Le ABC o le Saogalemu i Kubernetes: Faʻamaoniga, Faʻatagaina, Suʻetusi


Sooner or later, in the operation of any system, the question of security arises: providing authentication, separating privileges, auditing and other tasks. Many solutions have already been created for Kubernetes that let you achieve compliance with standards even in very demanding environments... This article, however, is devoted to the basic security mechanisms built into K8s itself. First of all it will be useful to those who are just getting acquainted with Kubernetes, as a starting point for studying security-related questions.

Authentication

There are two kinds of users in Kubernetes:

  • Service Accounts - accounts managed by the Kubernetes API;
  • Users - "normal" users managed by external, independent services.

The main difference between these kinds is that for Service Accounts there are dedicated objects in the Kubernetes API (they are called ServiceAccounts), which are bound to a namespace and to a set of authorization data stored in the cluster in objects of type Secret. Such users (Service Accounts) are primarily intended for managing the access rights to the Kubernetes API of processes running inside the Kubernetes cluster.

Normal users have no records in the Kubernetes API: they must be managed by external mechanisms. They are intended for people or processes living outside the cluster.

Every API request is associated either with a Service Account, with a User, or is treated as anonymous.

A user's authentication data includes:

  • Username - the user name (case-sensitive!);
  • UID - a machine-readable user identifier string that is "more persistent and unique than the username";
  • Groups - the list of groups the user belongs to;
  • Extra - additional fields that can be used by the authorization mechanism.

Kubernetes can use a large number of authentication mechanisms: X509 certificates, Bearer tokens, an authenticating proxy, HTTP Basic Auth. Using these mechanisms you can implement a large number of authentication schemes: from a static file with passwords to OpenID OAuth2.

Moreover, several authentication schemes can be used at the same time. By default, the cluster uses:

  • service account tokens - for Service Accounts;
  • X509 - for Users.

The question of managing ServiceAccounts is beyond the scope of this article, but for those who want to get acquainted with the topic in more detail, I recommend starting with the official documentation pages. We will take a closer look at how X509 certificates work.

Certificates for users (X.509)

The classic way of working with certificates involves:

  • generating a key:
    mkdir -p ~/.certs/
    openssl genrsa -out ~/.certs/mynewuser.key 2048
  • creating a certificate signing request (Kubernetes takes the user name from the certificate's CN and the group from its O):
    openssl req -new -key ~/.certs/mynewuser.key -out ~/.certs/mynewuser.csr -subj "/CN=mynewuser/O=company"
  • signing the certificate request with the Kubernetes cluster CA key, which yields the user certificate (to obtain the certificate you must use an account that has access to the Kubernetes cluster CA key, which by default lives in /etc/kubernetes/pki/ca.key):
    openssl x509 -req -in ~/.certs/mynewuser.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out ~/.certs/mynewuser.crt -days 500
  • creating a configuration file:
    • cluster description (specify the address and the location of the CA certificate file for the particular cluster instance):
      kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server=https://192.168.100.200:6443
    • or, as a not recommended option, you can skip verification of the root certificate (then kubectl will not check the authenticity of the cluster's api-server):
      kubectl config set-cluster kubernetes  --insecure-skip-tls-verify=true --server=https://192.168.100.200:6443
    • adding the user to the configuration file:
      kubectl config set-credentials mynewuser --client-certificate=.certs/mynewuser.crt  --client-key=.certs/mynewuser.key
    • adding a context:
      kubectl config set-context mynewuser-context --cluster=kubernetes --namespace=target-namespace --user=mynewuser
    • setting the default context:
      kubectl config use-context mynewuser-context

After the manipulations above, a config like the following will be created in the .kube/config file:

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/pki/ca.crt
    server: https://192.168.100.200:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: target-namespace
    user: mynewuser
  name: mynewuser-context
current-context: mynewuser-context
kind: Config
preferences: {}
users:
- name: mynewuser
  user:
    client-certificate: /home/mynewuser/.certs/mynewuser.crt
    client-key: /home/mynewuser/.certs/mynewuser.key

To make it easier to move the config between accounts and servers, it is useful to pin the values of the following keys:

  • certificate-authority
  • client-certificate
  • client-key

To do this, you can encode the files they point to with base64 and put the result into the config, adding the suffix -data to the key name, i.e. obtaining certificate-authority-data and so on.
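Here is an added example (my own, not code from the original article) of doing that embedding programmatically: a Python script that takes the parsed kubeconfig (the dict PyYAML's yaml.safe_load would return), reads each file referenced by certificate-authority, client-certificate and client-key, and replaces the key with its -data form carrying the base64-encoded contents. The certificate files it writes are constructed placeholders, and the demo() function, its temporary directory and the FILE_KEYS name are assumptions of this example:

```python
import base64
import os
import tempfile

# Kubeconfig keys that hold file paths; each can be replaced by "<key>-data"
# carrying the base64-encoded file contents, as the article suggests.
FILE_KEYS = ("certificate-authority", "client-certificate", "client-key")


def _embed_files(section: dict) -> dict:
    """Return a copy of a cluster/user section with file paths replaced by
    base64 "-data" values (the file is read from the path given)."""
    embedded = dict(section)
    for key in FILE_KEYS:
        path = embedded.pop(key, None)
        if path is None:
            continue
        with open(os.path.expanduser(path), "rb") as fh:
            embedded[key + "-data"] = base64.b64encode(fh.read()).decode("ascii")
    return embedded


def inline_kubeconfig_files(config: dict) -> dict:
    """Return a portable copy of a parsed kubeconfig in which every cluster
    and user entry carries its CA certificate, client certificate and key inline."""
    portable = {k: v for k, v in config.items() if k not in ("clusters", "users")}
    portable["clusters"] = [
        {"name": c["name"], "cluster": _embed_files(c.get("cluster", {}))}
        for c in config.get("clusters", [])
    ]
    portable["users"] = [
        {"name": u["name"], "user": _embed_files(u.get("user", {}))}
        for u in config.get("users", [])
    ]
    return portable


def embedded_bytes(section: dict, key: str) -> bytes:
    """Decode a "<key>-data" value back to the original file bytes."""
    return base64.b64decode(section[key + "-data"])


def demo() -> dict:
    """Build the article's kubeconfig against constructed (fake) certificate
    files in a temporary directory and return the inlined config."""
    certs_dir = tempfile.mkdtemp(prefix="kubeconfig-demo-")
    fake_files = {  # constructed placeholders, not real PEM material
        "ca.crt": b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA\n-----END CERTIFICATE-----\n",
        "mynewuser.crt": b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-USER\n-----END CERTIFICATE-----\n",
        "mynewuser.key": b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-KEY\n-----END RSA PRIVATE KEY-----\n",
    }
    for name, body in fake_files.items():
        with open(os.path.join(certs_dir, name), "wb") as fh:
            fh.write(body)

    config = {
        "apiVersion": "v1",
        "kind": "Config",
        "current-context": "mynewuser-context",
        "preferences": {},
        "clusters": [{"name": "kubernetes", "cluster": {
            "certificate-authority": os.path.join(certs_dir, "ca.crt"),
            "server": "https://192.168.100.200:6443"}}],
        "contexts": [{"name": "mynewuser-context", "context": {
            "cluster": "kubernetes", "namespace": "target-namespace", "user": "mynewuser"}}],
        "users": [{"name": "mynewuser", "user": {
            "client-certificate": os.path.join(certs_dir, "mynewuser.crt"),
            "client-key": os.path.join(certs_dir, "mynewuser.key")}}],
    }
    return inline_kubeconfig_files(config)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The result can be written back with yaml.safe_dump (kubectl reads YAML and JSON alike). Keep in mind that the inlined config now contains the private key itself, so it must be protected exactly like the key file was.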

Certificates and kubeadm

With the release of Kubernetes 1.15, working with certificates became even simpler thanks to the alpha version of its support in the kubeadm utility. For example, this is what generating a configuration file with user keys can now look like:

kubeadm alpha kubeconfig user --client-name=mynewuser --apiserver-advertise-address 192.168.100.200

NB: The required advertise address can be found in the api-server config, which by default is located in /etc/kubernetes/manifests/kube-apiserver.yaml.

The resulting config is written to stdout. It must be saved to ~/.kube/config of the user account or to a file specified in the KUBECONFIG environment variable.

Digging deeper

For those who want to understand the topics described in more detail:

Authorization

By default, an authenticated account has no rights to operate on the cluster. To grant permissions, Kubernetes implements an authorization mechanism.

Before version 1.6, Kubernetes used an authorization type called ABAC (Attribute-based access control). Details about it can be found in the official documentation. This approach is now considered legacy, but it can still be used together with other authorization modes.

The current (and more flexible) way of dividing access rights in a cluster is called RBAC (Role-based access control). It has been declared stable since Kubernetes version 1.8. RBAC implements a rights model in which everything that is not explicitly allowed is forbidden.
To enable RBAC, you must start the Kubernetes api-server with the parameter --authorization-mode=RBAC. The parameters are set in the manifest with the api-server configuration, which by default is located at /etc/kubernetes/manifests/kube-apiserver.yaml, in the command section. However, RBAC is already enabled by default, so most likely you don't need to worry about it: you can verify this by the value of authorization-mode (in the already mentioned kube-apiserver.yaml). By the way, its value may also contain other authorization types (node, webhook, always allow), but we will leave those outside the scope of this article.

By the way, we have already published an article with a fairly detailed description of the principles and features of working with RBAC, so here I will limit myself to a short list of basics and examples.

The following API entities are used to control access in Kubernetes via RBAC:

  • Role and ClusterRole - roles that describe access rights:
    • Role allows describing rights within a namespace;
    • ClusterRole - within the whole cluster, including cluster-scoped objects such as nodes and non-resource URLs (those not tied to Kubernetes resources - for example, /version, /logs, /api*);
  • RoleBinding and ClusterRoleBinding - used to bind a Role or ClusterRole to a User, a user Group or a ServiceAccount.

Role and RoleBinding entities are namespaced, i.e. they must be in the same namespace. However, a RoleBinding can reference a ClusterRole, which lets you create a set of generic permissions and control access with them.

Roles describe rights using sets of rules containing:

  • API groups - see the official documentation on apiGroups and the output of kubectl api-resources;
  • resources (resources: pod, namespace, deployment, etc.);
  • verbs (verbs: set, update, etc.);
  • resource names (resourceNames) - for the case when access must be granted to a specific resource rather than to all resources of that type.

A more detailed discussion of authorization in Kubernetes can be found on the official documentation page. Instead (or rather, in addition to that), I will give examples illustrating how it works.

Examples of RBAC entities

A simple Role that allows getting the list and status of pods and watching them in the target-namespace namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: target-namespace
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

Example: a ClusterRole that allows getting the list and contents of secrets and watching them across the whole cluster:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # there is no "namespace" section, since a ClusterRole applies to the whole cluster
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

Example: a RoleBinding that allows the user mynewuser to "read" pods in the target-namespace namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: target-namespace
subjects:
- kind: User
  name: mynewuser # the user name is case-sensitive!
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role # must be "Role" or "ClusterRole"
  name: pod-reader # the name of a Role located in the same namespace,
                   # or the name of a ClusterRole whose use
                   # we want to allow the user
  apiGroup: rbac.authorization.k8s.io
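To make the semantics of these objects concrete, here is an added example (my own illustration, not code from the article or from Kubernetes) that evaluates RBAC decisions in pure Python the way the authorizer does: deny by default, and allow only when a binding names the caller and the role it references contains a matching rule. It uses the three objects above plus a hypothetical ClusterRoleBinding named auditors-read-secrets for a group called auditors; aggregated ClusterRoles and nonResourceURLs rules are left out for brevity.

```python
# Constructed RBAC objects: the article's pod-reader Role, secret-reader
# ClusterRole and read-pods RoleBinding, plus a hypothetical ClusterRoleBinding
# that grants secret-reader to the group "auditors" cluster-wide.
ROLES = [
    {"kind": "Role", "metadata": {"namespace": "target-namespace", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}]},
]
BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "target-namespace"},
     "subjects": [{"kind": "User", "name": "mynewuser"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "auditors-read-secrets"},
     "subjects": [{"kind": "Group", "name": "auditors"}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
]


def _listed(allowed, value):
    """A rule list matches when it contains the value or the wildcard "*"."""
    return "*" in allowed or value in allowed


def rule_allows(rule: dict, req: dict) -> bool:
    """One rule allows the request if verb, apiGroup and resource all match;
    resourceNames, when present, additionally restricts the object name."""
    if not _listed(rule.get("verbs", []), req["verb"]):
        return False
    if not _listed(rule.get("apiGroups", []), req.get("apiGroup", "")):
        return False
    if not _listed(rule.get("resources", []), req["resource"]):
        return False
    names = rule.get("resourceNames")
    if names and req.get("name") not in names:
        return False
    return True


def subject_matches(subject: dict, req: dict) -> bool:
    """Subjects are Users (exact, case-sensitive name), Groups (any of the
    caller's groups) or ServiceAccounts, which authenticate with the user name
    system:serviceaccount:<namespace>:<name>."""
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == req["user"]
    if kind == "Group":
        return subject["name"] in req.get("groups", [])
    if kind == "ServiceAccount":
        return req["user"] == "system:serviceaccount:%s:%s" % (subject["namespace"], subject["name"])
    return False


def find_role(kind: str, name: str, namespace=None):
    """Look up a Role (by namespace and name) or a ClusterRole (by name)."""
    for role in ROLES:
        meta = role["metadata"]
        if role["kind"] == kind and meta["name"] == name and meta.get("namespace") == namespace:
            return role
    return None


def is_allowed(req: dict) -> bool:
    """Deny by default; allow only if some binding names the caller and the
    role it references contains a rule allowing the request within scope."""
    for binding in BINDINGS:
        if not any(subject_matches(s, req) for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        if binding["kind"] == "RoleBinding":
            # A RoleBinding only grants rights inside its own namespace, whether
            # it references a Role (same namespace) or a ClusterRole.
            ns = binding["metadata"]["namespace"]
            if req.get("namespace") != ns:
                continue
            role = find_role(ref["kind"], ref["name"], ns if ref["kind"] == "Role" else None)
        else:
            # A ClusterRoleBinding makes the ClusterRole effective in every namespace.
            role = find_role("ClusterRole", ref["name"])
        if role and any(rule_allows(rule, req) for rule in role["rules"]):
            return True
    return False
```

Note how the RoleBinding confines pod-reader to target-namespace while the ClusterRoleBinding makes secret-reader effective everywhere, and that the user name comparison is case-sensitive, exactly as the comment in the RoleBinding warns. Against a live cluster the same questions are answered by kubectl auth can-i.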

Auditing events

In a simplified form, the Kubernetes architecture can be represented as follows:

[Figure: simplified diagram of the Kubernetes architecture]

The key Kubernetes component responsible for processing requests is the api-server. All operations on the cluster pass through it. You can read more about these internal mechanisms in the article "What happens in Kubernetes when you run kubectl run?".

System auditing is an interesting capability of Kubernetes that is disabled by default. It allows logging every call to the Kubernetes API. As you might guess, all actions related to monitoring and changing the state of the cluster go through this API. A good description of its capabilities can (as usual) be found in the official K8s documentation. Below I will try to present the subject in simpler language.

So, to enable auditing, we need to pass three required parameters to the container with the api-server, which are described in more detail below:

  • --audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml
  • --audit-log-path=/var/log/kube-audit/audit.log
  • --audit-log-format=json

In addition to these three required parameters, there are many more settings related to auditing: from log rotation to webhook descriptions. Example log rotation parameters:

  • --audit-log-maxbackup=10
  • --audit-log-maxsize=100
  • --audit-log-maxage=7

But we will not dwell on them - you can find all the details in the kube-apiserver documentation.

As already mentioned, all parameters are set in the manifest with the api-server configuration (by default /etc/kubernetes/manifests/kube-apiserver.yaml), in the command section. Let's return to the 3 required parameters and examine them:

  1. audit-policy-file - path to the YAML file describing the audit policy. We will return to its contents later, but for now I will note that the file must be readable by the api-server process. Therefore it must be mounted inside the container, for which you can add the following to the corresponding sections of the config:
      volumeMounts:
        - mountPath: /etc/kubernetes/policies
          name: policies
          readOnly: true
      volumes:
      - hostPath:
          path: /etc/kubernetes/policies
          type: DirectoryOrCreate
        name: policies
  2. audit-log-path - path to the log file. The path must also be accessible to the api-server process, so we describe its mount in the same way:
      volumeMounts:
        - mountPath: /var/log/kube-audit
          name: logs
          readOnly: false
      volumes:
      - hostPath:
          path: /var/log/kube-audit
          type: DirectoryOrCreate
        name: logs
  3. audit-log-format - the format of the audit log. The default is json, but the legacy text format is also available.

Audit policy

Now about the file mentioned above that describes the policy. The first concept of an audit policy is level, the logging level. These are:

  • None - do not log;
  • Metadata - log the request metadata: user, request time, target resource (pod, namespace, etc.), action type (verb), etc.;
  • Request - log the metadata and the request body;
  • RequestResponse - log the metadata, the request body and the response body.

The last two levels (Request and RequestResponse) do not apply to requests that do not access resources (accesses to the so-called non-resource URLs).

Also, every request passes through several stages:

  • RequestReceived - the stage when the request has been received by the handler but not yet passed further down the chain of handlers;
  • ResponseStarted - the response headers have been sent, but the response body has not. Generated for long-running requests (for example, watch);
  • ResponseComplete - the response body has been sent; no more data will be sent;
  • Panic - events generated when an abnormal situation is detected.

Any stage can be skipped using omitStages.

In a policy file we can describe several sections with different logging levels. The first matching rule found in the policy description is applied.

The kubelet daemon watches for changes in the manifest with the api-server configuration and, if any are found, restarts the container with the api-server. But there is an important detail: changes to the policy file are ignored by it. After changing the policy file, you need to restart the api-server manually. Since the api-server is started as a static pod, kubectl delete will not cause it to restart. You have to manually run docker stop on the kube-masters where the audit policy was changed:

docker stop $(docker ps | grep k8s_kube-apiserver | awk '{print $1}')

When enabling auditing, it is important to remember that it increases the load on kube-apiserver. In particular, memory consumption grows, since the request context has to be stored. Logging starts only after the response headers have been sent. The load also depends on the audit policy configuration.
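As an added example (not from the article), here is a small Python consumer for the json audit log described above. It works over constructed sample events in the audit.k8s.io/v1 Event format (the level, stage, user, verb, objectRef and responseStatus fields kube-apiserver writes): it keeps the ResponseComplete stage of each request so that every request is counted once, summarises activity per user, lists successful Secret reads by non-system identities, and lists requests the authorizer rejected with 403. The sample users, namespaces and secret names are invented for the example.

```python
import json
from collections import Counter

# Constructed sample of the json audit log written with --audit-log-format=json:
# one audit Event per line. Field names follow the audit.k8s.io/v1 Event schema.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "auditID": "a1",
     "stage": "RequestReceived", "requestURI": "/api/v1/namespaces/target-namespace/pods",
     "verb": "list", "user": {"username": "mynewuser", "groups": ["system:authenticated"]},
     "objectRef": {"resource": "pods", "namespace": "target-namespace", "apiVersion": "v1"},
     "requestReceivedTimestamp": "2019-08-01T10:00:00.000000Z"},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "auditID": "a1",
     "stage": "ResponseComplete", "requestURI": "/api/v1/namespaces/target-namespace/pods",
     "verb": "list", "user": {"username": "mynewuser", "groups": ["system:authenticated"]},
     "objectRef": {"resource": "pods", "namespace": "target-namespace", "apiVersion": "v1"},
     "responseStatus": {"code": 200}, "stageTimestamp": "2019-08-01T10:00:00.050000Z"},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "auditID": "a2",
     "stage": "ResponseComplete", "requestURI": "/api/v1/namespaces/target-namespace/secrets/db-password",
     "verb": "get", "user": {"username": "mynewuser", "groups": ["system:authenticated"]},
     "objectRef": {"resource": "secrets", "namespace": "target-namespace", "name": "db-password", "apiVersion": "v1"},
     "responseStatus": {"code": 403}, "stageTimestamp": "2019-08-01T10:01:00.000000Z"},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "auditID": "a3",
     "stage": "ResponseComplete", "requestURI": "/api/v1/namespaces/kube-system/secrets/sa-token",
     "verb": "get", "user": {"username": "system:kube-controller-manager", "groups": ["system:authenticated"]},
     "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": "sa-token", "apiVersion": "v1"},
     "responseStatus": {"code": 200}, "stageTimestamp": "2019-08-01T10:02:00.000000Z"},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "auditID": "a4",
     "stage": "ResponseComplete", "requestURI": "/api/v1/namespaces/prod/secrets/db-password",
     "verb": "get", "user": {"username": "alice", "groups": ["auditors", "system:authenticated"]},
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-password", "apiVersion": "v1"},
     "responseStatus": {"code": 200}, "stageTimestamp": "2019-08-01T10:03:00.000000Z"},
]) + "\n"


def parse_events(text: str) -> list:
    """Parse one JSON Event per line; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def completed(events: list) -> list:
    """Keep one record per request: the ResponseComplete stage, which is the
    one carrying the response status code."""
    return [e for e in events if e.get("stage") == "ResponseComplete"]


def _target(event: dict):
    ref = event.get("objectRef")
    return ref["resource"] if ref else event.get("requestURI")


def activity_summary(events: list) -> Counter:
    """Count requests per (username, verb, resource or non-resource URL)."""
    return Counter((e["user"]["username"], e["verb"], _target(e)) for e in events)


def secret_reads(events: list, ignore_prefixes=("system:",)) -> list:
    """Successful reads of Secret objects by non-system identities: the
    events a defender wants to review first."""
    hits = []
    for e in events:
        ref = e.get("objectRef") or {}
        user = e["user"]["username"]
        if ref.get("resource") != "secrets" or e["verb"] not in ("get", "list", "watch"):
            continue
        if user.startswith(ignore_prefixes):
            continue
        if e.get("responseStatus", {}).get("code", 0) >= 400:
            continue
        hits.append((user, ref.get("namespace"), ref.get("name")))
    return hits


def forbidden_requests(events: list) -> list:
    """Requests the authorizer rejected (HTTP 403): RBAC gaps or probing."""
    return [(e["user"]["username"], e["verb"], _target(e))
            for e in events if e.get("responseStatus", {}).get("code") == 403]
```

With a real file, replace SAMPLE_LOG with the contents of the path given in --audit-log-path; since the log is rotated by --audit-log-maxbackup and friends, a production consumer would tail the file or, better, use the webhook backend mentioned at the end of the article.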

Policy examples

Let's look at the structure of policy files using examples.

Here is a simple policy file that logs everything at the Metadata level:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata

In a policy you can specify a list of users (Users and ServiceAccounts) and user groups. For example, this is how we ignore system users but log everything else at the Request level:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: None
    userGroups:
      - "system:serviceaccounts"
      - "system:nodes"
    users:
      - "system:anonymous"
      - "system:apiserver"
      - "system:kube-controller-manager"
      - "system:kube-scheduler"
  - level: Request

You can also describe targets:

  • namespaces (namespaces);
  • verbs (verbs: get, update, delete, etc.);
  • resources (resources, namely: pod, configmaps, etc.) and resource groups (apiGroups).

Attention! Resources and resource groups (API groups, i.e. apiGroups), as well as their versions installed in the cluster, can be obtained with the commands:

kubectl api-resources
kubectl api-versions

The audit policy offered as an example of best practice in the Alibaba Cloud documentation:

apiVersion: audit.k8s.io/v1beta1
kind: Policy
# Do not log the RequestReceived stage
omitStages:
  - "RequestReceived"
rules:
  # Do not log events considered insignificant and not dangerous:
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: "" # this is the API group with the empty name, to which the
                  # basic Kubernetes resources, called "core", belong
        resources: ["endpoints", "services"]
  - level: None
    users: ["system:unsecured"]
    namespaces: ["kube-system"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["configmaps"]
  - level: None
    users: ["kubelet"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    users:
      - system:kube-controller-manager
      - system:kube-scheduler
      - system:serviceaccount:kube-system:endpoint-controller
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # core
        resources: ["endpoints"]
  - level: None
    users: ["system:apiserver"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["namespaces"]
  # Do not log accesses to read-only URLs:
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*
  # Do not log messages related to the "events" resource type:
  - level: None
    resources:
      - group: "" # core
        resources: ["events"]
  # Resources of type Secret, ConfigMap and TokenReview may contain secret data,
  # so we log only the metadata of requests related to them
  - level: Metadata
    resources:
      - group: "" # core
        resources: ["secrets", "configmaps"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
  # get, list and watch operations can be resource-intensive; log them without the response body
  - level: Request
    verbs: ["get", "list", "watch"]
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default logging level for the standard API resources
  - level: RequestResponse
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default logging level for all other requests
  - level: Metadata
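Since the first matching rule wins, the order of rules in a policy like the one above decides what gets logged, and it is easy to get wrong. Here is an added example (my own, not part of the article or of Kubernetes) that evaluates a policy in Python: a trimmed dict version of the policy above (what yaml.safe_load would return), a function returning the level the first matching rule assigns to a request, and one telling whether a given stage is written at all, honouring omitStages. The request dict shape (user, groups, verb, namespace, apiGroup, resource, name, nonResourceURL) is this example's own convention.

```python
# Constructed policy: a trimmed version of the Alibaba Cloud example above.
POLICY = {
    "apiVersion": "audit.k8s.io/v1",
    "kind": "Policy",
    "omitStages": ["RequestReceived"],
    "rules": [
        {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
         "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
        {"level": "None", "nonResourceURLs": ["/healthz*", "/version", "/swagger*"]},
        {"level": "None", "resources": [{"group": "", "resources": ["events"]}]},
        {"level": "Metadata", "resources": [{"group": "", "resources": ["secrets", "configmaps"]},
                                             {"group": "authentication.k8s.io", "resources": ["tokenreviews"]}]},
        {"level": "Request", "verbs": ["get", "list", "watch"],
         "resources": [{"group": ""}, {"group": "apps"}]},
        {"level": "RequestResponse", "resources": [{"group": ""}, {"group": "apps"}]},
        {"level": "Metadata"},  # catch-all: everything not matched above
    ],
}


def _url_matches(pattern: str, url: str) -> bool:
    """nonResourceURLs entries allow a trailing "*" wildcard, e.g. /healthz*."""
    if pattern.endswith("*"):
        return url.startswith(pattern[:-1])
    return url == pattern


def _resource_matches(group_rule: dict, req: dict) -> bool:
    """A resources entry names an API group ("" is core); an empty or missing
    "resources" list means every resource of that group."""
    if group_rule.get("group", "") != req.get("apiGroup", ""):
        return False
    kinds = group_rule.get("resources")
    if kinds and req["resource"] not in kinds:
        return False
    names = group_rule.get("resourceNames")
    if names and req.get("name") not in names:
        return False
    return True


def rule_matches(rule: dict, req: dict) -> bool:
    """Every selector present in the rule must match; absent selectors match
    anything. A resource request never matches a nonResourceURLs rule and a
    non-resource request never matches a resources rule."""
    if "users" in rule and req["user"] not in rule["users"]:
        return False
    if "userGroups" in rule and not set(rule["userGroups"]) & set(req.get("groups", [])):
        return False
    if "verbs" in rule and req["verb"] not in rule["verbs"]:
        return False
    if "namespaces" in rule and req.get("namespace") not in rule["namespaces"]:
        return False
    if "nonResourceURLs" in rule:
        url = req.get("nonResourceURL")
        if url is None or not any(_url_matches(p, url) for p in rule["nonResourceURLs"]):
            return False
    if "resources" in rule:
        if "resource" not in req:
            return False
        if not any(_resource_matches(g, req) for g in rule["resources"]):
            return False
    return True


def audit_level(req: dict, policy: dict = POLICY) -> str:
    """First matching rule wins; with no matching rule the request is not logged."""
    for rule in policy["rules"]:
        if rule_matches(rule, req):
            return rule["level"]
    return "None"


def event_logged(req: dict, stage: str, policy: dict = POLICY) -> bool:
    """An event is written only if the level is not None and the stage is not
    omitted, either globally or by the matching rule's own omitStages."""
    for rule in policy["rules"]:
        if rule_matches(rule, req):
            omitted = set(policy.get("omitStages", [])) | set(rule.get("omitStages", []))
            return rule["level"] != "None" and stage not in omitted
    return False
```

Try moving the catch-all Metadata rule to the top of the list: every request then matches it first and the more specific rules below never apply, which is exactly the ordering mistake the evaluator makes visible before a policy reaches a cluster.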

Another good example of an audit policy is the profile used in GCE.

To respond quickly to audit events, a webhook can be described. This topic is covered in the official documentation; I will leave it outside the scope of this article.

Results

The article gives an overview of the basic security mechanisms in Kubernetes clusters, which let you create personalized user accounts, separate their rights and log their actions. I hope it will be useful to those who face such questions in theory or in practice. I also recommend reading the list of other materials on Kubernetes security given in the "PS" - perhaps among them you will find the details you need on the problems relevant to you.

PS

Also read on our blog:

Source: www.habr.com
