The ABCs of Security in Kubernetes: Authentication, Authorization, Auditing

Sooner or later, in the operation of any system, the question of security comes up: providing authentication, separating rights, auditing and other tasks. Many solutions have already been created for Kubernetes that make it possible to meet compliance standards even in very demanding environments... This material is devoted to the basic security mechanisms implemented within the built-in mechanisms of K8s. First of all, it will be useful for those who are just getting acquainted with Kubernetes, as a starting point for studying security-related questions.

Authentication

There are two types of users in Kubernetes:

  • Service Accounts - accounts managed by the Kubernetes API;
  • Users - "ordinary" users managed by external, independent services.

The main difference between these types is that for Service Accounts there are special objects in the Kubernetes API (they are called ServiceAccounts), which are bound to a namespace and to a set of credentials stored in the cluster in objects of type Secret. Such users (Service Accounts) are intended to manage access rights to the Kubernetes API for processes running inside the Kubernetes cluster.

Ordinary Users have no entries in the Kubernetes API: they must be managed by external mechanisms. They are intended for people or for processes living outside the cluster.

Every API request is associated either with a Service Account, with a User, or is considered anonymous.

A user's authentication data includes:

  • username - the user name (case-sensitive!);
  • UID - a machine-readable user identifier string that is "more consistent and unique than the username";
  • groups - the list of groups the user belongs to;
  • extra - additional fields that can be used by the authorization mechanism.

Kubernetes can use a large number of authentication mechanisms: X509 certificates, Bearer tokens, an authenticating proxy, HTTP Basic Auth. Through these mechanisms a large number of authentication schemes can be applied: from a static file with passwords to OpenID OAuth2.

Moreover, several authentication schemes can be used at the same time. By default, the cluster uses:

  • service account tokens - for Service Accounts;
  • X509 - for Users.

Managing ServiceAccounts is beyond the scope of this article, but for those who want to learn more about it, I recommend starting with the official documentation pages. We will look in more detail at how X509 certificates work.

User certificates (X.509)

The classic way of working with certificates involves:

  • generating a key:
    mkdir -p ~/.certs/
    openssl genrsa -out ~/.certs/mynewuser.key 2048
  • generating a certificate signing request:
    openssl req -new -key ~/.certs/mynewuser.key -out ~/.certs/mynewuser.csr -subj "/CN=mynewuser/O=company"
  • processing the request with the Kubernetes cluster CA key to obtain the user certificate (this step must be performed under an account that has access to the cluster CA key, which by default is located at /etc/kubernetes/pki/ca.key):
    openssl x509 -req -in ~/.certs/mynewuser.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out ~/.certs/mynewuser.crt -days 500
  • creating the configuration file:
    • describing the cluster (specify the address and the location of the CA certificate file of the cluster being configured):
      kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server=https://192.168.100.200:6443
    • or the not recommended insecure variant, in which the root certificate is not specified (kubectl will then not verify the identity of the cluster's api-server):
      kubectl config set-cluster kubernetes --insecure-skip-tls-verify=true --server=https://192.168.100.200:6443
    • adding the user to the configuration file:
      kubectl config set-credentials mynewuser --client-certificate=.certs/mynewuser.crt --client-key=.certs/mynewuser.key
    • adding a context:
      kubectl config set-context mynewuser-context --cluster=kubernetes --namespace=target-namespace --user=mynewuser
    • setting the default context:
      kubectl config use-context mynewuser-context

After the manipulations above, a config like the following will be created in the .kube/config file:

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/pki/ca.crt
    server: https://192.168.100.200:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: target-namespace
    user: mynewuser
  name: mynewuser-context
current-context: mynewuser-context
kind: Config
preferences: {}
users:
- name: mynewuser
  user:
    client-certificate: /home/mynewuser/.certs/mynewuser.crt
    client-key: /home/mynewuser/.certs/mynewuser.key

To make it easier to move the configuration between accounts and servers, it is recommended to edit the values of the following keys:

  • certificate-authority
  • client-certificate
  • client-key

To do this, you can encode the files they point to with base64 and put the result into the config, adding the suffix -data to the key names, i.e. obtaining certificate-authority-data and so on.
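As an added example (not the article's own code), the same openssl steps driven from Python against a throwaway test CA that stands in for /etc/kubernetes/pki/ca.crt and ca.key, followed by the two checks the api-server itself makes on a client certificate (the subject CN becomes the user name and each O a group; the certificate must chain to the cluster CA) and a kubeconfig built directly with the -data fields described above. It assumes the openssl CLI is on PATH; the JSON form it returns is accepted by kubectl as a kubeconfig.

```python
import base64
import os
import subprocess
import tempfile

def _openssl(*args):
    return subprocess.run(["openssl", *args], check=True, capture_output=True, text=True).stdout

def make_test_ca(workdir):
    """Constructed stand-in for the cluster CA (a real cluster uses /etc/kubernetes/pki/ca.{crt,key})."""
    ca_crt, ca_key = os.path.join(workdir, "ca.crt"), os.path.join(workdir, "ca.key")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
             "-keyout", ca_key, "-out", ca_crt, "-subj", "/CN=kubernetes")
    return ca_crt, ca_key

def make_user_cert(workdir, ca_crt, ca_key, user, group):
    """Key -> CSR -> CA-signed certificate: the three openssl steps listed above."""
    key, csr, crt = (os.path.join(workdir, f"{user}.{ext}") for ext in ("key", "csr", "crt"))
    _openssl("genrsa", "-out", key, "2048")
    _openssl("req", "-new", "-key", key, "-out", csr, "-subj", f"/CN={user}/O={group}")
    _openssl("x509", "-req", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
             "-CAcreateserial", "-out", crt, "-days", "500")
    return crt, key

def cert_identity(crt):
    """(user, groups) as the api-server derives them: CN is the user name, each O is a group.
    RFC2253 output looks like 'subject=O=company,CN=mynewuser'; values containing commas are not handled."""
    subject = _openssl("x509", "-in", crt, "-noout", "-subject", "-nameopt", "RFC2253")
    parts = [p.split("=", 1) for p in subject.split("=", 1)[1].strip().split(",")]
    return next(v for k, v in parts if k == "CN"), [v for k, v in parts if k == "O"]

def chains_to_ca(crt, ca_crt):
    """True only if the certificate validates against this CA, which is what the api-server checks."""
    return subprocess.run(["openssl", "verify", "-CAfile", ca_crt, crt], capture_output=True).returncode == 0

def _b64_file(path):
    with open(path, "rb") as f:
        return base64.b64encode(f.read()).decode()

def portable_kubeconfig(user, server, ca_crt, crt, key, namespace="target-namespace"):
    """Same layout as the .kube/config above, but with the *-data fields embedded so the
    file can be copied between hosts without the files it used to reference."""
    return {
        "apiVersion": "v1", "kind": "Config", "preferences": {},
        "clusters": [{"name": "kubernetes", "cluster": {
            "server": server, "certificate-authority-data": _b64_file(ca_crt)}}],
        "users": [{"name": user, "user": {
            "client-certificate-data": _b64_file(crt), "client-key-data": _b64_file(key)}}],
        "contexts": [{"name": f"{user}-context", "context": {
            "cluster": "kubernetes", "user": user, "namespace": namespace}}],
        "current-context": f"{user}-context",
    }

def demo(user="mynewuser", group="company", server="https://192.168.100.200:6443"):
    """End-to-end run in temp dirs; a second, unrelated test CA shows the chain check rejecting the cert."""
    work, other = tempfile.mkdtemp(), tempfile.mkdtemp()
    ca_crt, ca_key = make_test_ca(work)
    other_ca, _ = make_test_ca(other)
    crt, key = make_user_cert(work, ca_crt, ca_key, user, group)
    return {"identity": cert_identity(crt), "chains": chains_to_ca(crt, ca_crt),
            "chains_to_other_ca": chains_to_ca(crt, other_ca),
            "kubeconfig": portable_kubeconfig(user, server, ca_crt, crt, key)}
```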

Certificates with kubeadm

With the release of Kubernetes 1.15, working with certificates has become easier thanks to the alpha version of its support in the kubeadm utility. For example, this is what generating a configuration file with user keys can look like:

kubeadm alpha kubeconfig user --client-name=mynewuser --apiserver-advertise-address 192.168.100.200

NB: The required advertise address can be found in the api-server config, which by default is located at /etc/kubernetes/manifests/kube-apiserver.yaml.

The resulting config is printed to stdout. It should be saved to ~/.kube/config of the user account or to the file specified in the KUBECONFIG environment variable.

Digging deeper

For those who want to understand the questions described here more thoroughly:

Authorization

By default, an authenticated account has no rights to operate on the cluster. To grant permissions, Kubernetes implements an authorization mechanism.

Before release 1.6, Kubernetes used an authorization type called ABAC (Attribute-based access control). Details can be found in the official documentation. This approach is currently considered legacy, but it can still be used alongside other authorization types.

The current (and more flexible) way of separating access rights to the cluster is called RBAC (Role-based access control). It has been declared stable since Kubernetes version 1.8. RBAC implements a permission model in which everything that is not explicitly allowed is forbidden.
To enable RBAC, the Kubernetes api-server must be started with the parameter --authorization-mode=RBAC. The parameters are set in the manifest with the api-server configuration, which by default is located at /etc/kubernetes/manifests/kube-apiserver.yaml, in the command section. However, RBAC is already enabled by default, so most likely you don't need to worry about it: you can verify this by the value of authorization-mode (in the already mentioned kube-apiserver.yaml). By the way, among its values there may be other authorization types (node, webhook, always allow), but we will leave their consideration outside the scope of this material.

By the way, we have already published an article with a fairly detailed description of the principles and specifics of working with RBAC, so in what follows I will limit myself to a brief list of the basics and examples.

The following API entities are used to control access to Kubernetes via RBAC:

  • Role and ClusterRole - roles describing access rights:
    • Role allows you to describe rights within a namespace;
    • ClusterRole - within the whole cluster, including cluster-specific resources such as nodes and non-resource URLs (i.e. not related to Kubernetes resources - for example, /version, /logs, /api*);
  • RoleBinding and ClusterRoleBinding - used to bind a Role or ClusterRole to a user, a group of users or a ServiceAccount.

Role and RoleBinding entities are limited to a namespace, i.e. they must be in the same namespace. However, a RoleBinding can reference a ClusterRole, which allows you to create a set of generic permissions and control access with their help.

Roles describe rights using sets of rules containing:

  • API groups - see the official documentation on apiGroups and the output of kubectl api-resources;
  • resources (resources: pod, namespace, deployment and so on);
  • verbs (verbs: get, update and so on);
  • resource names (resourceNames) - for the case when access must be granted to a specific resource, not to all resources of this type.

A more detailed breakdown of authorization in Kubernetes can be found on the official documentation page. Instead (or rather, in addition to it), I will give examples illustrating how it works.

Examples of RBAC entities

A simple Role that allows getting the list and status of pods and watching them in the target-namespace namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: target-namespace
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

An example ClusterRole that allows getting the list and status of pods and watching them across the whole cluster:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # there is no "namespace" section, since a ClusterRole applies to the whole cluster
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

An example RoleBinding that allows the user mynewuser to "read" pods in the target-namespace namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: target-namespace
subjects:
- kind: User
  name: mynewuser # the user name is case-sensitive!
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role # must be "Role" or "ClusterRole"
  name: pod-reader # the name of the Role in the same namespace,
                   # or the name of the ClusterRole whose use
                   # we want to grant to the user
  apiGroup: rbac.authorization.k8s.io
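As an added example (not from the article), a small evaluator for the RBAC semantics described above: deny by default, Role and RoleBinding confined to their own namespace, a RoleBinding that may reference a ClusterRole, and subjects of kind User, Group or ServiceAccount. The objects are the Role, ClusterRole and RoleBinding from this section as Python dicts plus one constructed RoleBinding named dev-secrets; this is a teaching model of the rules, not the api-server's authorizer.

```python
def _rule_matches(rule, a):
    """A rule grants a request when apiGroup, resource and verb are listed (or '*')
    and, if resourceNames is set, the object name is one of them."""
    def listed(field, value):
        return "*" in rule.get(field, []) or value in rule.get(field, [])
    names = rule.get("resourceNames")
    return (listed("apiGroups", a["apiGroup"]) and listed("resources", a["resource"])
            and listed("verbs", a["verb"]) and (not names or a.get("name") in names))

def _subject_matches(subject, a):
    """User -> the user name; Group -> any of the request's groups;
    ServiceAccount -> the user name system:serviceaccount:<namespace>:<name>."""
    if subject["kind"] == "User":
        return subject["name"] == a["user"]
    if subject["kind"] == "Group":
        return subject["name"] in a["groups"]
    if subject["kind"] == "ServiceAccount":
        return a["user"] == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return False

def is_allowed(a, objects):
    """Deny by default: allow only if a binding that names this subject references
    a role containing a rule that matches the request."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        # A RoleBinding grants only inside its own namespace, even when it references a ClusterRole.
        if b["kind"] == "RoleBinding" and b["metadata"].get("namespace") != a.get("namespace"):
            continue
        if not any(_subject_matches(s, a) for s in b["subjects"]):
            continue
        ref = b["roleRef"]
        ref_ns = b["metadata"].get("namespace") if ref["kind"] == "Role" else None
        role = roles.get((ref["kind"], ref_ns, ref["name"]))
        if role and any(_rule_matches(r, a) for r in role.get("rules", [])):
            return True
    return False

# The Role, ClusterRole and RoleBinding from this page as dicts, plus one constructed
# RoleBinding ("dev-secrets") that hands the secret-reader ClusterRole to the group
# "company" inside the "dev" namespace only.
OBJECTS = [
    {"kind": "Role", "metadata": {"namespace": "target-namespace", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "target-namespace"},
     "subjects": [{"kind": "User", "name": "mynewuser"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "RoleBinding", "metadata": {"name": "dev-secrets", "namespace": "dev"},
     "subjects": [{"kind": "Group", "name": "company"}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
]

def can(user, verb, resource, namespace=None, groups=(), api_group="", name=None):
    """Mirror of 'kubectl auth can-i', evaluated against OBJECTS."""
    attrs = {"user": user, "groups": list(groups), "verb": verb, "apiGroup": api_group,
             "resource": resource, "namespace": namespace, "name": name}
    return is_allowed(attrs, OBJECTS)
```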

Auditing

Schematically, the Kubernetes architecture can be represented as follows:

[figure: Kubernetes architecture diagram]

The key Kubernetes component responsible for handling requests is the api-server. All operations on the cluster pass through it. You can read more about these internal mechanisms in the article "What happens in Kubernetes when you run kubectl run?".

System auditing is an interesting feature of Kubernetes that is disabled by default. It allows you to log all calls to the Kubernetes API. As you can guess, all actions related to controlling and changing the state of the cluster are performed through this API. A good description of its capabilities can be found (as usual) in the official k8s documentation. Below I will try to present the topic in simpler language.

So, to enable auditing, we need to pass three required parameters to the container with the api-server; they are described in more detail below:

  • --audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml
  • --audit-log-path=/var/log/kube-audit/audit.log
  • --audit-log-format=json

Besides these three required parameters, there are many additional settings related to auditing: from log rotation to webhook descriptions. An example of log rotation parameters:

  • --audit-log-maxbackup=10
  • --audit-log-maxsize=100
  • --audit-log-maxage=7

But we will not consider them in detail - all the details can be found in the kube-apiserver documentation.

As already mentioned, all parameters are set in the manifest with the api-server configuration (by default /etc/kubernetes/manifests/kube-apiserver.yaml), in the command section. Let's return to the three required parameters and look at them:

  1. audit-policy-file - the path to the YAML file describing the audit policy. We will return to its contents, but for now I'll note that the file must be readable by the api-server process. Therefore it must be mounted into the container, for which you can add the following code to the appropriate sections of the config:
      volumeMounts:
        - mountPath: /etc/kubernetes/policies
          name: policies
          readOnly: true
      volumes:
      - hostPath:
          path: /etc/kubernetes/policies
          type: DirectoryOrCreate
        name: policies
  2. audit-log-path - the path to the log file. The path must also be accessible to the api-server process, so we describe its mount in the same way:
      volumeMounts:
        - mountPath: /var/log/kube-audit
          name: logs
          readOnly: false
      volumes:
      - hostPath:
          path: /var/log/kube-audit
          type: DirectoryOrCreate
        name: logs
  3. audit-log-format - the audit log format. The default is json, but the legacy text format is also available (legacy).

Audit Policy

Now about the file mentioned above that describes the logging policy. The first concept of the audit policy is level, the logging level. The levels are:

  • None - do not log;
  • Metadata - log request metadata: user, request time, target resource (pod, namespace, etc.), action type (verb), etc.;
  • Request - log metadata and the request body;
  • RequestResponse - log metadata, the request body and the response body.

The last two levels (Request and RequestResponse) do not log requests that did not access resources (access to so-called non-resource URLs).

Also, every request passes through several stages:

  • RequestReceived - the stage when the request has been received by the handler and has not yet been passed further along the chain of handlers;
  • ResponseStarted - the response headers have been sent, but the response body has not been sent yet. Generated for long-running requests (e.g. watch);
  • ResponseComplete - the response body has been sent, nothing more will be sent;
  • Panic - events generated when an abnormal situation is detected.

Any of the stages can be skipped using omitStages.

In the policy file we can describe several sections with different logging levels. The first matching rule found in the policy description is applied.

The kubelet daemon monitors changes in the manifest with the api-server configuration and, if it detects any, restarts the container with the api-server. But there is an important point: changes to the policy file are ignored by it. After changing the policy file, you will have to restart the api-server manually. Since the api-server runs as a static pod, the kubectl delete command will not make it restart. You will have to manually run docker stop on the kube-masters where the audit policy was changed:

docker stop $(docker ps | grep k8s_kube-apiserver | awk '{print $1}')

When enabling auditing, it's important to remember that the load on kube-apiserver increases. In particular, memory consumption for storing the request context grows. Logging begins only after the response headers have been sent. The load also depends on the audit policy configuration.

Policy examples

Let's look at the structure of policy files using examples.

Here is a simple policy file that logs everything at the Metadata level:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata

In the policy you can specify lists of users (Users and ServiceAccounts) and user groups. For example, this is how we ignore system users but log everything else at the Request level:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: None
    userGroups:
      - "system:serviceaccounts"
      - "system:nodes"
    users:
      - "system:anonymous"
      - "system:apiserver"
      - "system:kube-controller-manager"
      - "system:kube-scheduler"
  - level: Request

It is also possible to describe targets:

  • namespaces (namespaces);
  • verbs (verbs: get, update, delete and others);
  • resources (resources, namely: pod, configmaps, etc.) and resource groups (apiGroups).

Attention! Resources and resource groups (API groups, i.e. apiGroups), as well as their versions installed in the cluster, can be obtained with the commands:

kubectl api-resources
kubectl api-versions

The following policy is given as a demonstration of best practices in the Alibaba Cloud documentation:

apiVersion: audit.k8s.io/v1beta1
kind: Policy
# Do not log the RequestReceived stage
omitStages:
  - "RequestReceived"
rules:
  # Do not log events considered insignificant and not dangerous:
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: "" # the API group with the empty name, to which the basic
                  # Kubernetes resources, called "core", belong
        resources: ["endpoints", "services"]
  - level: None
    users: ["system:unsecured"]
    namespaces: ["kube-system"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["configmaps"]
  - level: None
    users: ["kubelet"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    users:
      - system:kube-controller-manager
      - system:kube-scheduler
      - system:serviceaccount:kube-system:endpoint-controller
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # core
        resources: ["endpoints"]
  - level: None
    users: ["system:apiserver"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["namespaces"]
  # Do not log requests to read-only URLs:
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*
  # Do not log messages related to the "events" resource type:
  - level: None
    resources:
      - group: "" # core
        resources: ["events"]
  # Resources of type Secret, ConfigMap and TokenReview may contain sensitive data,
  # so we log only the metadata of the requests involving them
  - level: Metadata
    resources:
      - group: "" # core
        resources: ["secrets", "configmaps"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
  # Actions of type get, list and watch can be resource-intensive, so their responses are not logged
  - level: Request
    verbs: ["get", "list", "watch"]
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default logging level for standard API resources
  - level: RequestResponse
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default logging level for all other requests
  - level: Metadata

Another good example of an audit policy is the profile used in GCE.
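As an added example (not from the article or from Alibaba Cloud), the matching rules described above (levels, stages, omitStages, first matching rule wins, resource versus non-resource requests) implemented over a constructed subset of the policy shown above, written as Python dicts instead of YAML. It models the documented semantics, not the api-server's code.

```python
# Constructed subset of the policy above, as dicts (group "" is the core API group).
POLICY = {
    "omitStages": ["RequestReceived"],
    "rules": [
        {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
         "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
        {"level": "None", "userGroups": ["system:nodes"], "verbs": ["get"],
         "resources": [{"group": "", "resources": ["nodes"]}]},
        {"level": "None", "nonResourceURLs": ["/healthz*", "/version", "/swagger*"]},
        {"level": "None", "resources": [{"group": "", "resources": ["events"]}]},
        {"level": "Metadata", "resources": [{"group": "", "resources": ["secrets", "configmaps"]},
                                            {"group": "authentication.k8s.io", "resources": ["tokenreviews"]}]},
        {"level": "Request", "verbs": ["get", "list", "watch"],
         "resources": [{"group": ""}, {"group": "apps"}, {"group": "rbac.authorization.k8s.io"}]},
        {"level": "RequestResponse",
         "resources": [{"group": ""}, {"group": "apps"}, {"group": "rbac.authorization.k8s.io"}]},
        {"level": "Metadata"},  # catch-all default for everything else
    ],
}

def request(user, verb, resource=None, api_group="", namespace=None, groups=(), url=None):
    """Build the attribute dict the matcher expects (url set means a non-resource request)."""
    return {"user": user, "verb": verb, "resource": resource, "apiGroup": api_group,
            "namespace": namespace, "groups": list(groups), "nonResourceURL": url}

def _url_matches(pattern, url):
    """'/healthz*' matches any URL starting with /healthz; other patterns match exactly."""
    return url.startswith(pattern[:-1]) if pattern.endswith("*") else url == pattern

def _resource_matches(spec, req):
    """A resources entry matches on group; an absent or empty 'resources' list means the whole group."""
    if spec.get("group", "") != req.get("apiGroup", ""):
        return False
    return not spec.get("resources") or req["resource"] in spec["resources"]

def _rule_matches(rule, req):
    """Every selector present in the rule must match; a selector that is absent matches anything."""
    if "users" in rule and req["user"] not in rule["users"]:
        return False
    if "userGroups" in rule and not set(rule["userGroups"]) & set(req.get("groups", [])):
        return False
    if "verbs" in rule and req["verb"] not in rule["verbs"]:
        return False
    if "namespaces" in rule and req.get("namespace") not in rule["namespaces"]:
        return False
    url = req.get("nonResourceURL")
    if "nonResourceURLs" in rule:
        return bool(url) and any(_url_matches(p, url) for p in rule["nonResourceURLs"])
    if "resources" in rule:
        return not url and any(_resource_matches(s, req) for s in rule["resources"])
    return True

def audit_level(policy, req):
    """The first matching rule wins; a request that matches no rule is not logged."""
    return next((r["level"] for r in policy["rules"] if _rule_matches(r, req)), "None")

def events_for(policy, req, stages):
    """(stage, level) pairs that actually produce audit events for a request: level None logs
    nothing, and stages listed in omitStages (policy-wide or in the matched rule) are skipped."""
    rule = next((r for r in policy["rules"] if _rule_matches(r, req)), None)
    if rule is None or rule["level"] == "None":
        return []
    omitted = set(policy.get("omitStages", [])) | set(rule.get("omitStages", []))
    return [(stage, rule["level"]) for stage in stages if stage not in omitted]
```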

To respond promptly to audit events, it is possible to describe a webhook. This topic is covered in the official documentation; I will leave it outside the scope of this article.

Conclusion

This article gives an overview of the basic security mechanisms in Kubernetes clusters that allow you to create personal accounts, separate their rights and log their actions. I hope it will be useful for those who encounter such questions in theory or in practice. I also recommend reading the list of other materials on the topic of Kubernetes security given in the "P.S." - perhaps among them you will find the necessary details on the problems that are relevant to you.

P.S.

Also read on our blog:

Source: www.habr.com
