Kubernetes: authentication, RBAC authorization and audit logging

This article walks through the three mechanisms that decide who may do what in a cluster and leave a trace of it: how the api-server authenticates callers, how RBAC authorizes them, and how the audit log records their requests.

Authentication in Kubernetes

Kubernetes distinguishes two categories of accounts:
- service accounts - accounts created and managed by the Kubernetes API itself;
- users - "normal" users, which are managed outside the cluster (by an administrator, a corporate directory or a PKI) and are never stored in the API.
Service accounts are objects in the Kubernetes API (kind ServiceAccount). Each belongs to a namespace, and its credentials live inside the cluster: historically a token Secret was generated automatically for every ServiceAccount; since Kubernetes 1.24 tokens are instead issued on demand through the TokenRequest API and projected into pods. Service accounts are meant for processes running in pods that need to talk to the API.

Normal users (people, or processes outside the cluster) have no object in the Kubernetes API: the api-server only sees the identity that an authenticator derives from the request, for instance from the subject of a client certificate. Creating, renaming or deleting such a user therefore happens outside Kubernetes, in whatever issues the credential.

Every request to the API is attributed either to a normal user, to a service account, or, if no authenticator recognises it, to the anonymous user (system:anonymous). An authenticated request carries the following attributes:
- username - the user name (case-sensitive!);
- UID - an identifier that is meant to be more stable and unique than the username ("this is the same account even if the name was reused");
- groups - the set of groups the user belongs to;
- extra - additional fields that an authorizer may use.
Kubernetes supports several authentication methods and can run several of them at once: X509 client certificates, bearer tokens (a static token file, service account tokens), an authenticating proxy, HTTP Basic Auth (removed in Kubernetes 1.19), and external identity providers through OpenID Connect (OAuth2). When several authenticators are enabled, a request is passed to each of them in turn until one accepts it.

Below we look only at the two methods that cover most clusters:
- service account tokens - for service accounts;
- X509 client certificates - for users.
The remaining methods are outside the scope of this article.
Authentication with client certificates (X.509)

The api-server takes the certificate's Common Name (CN) as the username and each Organization (O) value as a group, so any certificate signed by the cluster CA is a user. Two caveats before creating one: kube-apiserver checks neither CRLs nor OCSP, so a client certificate cannot be revoked and stays valid until it expires (keep the lifetime short); and the api-server hard-wires the group system:masters as a superuser, so O=system:masters would bypass RBAC entirely. To create a user authenticated with a certificate:

- generate a private key:

mkdir -p ~/.certs/
openssl genrsa -out ~/.certs/mynewuser.key 2048

- create a certificate signing request (CN becomes the username, O the group):

openssl req -new -key ~/.certs/mynewuser.key -out ~/.certs/mynewuser.csr -subj "/CN=mynewuser/O=company"

- sign the request with the cluster CA, so that the api-server trusts the resulting certificate (on a kubeadm cluster the CA certificate and key are /etc/kubernetes/pki/ca.crt and /etc/kubernetes/pki/ca.key on the control-plane nodes):

openssl x509 -req -in ~/.certs/mynewuser.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out ~/.certs/mynewuser.crt -days 500
- configure kubectl for the new user. First add the cluster, pointing at the CA certificate that signed the api-server's serving certificate (the path below is the one on the control-plane node, so run this where the file exists or copy it first):

kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server=https://192.168.100.200:6443

- alternatively, and not recommended, the server certificate check can be switched off; kubectl then does not verify that it is talking to the real api-server, which leaves the connection open to interception:

kubectl config set-cluster kubernetes --insecure-skip-tls-verify=true --server=https://192.168.100.200:6443
- add the user's credentials (the certificate and key created above; kubectl stores the absolute paths, as the resulting config shows):

kubectl config set-credentials mynewuser --client-certificate=.certs/mynewuser.crt --client-key=.certs/mynewuser.key

- create a context that ties the user to the cluster and to a default namespace:

kubectl config set-context mynewuser-context --cluster=kubernetes --namespace=target-namespace --user=mynewuser

- switch to the new context:

kubectl config use-context mynewuser-context

- check the result. The user's ~/.kube/config now looks like this:
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/pki/ca.crt
    server: https://192.168.100.200:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: target-namespace
    user: mynewuser
  name: mynewuser-context
current-context: mynewuser-context
kind: Config
preferences: {}
users:
- name: mynewuser
  user:
    client-certificate: /home/mynewuser/.certs/mynewuser.crt
    client-key: /home/mynewuser/.certs/mynewuser.key
The config above refers to three files by path:
- certificate-authority
- client-certificate
- client-key
To make the kubeconfig self-contained (for example to hand it to the user as a single file), the contents of those files can be embedded base64-encoded in the fields with the -data suffix, i.e. certificate-authority-data, client-certificate-data and client-key-data; kubectl does this itself when set-cluster and set-credentials are called with --embed-certs=true. Note that the file then contains the user's private key and must be protected like one (mode 0600, never committed to a repository).
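As an added example (not from the original article and not part of kubectl), here is a short Python script that performs the same conversion as --embed-certs on an existing kubeconfig and then checks whether the result carries a private key. It assumes only the standard kubeconfig field names; PyYAML is needed only to load and save a real file, and the file reader is injectable so the conversion can be exercised on a constructed config:

```python
# Added example (not from the original article): inline the certificate files that a
# kubeconfig refers to by path, the way `kubectl config ... --embed-certs=true` does.
# It works on the kubeconfig parsed into a dict; PyYAML is needed only to load/dump a
# real file in the __main__ section, the functions themselves use the standard library.
import base64
import copy
from typing import Callable, Dict

# path field -> inline field, as named in the kubeconfig format
EMBED_FIELDS = {
    "certificate-authority": "certificate-authority-data",
    "client-certificate": "client-certificate-data",
    "client-key": "client-key-data",
}


def _read_file(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def _embed_section(section: Dict, read: Callable[[str], bytes]) -> None:
    """Replace every path field in one cluster/user section by its *-data twin."""
    for path_field, data_field in EMBED_FIELDS.items():
        path = section.pop(path_field, None)
        if path is None:
            continue
        # kubectl refuses a section that carries both forms, so the path field is dropped
        section[data_field] = base64.b64encode(read(path)).decode("ascii")


def embed_certs(config: Dict, read: Callable[[str], bytes] = _read_file) -> Dict:
    """Return a copy of `config` with CA, client certificate and client key inlined.

    `read` is injectable so the conversion can be tested without touching the disk.
    """
    out = copy.deepcopy(config)
    for entry in out.get("clusters", []):
        _embed_section(entry.get("cluster", {}), read)
    for entry in out.get("users", []):
        _embed_section(entry.get("user", {}), read)
    return out


def contains_private_key(config: Dict) -> bool:
    """True if the kubeconfig itself carries a private key (client-key-data).

    Such a file is a credential, not a configuration file: keep it mode 0600 and
    out of version control.
    """
    return any("client-key-data" in entry.get("user", {}) for entry in config.get("users", []))


if __name__ == "__main__":
    import os
    import sys
    import yaml  # PyYAML, only needed to read and write the real file

    src = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.kube/config")
    with open(src) as fh:
        cfg = yaml.safe_load(fh)
    portable = embed_certs(cfg)
    # write with restrictive permissions: the output contains the client private key
    fd = os.open("kubeconfig-portable.yaml", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        yaml.safe_dump(portable, fh, default_flow_style=False)
```

The output file is written with mode 0600 because, unlike the original config, it now holds the private key itself rather than a path to it.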
If the cluster was deployed with kubeadm, the whole procedure (key, certificate signed by the cluster CA, kubeconfig with embedded data) collapses to one command run on a control-plane node:

kubeadm alpha kubeconfig user --client-name=mynewuser --apiserver-advertise-address 192.168.100.200

NB: the advertise address of the api-server can be looked up in its manifest /etc/kubernetes/manifests/kube-apiserver.yaml. Since Kubernetes 1.22 the command is no longer under alpha and is called kubeadm kubeconfig user; it also accepts --org to set the group.
The generated config is written to stdout; save it as the user's ~/.kube/config, or to any file referenced by the KUBECONFIG environment variable.
See also:
- a ready-made script that automates creating a user with a certificate in a Kubernetes cluster;
- the Bitnami article that walks through the same procedure together with RBAC configuration;
- the Kubernetes documentation on controlling access to the API.
Authorization

Once the api-server knows who is calling, it decides whether the caller may perform the requested action on the requested object; this is authorization, and Kubernetes implements it with pluggable authorization modules.
Besides ABAC (attribute-based access control, where the policies live in a file on the api-server host and every change requires a restart, which makes it awkward to manage), Kubernetes has offered RBAC (role-based access control) since version 1.6; it became stable in 1.8 and is the mode used in practice, because roles and bindings are ordinary API objects that are created and updated with kubectl without touching the api-server.
To enable RBAC the api-server must be started with --authorization-mode=RBAC. On a kubeadm cluster the flag is set in the static pod manifest /etc/kubernetes/manifests/kube-apiserver.yaml, in the command section of the container, and RBAC is already enabled there by default (together with the Node authorizer, as --authorization-mode=Node,RBAC). Several authorizers can be combined in one comma-separated value (Node, RBAC, Webhook, ABAC, AlwaysAllow, AlwaysDeny); they are consulted in the listed order, and the first one that explicitly allows or denies the request decides, so an AlwaysAllow in the list effectively switches authorization off.
RBAC is expressed with four kinds of API objects:
- Role and ClusterRole - sets of permissions (there are only "allow" rules; nothing is ever denied explicitly). A Role grants access to resources in one namespace; a ClusterRole is not bound to a namespace and can additionally grant access to cluster-scoped resources (nodes, namespaces, persistentvolumes) and to non-resource URLs such as /version, /logs or /api*;
- RoleBinding and ClusterRoleBinding - attach a Role or a ClusterRole to subjects: users, groups or service accounts.
Role and RoleBinding are namespaced objects and act only inside their namespace; ClusterRole and ClusterRoleBinding are cluster-wide. A RoleBinding may reference a ClusterRole, in which case the ClusterRole's permissions are granted only within the RoleBinding's namespace; this lets you define a common role once and reuse it in many namespaces instead of copying it.
Each rule in a Role or ClusterRole describes what is allowed with:
- apiGroups - the API groups of the resources ("" is the core group; list groups and resources with kubectl api-resources);
- resources - the resource types (pods, namespaces, deployments, ...);
- verbs - the operations (get, list, watch, create, update, patch, delete, ...);
- resourceNames - optional: restricts the rule to objects with the given names; without it the rule applies to all objects of the type. create and deletecollection requests cannot be restricted by name, because the name is not known when they are authorized.
Let's look at how this is used.
Example: a Role that lets its subjects read pods (get, list, watch) in the namespace target-namespace, and nothing else:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: target-namespace
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
Example: a ClusterRole that allows reading secrets. Because it is not namespaced, it can be bound cluster-wide (all namespaces) with a ClusterRoleBinding, or in a single namespace with a RoleBinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # no "namespace" field: a ClusterRole spans the whole cluster
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
Example: a RoleBinding that grants the user mynewuser the pod-reader Role, i.e. read access to pods in the namespace target-namespace:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: target-namespace
subjects:
- kind: User
  name: mynewuser # the user name is case-sensitive!
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role # must be "Role" or "ClusterRole"
  name: pod-reader # the name of a Role in the same namespace,
                   # or of a ClusterRole whose use we want
                   # to allow to the user
  apiGroup: rbac.authorization.k8s.io
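To see what these three manifests actually grant, here is an added example (not Kubernetes code and not from the original article) that evaluates RBAC objects offline the way the authorizer does: it loads the Role, ClusterRole and RoleBinding above plus two constructed bindings (a RoleBinding read-secrets that references the ClusterRole, and a ClusterRoleBinding ops-secret-readers for a hypothetical group ops) and answers whether a request is allowed. It shows the namespace limit of a RoleBinding, the case-sensitive user match and the deny-by-default behaviour:

```python
# Added example (not Kubernetes code and not from the original article): a small evaluator
# that applies Role/ClusterRole and (Cluster)RoleBinding objects the way the RBAC
# authorizer does, so the effect of the manifests above can be checked offline. OBJECTS
# holds the three manifests from the article plus two constructed bindings (read-secrets,
# ops-secret-readers) that show the namespace rule. Non-resource URLs, subresources and
# aggregated ClusterRoles are left out.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Request:
    user: str
    verb: str
    resource: str
    namespace: Optional[str] = None  # None for cluster-scoped resources
    api_group: str = ""              # "" is the core group
    name: Optional[str] = None       # object name; None for list/create
    groups: List[str] = field(default_factory=list)


def _rule_allows(rule: Dict, req: Request) -> bool:
    def hit(key: str, wanted: str) -> bool:
        values = rule.get(key, [])
        return "*" in values or wanted in values

    if not (hit("apiGroups", req.api_group) and hit("resources", req.resource) and hit("verbs", req.verb)):
        return False
    names = rule.get("resourceNames")
    # resourceNames limits the rule to named objects; list/create carry no name and never match
    return not names or (req.name is not None and req.name in names)


def _subject_matches(subject: Dict, req: Request) -> bool:
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return name == req.user  # exact, case-sensitive comparison
    if kind == "Group":
        return name in req.groups
    if kind == "ServiceAccount":
        return req.user == f"system:serviceaccount:{subject['namespace']}:{name}"
    return False


class RBAC:
    def __init__(self, objects: List[Dict]):
        self.roles = {}          # (namespace, name) -> rules
        self.cluster_roles = {}  # name -> rules
        self.bindings = []       # RoleBinding and ClusterRoleBinding objects
        for obj in objects:
            meta = obj["metadata"]
            if obj["kind"] == "Role":
                self.roles[(meta["namespace"], meta["name"])] = obj["rules"]
            elif obj["kind"] == "ClusterRole":
                self.cluster_roles[meta["name"]] = obj["rules"]
            else:
                self.bindings.append(obj)

    def _binding_allows(self, binding: Dict, req: Request) -> bool:
        if binding["kind"] == "RoleBinding" and binding["metadata"]["namespace"] != req.namespace:
            return False  # a RoleBinding, even one referencing a ClusterRole, acts only in its namespace
        if not any(_subject_matches(s, req) for s in binding.get("subjects", [])):
            return False
        ref = binding["roleRef"]
        if ref["kind"] == "ClusterRole":
            rules = self.cluster_roles.get(ref["name"], [])
        else:  # a Role must live in the RoleBinding's own namespace
            rules = self.roles.get((binding["metadata"].get("namespace"), ref["name"]), [])
        return any(_rule_allows(r, req) for r in rules)

    def allowed(self, req: Request) -> bool:
        """RBAC has no deny rules: one binding that allows is enough; anything not allowed is denied."""
        return any(self._binding_allows(b, req) for b in self.bindings)


OBJECTS = [
    {"kind": "Role", "metadata": {"namespace": "target-namespace", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "target-namespace"},
     "subjects": [{"kind": "User", "name": "mynewuser"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    # constructed: the cluster-wide ClusterRole bound inside one namespace only
    {"kind": "RoleBinding", "metadata": {"name": "read-secrets", "namespace": "target-namespace"},
     "subjects": [{"kind": "User", "name": "mynewuser"}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
    # constructed: the same ClusterRole bound cluster-wide to a hypothetical group "ops"
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-secret-readers"},
     "subjects": [{"kind": "Group", "name": "ops"}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
]

if __name__ == "__main__":
    rbac = RBAC(OBJECTS)
    print(rbac.allowed(Request("mynewuser", "get", "secrets", "target-namespace")))  # True
    print(rbac.allowed(Request("mynewuser", "get", "secrets", "kube-system")))       # False
```

The same questions can be asked of a live cluster with kubectl auth can-i; the evaluator is useful when reviewing manifests before they are applied.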
Audit logging

Every request to the Kubernetes API can be recorded. This is possible because the cluster has a single entry point, the api-server: every kubectl call, every controller reconciliation and every kubelet status update goes through it, so logging at that point captures the complete history of who did what.

An audit record answers the questions: what happened, when it happened, who initiated it, on what object, from where, and what the outcome was. That makes the audit log the primary source both for investigating suspicious activity and for establishing what a leaked credential was used for.

Audit logging is switched on with api-server flags. Events can be written to a file on the host (the log backend) or pushed to an external collector (the webhook backend); the file backend is configured with these flags:
- --audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml
- --audit-log-path=/var/log/kube-audit/audit.log
- --audit-log-format=json
The file backend also has rotation options; without them the log grows until the disk is full. In addition, events can be sent to a webhook with --audit-webhook-config-file pointing at a kubeconfig-style file that describes the receiver. Example rotation settings:
- --audit-log-maxbackup=10
- --audit-log-maxsize=100
- --audit-log-maxage=7
These flags are added to the api-server manifest in the same way as the authorization flag, i.e. on a kubeadm cluster in the command section of /etc/kubernetes/manifests/kube-apiserver.yaml. Of the flags above, three need explanation:
- audit-policy-file - the path to a YAML file with the audit policy, which describes what is logged and in how much detail (the format is discussed below). The api-server runs in a container, so the file is only visible to it if its directory is mounted into the pod; add to the manifest:

volumeMounts:
- mountPath: /etc/kubernetes/policies
  name: policies
  readOnly: true
volumes:
- hostPath:
    path: /etc/kubernetes/policies
    type: DirectoryOrCreate
  name: policies

- audit-log-path - the path to the log file. The directory must likewise be mounted into the api-server container, this time writable, so that the file appears on the host:

volumeMounts:
- mountPath: /var/log/kube-audit
  name: logs
  readOnly: false
volumes:
- hostPath:
    path: /var/log/kube-audit
    type: DirectoryOrCreate
  name: logs

- audit-log-format - the format of the records: json (the default, one JSON object per line) or legacy (a single-line text format).
Audit policy

The policy file is a list of rules. The key attribute of a rule is level, which sets how much of the request is recorded. There are four levels:
- None - do not log the event at all;
- Metadata - log only request metadata: the user, the timestamp, the resource (and namespace) and the verb, but neither the request body nor the response body;
- Request - the metadata plus the request body, but not the response;
- RequestResponse - the metadata plus both the request and the response bodies.
The last two levels (Request and RequestResponse) make no difference for non-resource requests (non-resource URLs): such requests carry no body that could be logged.

Every request passes through several stages, and a separate event can be emitted at each of them:
- RequestReceived - the request has been received by the audit handler and is about to be passed down the handler chain;
- ResponseStarted - the response headers have been sent but the body has not yet; this stage exists only for long-running requests (for example watch);
- ResponseComplete - the response body has been sent and nothing more will follow;
- Panic - an internal error occurred and the request was not processed.
The stages for which no event should be produced are listed in omitStages, either for the whole policy or per rule.
Note that the policy file is read once, when the api-server starts, so after any change to it the api-server must be restarted. The api-server is a static pod run by the kubelet directly from the manifest: if the manifest itself is edited (for example to add the flags above), the kubelet notices and recreates the pod on its own, but a change to the policy file alone is not detected. A static pod cannot be restarted through the API either (kubectl delete removes only its mirror pod object; the container keeps running), so the container has to be stopped on the host, after which the kubelet starts it again with the new policy. On a Docker-based control-plane node:

docker stop $(docker ps | grep k8s_kube-apiserver | awk '{print $1}')

On nodes that run containerd (the default since Docker support was removed in Kubernetes 1.24) the same is done with crictl ps and crictl stop. Repeat this on every control-plane node. For a few seconds after the stop, kubectl cannot reach the cluster; once the api-server is back, the easiest way to confirm that the new configuration was accepted is to look for fresh entries in the audit log.
Policy examples

Let's start with the simplest policies. A policy file that logs every request, in every stage, at the Metadata level:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
Rules can select requests by user (users) and by group (userGroups); service accounts appear as users of the form system:serviceaccount:<namespace>:<name> and belong to the group system:serviceaccounts. For example, this policy excludes the cluster's own components (members of the system groups and the named system users) and logs everything else, including the request body, at the Request level:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
# selectors inside one rule are ANDed, so the group and user exclusions
# must be separate rules; in a single rule they would match almost nothing
- level: None
  userGroups:
  - "system:serviceaccounts"
  - "system:nodes"
- level: None
  users:
  - "system:anonymous"
  - "system:apiserver"
  - "system:kube-controller-manager"
  - "system:kube-scheduler"
- level: Request
Besides users and groups, a rule can select requests by:
- namespaces - the namespaces the request targets;
- verbs - the operations (get, update, delete, ...);
- resources - resource types (pods, configmaps, ...) together with their API groups (apiGroups).
Be careful here: resource and group names must be spelled exactly as the API exposes them (pods, not pod; the core group is the empty string ""), otherwise the rule silently matches nothing. The authoritative lists are printed by
kubectl api-resources
kubectl api-versions
Rules are evaluated from top to bottom and the first rule whose selectors all match determines the level of the event; a request that matches no rule is not logged at all. Put the specific rules first and a catch-all rule last. With that in mind, a more complete policy:
apiVersion: audit.k8s.io/v1
kind: Policy
# Do not log the RequestReceived stage
omitStages:
- "RequestReceived"
rules:
# Do not log events that are considered unimportant and harmless:
- level: None
  users: ["system:kube-proxy"]
  verbs: ["watch"]
  resources:
  - group: "" # the API group with the empty name, which holds
              # the basic Kubernetes resources, called "core"
    resources: ["endpoints", "services"]
- level: None
  users: ["system:unsecured"]
  namespaces: ["kube-system"]
  verbs: ["get"]
  resources:
  - group: "" # core
    resources: ["configmaps"]
- level: None
  users: ["kubelet"]
  verbs: ["get"]
  resources:
  - group: "" # core
    resources: ["nodes"]
- level: None
  userGroups: ["system:nodes"]
  verbs: ["get"]
  resources:
  - group: "" # core
    resources: ["nodes"]
- level: None
  users:
  - system:kube-controller-manager
  - system:kube-scheduler
  - system:serviceaccount:kube-system:endpoint-controller
  verbs: ["get", "update"]
  namespaces: ["kube-system"]
  resources:
  - group: "" # core
    resources: ["endpoints"]
- level: None
  users: ["system:apiserver"]
  verbs: ["get"]
  resources:
  - group: "" # core
    resources: ["namespaces"]
# Do not log requests to read-only URLs:
- level: None
  nonResourceURLs:
  - /healthz*
  - /version
  - /swagger*
# Do not log requests for the "events" resource type:
- level: None
  resources:
  - group: "" # core
    resources: ["events"]
# Secret, ConfigMap and TokenReview objects may contain sensitive data,
# so for requests that touch them only the metadata is logged
- level: Metadata
  resources:
  - group: "" # core
    resources: ["secrets", "configmaps"]
  - group: authentication.k8s.io
    resources: ["tokenreviews"]
# get, list and watch responses can be large and frequent;
# log the request but not the response body for them
- level: Request
  verbs: ["get", "list", "watch"]
  resources:
  - group: "" # core
  - group: "admissionregistration.k8s.io"
  - group: "apps"
  - group: "authentication.k8s.io"
  - group: "authorization.k8s.io"
  - group: "autoscaling"
  - group: "batch"
  - group: "certificates.k8s.io"
  - group: "extensions"
  - group: "networking.k8s.io"
  - group: "policy"
  - group: "rbac.authorization.k8s.io"
  - group: "settings.k8s.io"
  - group: "storage.k8s.io"
# Default level for the standard API resources
- level: RequestResponse
  resources:
  - group: "" # core
  - group: "admissionregistration.k8s.io"
  - group: "apps"
  - group: "authentication.k8s.io"
  - group: "authorization.k8s.io"
  - group: "autoscaling"
  - group: "batch"
  - group: "certificates.k8s.io"
  - group: "extensions"
  - group: "networking.k8s.io"
  - group: "policy"
  - group: "rbac.authorization.k8s.io"
  - group: "settings.k8s.io"
  - group: "storage.k8s.io"
# Default level for all other requests
- level: Metadata
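Since a policy is only read when the api-server starts, it is worth evaluating it by hand first. The following added example (not Kubernetes code and not from the original article) reproduces the api-server's first-match rule evaluation over a subset of the policy above, written as Python literals so it runs without PyYAML; MISORDERED is the same rule set with the Secret/ConfigMap rule moved below the RequestResponse rule, which is enough to make secret bodies appear in the log:

```python
# Added example (not Kubernetes code and not from the original article): evaluate an audit
# Policy the way kube-apiserver does, so a policy can be checked before the api-server is
# restarted with it. Rules are tried in order and the first match sets the level; a request
# that matches no rule is not logged. POLICY is a hand-written subset of the policy above as
# Python literals; MISORDERED is the same policy with the Secret rule moved below the
# RequestResponse rule, to show the ordering trap.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AuditRequest:
    user: str
    verb: str
    groups: List[str] = field(default_factory=list)
    api_group: Optional[str] = None       # None for non-resource URLs
    resource: Optional[str] = None
    namespace: Optional[str] = None
    non_resource_url: Optional[str] = None
    stage: str = "ResponseComplete"


def _url_matches(pattern: str, url: str) -> bool:
    # only a trailing "*" wildcard, as in the policy format
    if pattern.endswith("*"):
        return url.startswith(pattern[:-1])
    return pattern == url


def _rule_matches(rule: Dict, req: AuditRequest) -> bool:
    """All selectors present in a rule must match (they are ANDed); absent ones match anything."""
    if "users" in rule and req.user not in rule["users"]:
        return False
    if "userGroups" in rule and not any(g in req.groups for g in rule["userGroups"]):
        return False
    if "verbs" in rule and req.verb not in rule["verbs"]:
        return False
    if "namespaces" in rule and req.namespace not in rule["namespaces"]:
        return False
    if "nonResourceURLs" in rule:
        if req.non_resource_url is None:
            return False
        if not any(_url_matches(p, req.non_resource_url) for p in rule["nonResourceURLs"]):
            return False
    if "resources" in rule:
        if req.resource is None:  # a resource rule never matches a non-resource request
            return False
        for entry in rule["resources"]:
            if entry.get("group", "") != req.api_group:
                continue
            names = entry.get("resources")
            if not names or req.resource in names:  # no "resources" list = whole group
                break
        else:
            return False
    return True


def audit_level(policy: Dict, req: AuditRequest) -> str:
    """Level at which this request/stage is logged; "None" means no event is written."""
    if req.stage in policy.get("omitStages", []):
        return "None"
    for rule in policy["rules"]:
        if _rule_matches(rule, req):
            if req.stage in rule.get("omitStages", []):
                return "None"
            return rule["level"]
    return "None"  # no matching rule: kube-apiserver's default level is None


GROUPS = [{"group": g} for g in ("", "apps", "batch", "rbac.authorization.k8s.io")]

POLICY = {
    "apiVersion": "audit.k8s.io/v1", "kind": "Policy",
    "omitStages": ["RequestReceived"],
    "rules": [
        {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
         "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
        {"level": "None", "nonResourceURLs": ["/healthz*", "/version", "/swagger*"]},
        {"level": "None", "resources": [{"group": "", "resources": ["events"]}]},
        {"level": "Metadata", "resources": [
            {"group": "", "resources": ["secrets", "configmaps"]},
            {"group": "authentication.k8s.io", "resources": ["tokenreviews"]}]},
        {"level": "Request", "verbs": ["get", "list", "watch"], "resources": GROUPS},
        {"level": "RequestResponse", "resources": GROUPS},
        {"level": "Metadata"},  # catch-all
    ],
}

# same rules, but the Secret/ConfigMap rule placed after the RequestResponse rule
_r = POLICY["rules"]
MISORDERED = {"omitStages": POLICY["omitStages"], "rules": _r[:3] + _r[4:6] + [_r[3], _r[6]]}

if __name__ == "__main__":
    create_secret = AuditRequest("mynewuser", "create", api_group="", resource="secrets",
                                 namespace="target-namespace")
    print("secret create, policy above:", audit_level(POLICY, create_secret))      # Metadata
    print("secret create, misordered:  ", audit_level(MISORDERED, create_secret))  # RequestResponse
```

Run it and compare the two results for a secret create: Metadata with the rules in the order given, RequestResponse once the Metadata rule is moved down. The same check catches the opposite mistake, a catch-all rule placed first, which silently downgrades everything after it.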
The policy above is only an example; adjust it to what you actually need to see. Remember that in an incident the log is read by a person or a SIEM, so keep the noise-reducing rules at the top and ship the file off the node (with a log collector or the webhook backend), because anyone with root on a control-plane node can edit or delete /var/log/kube-audit/audit.log.

To sum up: Kubernetes lets an administrator restrict each user and service account to exactly the namespaces, resources and verbs they need, and record every use of those rights. Both m[...]echanisms are cheap to set up and belong in any cluster that is more than a throwaway test environment; the links in the PS below go deeper into each topic.
PS

Further reading:
- "33+ Kubernetes security tools"
- "RBAC in Kubernetes"
- "9 Kubernetes security best practices"
- "11 ways (not) to get hacked in Kubernetes"
Source: www.habr.com