes, disabled by default. It lets you log all calls to the Kubernetes API. As you may guess, all operations related to monitoring and changing the cluster state are performed through this API. A good description of its capabilities can (as usual) be found in the official documentation.
Actually, to enable auditing it is enough to pass three required parameters to the API server container, described in more detail below:
- --audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml
- --audit-log-path=/var/log/kube-audit/audit.log
- --audit-log-format=json
Besides these three required parameters, there are many additional settings related to auditing: from log rotation to webhook descriptions. Example log rotation parameters:
- --audit-log-maxbackup=10
- --audit-log-maxsize=100
- --audit-log-maxage=7
We will not dwell on them in detail; all the details can be found in the documentation.
As already noted, all parameters are set in the manifest with the API server configuration (by default /etc/kubernetes/manifests/kube-apiserver.yaml), in the command section. Let's return to the 3 required parameters and go through them:
- audit-policy-file - the path to the YAML file describing the audit policy. We will come back to its contents later; for now note that the file must be readable by the API server process. Therefore it has to be mounted into the container, for which you can add the following to the corresponding sections of the configuration:
volumeMounts:
- mountPath: /etc/kubernetes/policies
  name: policies
  readOnly: true
volumes:
- hostPath:
    path: /etc/kubernetes/policies
    type: DirectoryOrCreate
  name: policies
- audit-log-path - the path to the log file. This path must also be accessible to the API server process, so its mount is described the same way:
volumeMounts:
- mountPath: /var/log/kube-audit
  name: logs
  readOnly: false
volumes:
- hostPath:
    path: /var/log/kube-audit
    type: DirectoryOrCreate
  name: logs
- audit-log-format - the audit log format. The default is json, but a legacy text format is also available (legacy).
Audit policy
Now to the file describing the logging policy. The first concept of the audit policy is level, the logging level. The levels are:
- None - do not log;
- Metadata - log the request metadata: the user, the request time, the target resource (pod, namespace, etc.), the action type (verb), etc.;
- Request - log the metadata and the request body;
- RequestResponse - log the metadata, the request body and the response body.
The last two levels (Request and RequestResponse) do not log requests that are not resource access (access to what are called non-resource URLs).
All requests pass through several stages:
- RequestReceived - the stage at which the request has been received by the handler but not yet passed further along the handler chain;
- ResponseStarted - the response headers have been sent, but the response body has not yet been sent. Generated for long-running queries (for example, watch);
- ResponseComplete - the response body has been sent and no more information will be sent;
- Panic - events generated when an abnormal situation occurs.
You can skip any stage with omitStages.
In the policy file we can describe several sections with different logging levels. The first matching rule found in the policy description is the one applied.
The kubelet daemon watches for changes in the manifest with the API server configuration and, if any are detected, restarts the container with the API server. But there is a subtlety: changes in the policy file are ignored by it. After making changes in the policy file you will have to restart the API server manually. Since the api server runs as a static pod, the kubectl delete command will not cause a restart. You will have to do it manually with docker stop on the kube-masters where the audit policy was changed:
docker stop $(docker ps | grep k8s_kube-apiserver | awk '{print $1}')
When enabling auditing, keep in mind that the load on kube-apiserver increases. In particular, memory consumption grows in order to store the request context. Logging begins only after the response headers have been sent. The load also depends on the audit policy configuration.
Policy examples
Let's look at the structure of policy files through examples.
Here is a simple policy file that logs everything at the Metadata level:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
In a policy you can list users (Users and ServiceAccounts) and user groups. For example, this is how we ignore system users but log everything else at the Request level:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: None
  userGroups:
  - "system:serviceaccounts"
  - "system:nodes"
  users:
  - "system:anonymous"
  - "system:apiserver"
  - "system:kube-controller-manager"
  - "system:kube-scheduler"
- level: Request
It is also possible to describe targets:
- namespaces (namespaces);
- verbs (verbs: get, update, delete and others);
- resources (resources, in our case: pod, configmaps, etc.) and resource groups (apiGroups).
Note! Resources and resource groups (API groups, i.e. apiGroups), as well as the versions of them installed in the cluster, can be obtained with the commands:
kubectl api-resources
kubectl api-versions
The following audit policy is offered as an example of best practices in the documentation:
apiVersion: audit.k8s.io/v1beta1
kind: Policy
# Do not log the RequestReceived stage
omitStages:
  - "RequestReceived"
rules:
  # Do not log events that are considered insignificant and harmless:
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: "" # this is the api group with the empty name, to which the
                  # basic Kubernetes resources belong; it is called "core"
        resources: ["endpoints", "services"]
  - level: None
    users: ["system:unsecured"]
    namespaces: ["kube-system"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["configmaps"]
  - level: None
    users: ["kubelet"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    users:
      - system:kube-controller-manager
      - system:kube-scheduler
      - system:serviceaccount:kube-system:endpoint-controller
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # core
        resources: ["endpoints"]
  - level: None
    users: ["system:apiserver"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["namespaces"]
  # Do not log access to read-only URLs:
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*
  # Do not log messages related to the "events" resource type:
  - level: None
    resources:
      - group: "" # core
        resources: ["events"]
  # Resources of type Secret, ConfigMap and TokenReview may contain secret data,
  # so we log only the metadata of the requests related to them
  - level: Metadata
    resources:
      - group: "" # core
        resources: ["secrets", "configmaps"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
  # get, list and watch actions can be heavy; we do not log their responses
  - level: Request
    verbs: ["get", "list", "watch"]
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default logging level for the standard API resources
  - level: RequestResponse
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default logging level for all other requests
  - level: Metadata
Another good example of an audit policy can also be found in the documentation.
Besides writing audit events to a log, they can also be delivered through a webhook. We will not go into that here.
Conclusion
This article gives a basic overview of the security mechanisms in Kubernetes clusters that let you create personalized user accounts, delimit their rights and record their activity. I hope it will be useful to those who face these questions in theory or in practice. I also recommend reading the list of other materials on Kubernetes security given in the P.S.: perhaps among them you will find the details you need on the problems relevant to you.
P.S.
Read also on our blog:
- "33+ Kubernetes security tools";
- "Understanding Kubernetes network policies";
- "Understanding RBAC in Kubernetes";
- "9 best practices for Kubernetes security";
- "11 ways (not) to get hacked in Kubernetes".
Source: www.habr.com