Sooner or later, in the operation of any system, the question of security comes up: providing authentication, separation of rights, auditing and other tasks. Already created for Kubernetes
Authentication
There are two types of users in Kubernetes:
- Service Accounts - accounts managed by the Kubernetes API;
- Users - "normal" users managed by external, independent services.
The main difference between these types is that for Service Accounts there are special objects in the Kubernetes API (they are called exactly that - ServiceAccounts), which are bound to a namespace and to a set of authorization data stored in the cluster in objects of type Secret. Such users (Service Accounts) are mainly intended for managing access rights to the Kubernetes API for processes running in the Kubernetes cluster.
Normal Users have no entries in the Kubernetes API: they must be managed by external mechanisms. They are intended for people or processes living outside the cluster.
Each API request is associated with a Service Account, with a User, or is treated as anonymous.
User authentication data includes:
- Username - the user name (case sensitive!);
- UID - a machine-readable user identification string that is "more consistent and unique than the username";
- Groups - the list of groups the user belongs to;
- Extra - additional fields that can be used by the authorization mechanism.
Kubernetes can use a large number of authentication mechanisms: X509 certificates, Bearer tokens, an authenticating proxy, HTTP Basic Auth. Using these mechanisms, you can implement a large number of authorization schemes: from a static file with passwords to OpenID OAuth2.
Moreover, several authorization schemes can be used at the same time. By default, the cluster uses:
- service account tokens - for Service Accounts;
- X509 - for Users.
The question of managing ServiceAccounts is beyond the scope of this article, but for those who want to study this topic in more detail, I recommend starting with
User certificates (X.509)
The classic way of working with certificates involves:
- key generation:
  mkdir -p ~/.certs/
  openssl genrsa -out ~/.certs/mynewuser.key 2048
- generating a certificate request:
  openssl req -new -key ~/.certs/mynewuser.key -out ~/.certs/mynewuser.csr -subj "/CN=mynewuser/O=company"
- processing the certificate request with the Kubernetes cluster CA keys and obtaining the user certificate (to obtain the certificate, you must use an account that has access to the Kubernetes cluster CA key, which by default is located in /etc/kubernetes/pki/ca.key):
  openssl x509 -req -in ~/.certs/mynewuser.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out ~/.certs/mynewuser.crt -days 500
- creating a configuration file:
  - cluster description (specify the address and the location of the CA certificate file for the specific cluster installation):
    kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server=https://192.168.100.200:6443
  - or, as a not recommended option, you can skip specifying the root certificate (then kubectl will not verify the cluster's api-server certificate):
    kubectl config set-cluster kubernetes --insecure-skip-tls-verify=true --server=https://192.168.100.200:6443
  - adding the user to the configuration file:
    kubectl config set-credentials mynewuser --client-certificate=.certs/mynewuser.crt --client-key=.certs/mynewuser.key
  - adding a context:
    kubectl config set-context mynewuser-context --cluster=kubernetes --namespace=target-namespace --user=mynewuser
  - default context assignment:
    kubectl config use-context mynewuser-context
After the above manipulations, a config like this will be created in the .kube/config file:
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/pki/ca.crt
    server: https://192.168.100.200:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: target-namespace
    user: mynewuser
  name: mynewuser-context
current-context: mynewuser-context
kind: Config
preferences: {}
users:
- name: mynewuser
  user:
    client-certificate: /home/mynewuser/.certs/mynewuser.crt
    client-key: /home/mynewuser/.certs/mynewuser.key
To make it easier to move the config between accounts and servers, it is useful to edit the values of the following keys:
- certificate-authority
- client-certificate
- client-key
To do this, you can base64-encode the files they point to and write the result into the config, adding the suffix -data to the key name, i.e. obtaining certificate-authority-data and so on.
Certificates with kubeadm
With the release
  kubeadm alpha kubeconfig user --client-name=mynewuser --apiserver-advertise-address 192.168.100.200
NB: The required advertise address can be found in the api-server config, which by default is located in /etc/kubernetes/manifests/kube-apiserver.yaml.
The resulting config will be printed to stdout. It needs to be saved in ~/.kube/config of the user account or in the file specified in the KUBECONFIG environment variable.
Dig Deep
For those who want to understand the issues described in more depth:
- a separate chapter on working with certificates in the official Kubernetes documentation;
- a good article from Bitnami, in which the topic of certificates is covered from a practical point of view;
- general documentation on authentication in Kubernetes.
Authorization
By default, an authenticated account has no rights to act in the cluster. To grant permissions, Kubernetes implements an authorization mechanism.
Before version 1.6, Kubernetes used an authorization type called ABAC (Attribute-based access control). Details about it can be found in
The current (and more flexible) way of dividing access rights to a cluster is called RBAC (
To enable RBAC, you need to start the Kubernetes api-server with the parameter --authorization-mode=RBAC. The parameters are set in the manifest with the api-server configuration, which by default is located at /etc/kubernetes/manifests/kube-apiserver.yaml, in the command section. However, RBAC is already enabled by default, so most likely you do not need to worry about it: you can verify this by the value of authorization-mode (in the already mentioned kube-apiserver.yaml). By the way, among its values there may be other types of authorization (node, webhook, always allow), but we will leave them outside the scope of this article.
By the way, we have already published
The following API entities are used to control access in Kubernetes through RBAC:
- Role and ClusterRole - roles that serve to describe access rights:
  - Role allows you to describe rights within a namespace;
  - ClusterRole - within the cluster, including cluster-specific objects such as nodes and non-resource urls (i.e. not related to Kubernetes resources - for example, /version, /logs, /api*);
- RoleBinding and ClusterRoleBinding - used to bind a Role and a ClusterRole to a user, a group of users or a ServiceAccount.
The Role and RoleBinding entities are limited by namespace, i.e. they must be within the same namespace. However, a RoleBinding can refer to a ClusterRole, which allows you to create a set of generic permissions and control access using them.
Roles describe rights using sets of rules containing:
- API groups - see the official documentation on apiGroups and the output of kubectl api-resources;
- resources (resources: pod, namespace, deployment and so on);
- verbs (actions: set, update and so on);
- resource names (resourceNames) - for the case when you need to grant access to a specific resource, and not to all resources of this type.
A more detailed analysis of authorization in Kubernetes can be found on the page
Examples of RBAC entities
A simple Role that allows you to get the list and status of pods and watch them in the target-namespace namespace:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: target-namespace
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
Example: a ClusterRole that allows you to get the list and status of pods and watch them in the whole cluster:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # there is no "namespace" section, since a ClusterRole applies to the whole cluster
  name: secret-reader
rules:
# read-only access to Secret objects
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
Example: a RoleBinding that allows the user mynewuser to "read" pods in the my-namespace namespace:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: target-namespace # the namespace in which the rights are granted
subjects:
- kind: User
  name: mynewuser # the user name is case sensitive!
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role # this must be "Role" or "ClusterRole"
  name: pod-reader # name of the Role located in the same namespace,
                   # or name of the ClusterRole whose use
                   # we want to allow for the user
  apiGroup: rbac.authorization.k8s.io
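The matching logic behind these objects can be modelled in a few lines. This is an added example, not code from the article or from Kubernetes: it covers User and Group subjects only, and the second RoleBinding (group "company" in a namespace "dev") is constructed to show a RoleBinding that refers to a ClusterRole.

```python
# Page objects: Role pod-reader, ClusterRole secret-reader, RoleBinding read-pods.
# Roles are keyed by (namespace, name); ClusterRoles use namespace None.
ROLES = {
    ("target-namespace", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}],
    (None, "secret-reader"): [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}],
}
ROLE_BINDINGS = [
    {"namespace": "target-namespace",            # read-pods, as on the page
     "subjects": [{"kind": "User", "name": "mynewuser"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"namespace": "dev",                         # constructed for this example
     "subjects": [{"kind": "Group", "name": "company"}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
]

def _has(values, wanted):
    return "*" in values or wanted in values

def rule_allows(rule, verb, api_group, resource, name=""):
    if not (_has(rule["verbs"], verb) and _has(rule["apiGroups"], api_group)
            and _has(rule["resources"], resource)):
        return False
    names = rule.get("resourceNames", [])
    return not names or name in names     # empty resourceNames means any object

def subject_matches(subject, user, groups):
    if subject["kind"] == "User":
        return subject["name"] == user    # exact match: user names are case sensitive
    return subject["kind"] == "Group" and subject["name"] in groups

def is_allowed(user, groups, verb, api_group, resource, namespace, name=""):
    for binding in ROLE_BINDINGS:
        # A RoleBinding grants rights only inside its own namespace,
        # even when its roleRef points at a ClusterRole.
        if binding["namespace"] != namespace:
            continue
        if not any(subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        role_ns = binding["namespace"] if ref["kind"] == "Role" else None
        rules = ROLES.get((role_ns, ref["name"]), [])
        if any(rule_allows(r, verb, api_group, resource, name) for r in rules):
            return True
    return False                          # no matching rule: denied by default

if __name__ == "__main__":
    print(is_allowed("mynewuser", ["company"], "list", "", "pods", "target-namespace"))
    print(is_allowed("MyNewUser", ["company"], "list", "", "pods", "target-namespace"))
    print(is_allowed("mynewuser", ["company"], "get", "", "secrets", "dev"))
```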
Event auditing
Schematically, the Kubernetes architecture can be represented as follows:
The key Kubernetes component responsible for processing requests is the api-server. All operations on the cluster go through it. You can read more about these internal mechanisms in the article "
System auditing is an interesting feature of Kubernetes that is disabled by default. It lets you log all calls to the Kubernetes API. As you might guess, all actions related to inspecting and changing the cluster state are performed through this API. A good description of its capabilities can (as usual) be found in
So, to enable auditing, we need to pass three required parameters to the api-server container, which are described in more detail below:
- --audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml
- --audit-log-path=/var/log/kube-audit/audit.log
- --audit-log-format=json
In addition to these three required parameters, there are many additional settings related to auditing: from log rotation to webhook descriptions. Example of log rotation parameters:
- --audit-log-maxbackup=10
- --audit-log-maxsize=100
- --audit-log-maxage=7
But we will not dwell on them - you can find all the details in
As already mentioned, all parameters are set in the manifest with the api-server configuration (by default /etc/kubernetes/manifests/kube-apiserver.yaml), in the command section. Let's go back to the three required parameters and look at them:
- audit-policy-file - the path to the YAML file describing the audit policy. We will return to its contents later, but for now note that the file must be readable by the api-server process. Therefore, it has to be mounted inside the container, for which you can add the following code to the appropriate sections of the config:
  volumeMounts:
    - mountPath: /etc/kubernetes/policies
      name: policies
      readOnly: true
  volumes:
    - hostPath:
        path: /etc/kubernetes/policies
        type: DirectoryOrCreate
      name: policies
- audit-log-path - the path to the log file. This path must also be accessible to the api-server process, so we describe its mounting in the same way:
  volumeMounts:
    - mountPath: /var/log/kube-audit
      name: logs
      readOnly: false
  volumes:
    - hostPath:
        path: /var/log/kube-audit
        type: DirectoryOrCreate
      name: logs
- audit-log-format - the audit log format. The default is json, but the legacy text format is also available (legacy).
Audit Policy
Now about the mentioned file describing the logging policy. The first concept of an audit policy is level, the logging level. The levels are as follows:
- None - do not log;
- Metadata - log request metadata: user, request time, target resource (pod, namespace, etc.), action type (verb), etc.;
- Request - log metadata and the request body;
- RequestResponse - log metadata, the request body and the response body.
The last two levels (Request and RequestResponse) do not log requests that did not access resources (access to so-called non-resource urls).
Also, all requests go through several stages:
- RequestReceived - the stage when the request has been received by the handler and has not yet been passed further along the handler chain;
- ResponseStarted - the response headers have been sent, but the response body has not been sent yet. Generated for long-running requests (for example, watch);
- ResponseComplete - the response body has been sent, no more information will be sent;
- Panic - events generated when an abnormal situation is detected.
To skip any stages, you can use omitStages.
In the policy file, we can describe several sections with different logging levels. The first matching rule found in the policy description will be applied.
The kubelet daemon monitors changes in the manifest with the api-server configuration and, if any are detected, restarts the container with the api-server. But there is an important detail: changes in the policy file will be ignored by it. After making changes to the policy file, you will need to restart the api-server manually. Since the api-server is started as a static pod, the kubectl delete command will not cause it to restart. You will have to run docker stop manually on the kube-masters where the audit policy has been changed:
docker stop $(docker ps | grep k8s_kube-apiserver | awk '{print $1}')
When enabling auditing, it is important to remember that the load on kube-apiserver increases. In particular, memory consumption for storing request context grows. Logging starts only after the response header has been sent. The load also depends on the audit policy configuration.
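With --audit-log-format=json the file at audit-log-path holds one JSON event per line, which makes a first triage pass straightforward. The following is an added example, not part of the original article: the sample lines are constructed, and the allowlist of identities expected to read Secrets is an assumption to adapt to your cluster.

```python
import json

# Assumption for this example: identities that are expected to read Secrets.
EXPECTED_SECRET_READERS = {"system:apiserver", "system:kube-controller-manager"}

def _event(user, verb, resource, code=None, stage="ResponseComplete"):
    """Serialize one constructed audit event as a single audit.log line."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
          "stage": stage, "verb": verb, "user": {"username": user},
          "objectRef": {"resource": resource, "namespace": "target-namespace"}}
    if code is not None:
        ev["responseStatus"] = {"code": code}
    return json.dumps(ev)

# Constructed sample input (not from a real cluster); the last line is truncated.
SAMPLE_LOG = "\n".join([
    _event("mynewuser", "list", "pods", 200),
    _event("mynewuser", "get", "secrets", stage="RequestReceived"),
    _event("mynewuser", "get", "secrets", 403),
    _event("system:kube-controller-manager", "get", "secrets", 200),
    _event("system:anonymous", "list", "pods", 403),
    '{"kind":"Event","stage":"ResponseCompl',
])

def classify(ev):
    """Return the reasons an event deserves a closer look (may be empty)."""
    user = ev.get("user", {}).get("username", "")
    ref = ev.get("objectRef") or {}
    reasons = []
    if user == "system:anonymous":
        reasons.append("anonymous")
    if (ev.get("responseStatus") or {}).get("code") == 403:
        reasons.append("forbidden")
    if ref.get("resource") == "secrets" and user not in EXPECTED_SECRET_READERS:
        reasons.append("secret-access")
    return reasons

def triage(log_text):
    """Scan JSON-lines audit output; return (findings, unparsable_line_count)."""
    findings, unparsable = [], 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            unparsable += 1          # e.g. a line cut off by rotation or a crash
            continue
        # One request produces an event per stage; count it once, when it is final.
        if ev.get("stage") != "ResponseComplete":
            continue
        user = ev.get("user", {}).get("username", "")
        resource = (ev.get("objectRef") or {}).get("resource")
        for reason in classify(ev):
            findings.append((reason, user, ev.get("verb"), resource))
    return findings, unparsable

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)[0]:
        print(finding)
```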
Policy examples
Let's look at the structure of policy files using examples.
Here is a simple policy file to log everything at the Metadata level:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
In a policy, you can specify a list of users (Users and ServiceAccounts) and user groups. For example, this is how we ignore system users but log everything else at the Request level:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # requests from these groups and users are not logged at all
  - level: None
    userGroups:
      - "system:serviceaccounts"
      - "system:nodes"
    users:
      - "system:anonymous"
      - "system:apiserver"
      - "system:kube-controller-manager"
      - "system:kube-scheduler"
  - level: Request
It is also possible to describe the targets:
- namespaces (namespaces);
- verbs (actions: get, update, delete and others);
- resources (resources, namely: pod, configmaps, etc.) and resource groups (apiGroups).
Pay attention! Resources and resource groups (API groups, i.e. apiGroups), as well as their versions installed in the cluster, can be obtained using the commands:
kubectl api-resources
kubectl api-versions
The following audit policy is given as a demonstration of best practices in
apiVersion: audit.k8s.io/v1beta1
kind: Policy
# Do not log the RequestReceived stage
omitStages:
  - "RequestReceived"
rules:
  # Do not log events that are considered insignificant and not dangerous:
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: "" # this is the API group with an empty name, which holds
                  # the basic Kubernetes resources, called "core"
        resources: ["endpoints", "services"]
  - level: None
    users: ["system:unsecured"]
    namespaces: ["kube-system"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["configmaps"]
  - level: None
    users: ["kubelet"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    users:
      - system:kube-controller-manager
      - system:kube-scheduler
      - system:serviceaccount:kube-system:endpoint-controller
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # core
        resources: ["endpoints"]
  - level: None
    users: ["system:apiserver"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["namespaces"]
  # Do not log requests to read-only URLs:
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*
  # Do not log messages related to the "events" resource type:
  - level: None
    resources:
      - group: "" # core
        resources: ["events"]
  # Resources of type Secret, ConfigMap and TokenReview can contain sensitive data,
  # so we log only the metadata of the requests related to them
  - level: Metadata
    resources:
      - group: "" # core
        resources: ["secrets", "configmaps"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
  # Responses to get, list and watch can be resource-intensive;
  # log the request only, without the response body
  - level: Request
    verbs: ["get", "list", "watch"]
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default logging level for standard API resources
  - level: RequestResponse
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default logging level for all other requests
  - level: Metadata
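Because the first matching rule decides the level, the order of the rules in this policy is what keeps Secret contents out of the log. The following added example (not from the article or from Kubernetes) is a simplified model of that evaluation over an abridged copy of the policy; subresources and resourceNames are not modelled, and the sample requests are constructed.

```python
# Abridged copy of the policy above (same rule order); the requests are constructed.
POLICY = [
    {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
     "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
    {"level": "None", "nonResourceURLs": ["/healthz*", "/version", "/swagger*"]},
    {"level": "Metadata", "resources": [
        {"group": "", "resources": ["secrets", "configmaps"]},
        {"group": "authentication.k8s.io", "resources": ["tokenreviews"]}]},
    {"level": "Request", "verbs": ["get", "list", "watch"],
     "resources": [{"group": ""}, {"group": "apps"}]},
    {"level": "RequestResponse", "resources": [{"group": ""}, {"group": "apps"}]},
    {"level": "Metadata"},
]
# Same rules with the RequestResponse default moved to the top (a misordering).
MISORDERED = [POLICY[4]] + POLICY[:4] + POLICY[5:]

def _url_matches(patterns, path):
    # nonResourceURLs entries are exact paths or prefixes ending in "*"
    return any(p == path or (p.endswith("*") and path.startswith(p[:-1]))
               for p in patterns)

def _resource_matches(rule, req):
    if rule.get("namespaces") and req.get("namespace", "") not in rule["namespaces"]:
        return False
    specs = rule.get("resources", [])
    return not specs or any(
        s["group"] == req["group"]
        and (not s.get("resources") or req["resource"] in s["resources"])
        for s in specs)

def rule_matches(rule, req):
    if rule.get("users") and req["user"] not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(rule["userGroups"]) & set(req.get("groups", [])):
        return False
    if rule.get("verbs") and req["verb"] not in rule["verbs"]:
        return False
    is_resource = "resource" in req
    if rule.get("namespaces") or rule.get("resources"):
        return is_resource and _resource_matches(rule, req)
    if rule.get("nonResourceURLs"):
        return not is_resource and _url_matches(rule["nonResourceURLs"], req["path"])
    return True                      # a rule with no selectors matches everything

def audit_level(policy, req):
    for rule in policy:              # the first matching rule decides
        if rule_matches(rule, req):
            return rule["level"]
    return "None"                    # nothing matched: the request is not logged

SECRET_UPDATE = {"user": "mynewuser", "verb": "update", "group": "",
                 "resource": "secrets", "namespace": "target-namespace"}
POD_LIST = dict(SECRET_UPDATE, verb="list", resource="pods")
HEALTH = {"user": "system:anonymous", "verb": "get", "path": "/healthz/ready"}

if __name__ == "__main__":
    for name, req in [("secret update", SECRET_UPDATE), ("pod list", POD_LIST),
                      ("health probe", HEALTH)]:
        print(name, audit_level(POLICY, req), audit_level(MISORDERED, req))
```

With the rules in the page's order a Secret update is recorded at Metadata; in the misordered copy the same request is recorded at RequestResponse, i.e. with the Secret's body in the audit log.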
Another good example of an audit policy is
To respond quickly to audit events, it is possible to describe a webhook. This topic is covered in
Conclusion
The article gives an overview of the basic security mechanisms in Kubernetes clusters, which allow you to create personal user accounts, separate their rights, and record their actions. I hope it will be useful to those who face such issues in theory or in practice. I also recommend that you read the list of other materials on the topic of security in Kubernetes, which is given in the "PS" - perhaps among them you will find the details you need on the problems relevant to you.
PS
Read also on our blog:
- "33+ Kubernetes security tools";
- "Introduction to Kubernetes Network Policies for Security Professionals";
- "Understanding RBAC in Kubernetes";
- "9 Best Practices for Kubernetes Security";
- "11 Ways to (Not) Become a Victim of a Kubernetes Hack".
Source: www.habr.com