The ABCs of Kubernetes Security: Authentication, Authorization, Auditing

Sooner or later, in the operation of any system, the question of security comes up: ensuring authentication, separation of privileges, auditing and other tasks. Many solutions have already been created for Kubernetes that let you achieve compliance with standards even in very demanding environments... This article, however, is devoted to the fundamental security mechanisms implemented in Kubernetes' built-in facilities. First of all, it will be useful to those who are just getting acquainted with Kubernetes, as a starting point for studying security-related issues.

Authentication

There are two types of users in Kubernetes:

  • Service Accounts - accounts managed by the Kubernetes API;
  • Users - "normal" users managed by external, independent services.

The main difference between these types is that for Service Accounts there are special objects in the Kubernetes API (called just that, ServiceAccounts), which are bound to a namespace and to a set of authorization data stored in the cluster in objects of the Secret type. Such users (Service Accounts) are mainly intended to manage access rights to the Kubernetes API for processes running inside the Kubernetes cluster.

Normal Users have no entries in the Kubernetes API: they must be managed by external mechanisms. They are intended for people or processes living outside the cluster.

Each API request is associated either with a Service Account, with a User, or is considered anonymous.

A user's authentication data includes:

  • Username - the user name (case-sensitive!);
  • UID - a machine-readable user identification string that is "more consistent and unique than the username";
  • Groups - the list of groups the user belongs to;
  • Extra - additional fields that can be used by the authorization mechanism.

Kubernetes can use a large number of authentication mechanisms: X509 certificates, Bearer tokens, an authenticating proxy, HTTP Basic Auth. Using these mechanisms, you can implement a large number of authentication schemes: from a static file with passwords to OpenID OAuth2.

Moreover, several authentication schemes can be used at the same time. By default, the cluster uses:

  • service account tokens - for Service Accounts;
  • X509 - for Users.

Managing ServiceAccounts is beyond the scope of this article, but for those who want to get to know this topic more closely, I recommend starting with the official documentation pages. We will take a closer look at how X509 certificates work.

User certificates (X.509)

The classic way of working with certificates involves:

  • key generation:
    mkdir -p ~/.certs/
    openssl genrsa -out ~/.certs/mynewuser.key 2048
  • creating a certificate signing request:
    openssl req -new -key ~/.certs/mynewuser.key -out ~/.certs/mynewuser.csr -subj "/CN=mynewuser/O=company"
  • processing the certificate request with the Kubernetes cluster CA keys to obtain the user certificate (to do this, you must use an account that has access to the Kubernetes cluster CA key, which by default is located at /etc/kubernetes/pki/ca.key):
    openssl x509 -req -in ~/.certs/mynewuser.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out ~/.certs/mynewuser.crt -days 500
  • creating a configuration file:
    • cluster description (specify the address and the location of the CA certificate file of the specific cluster installation):
      kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server=https://192.168.100.200:6443
    • or, as a not recommended option, without specifying the root certificate (then kubectl will not verify the certificate of the cluster's api-server):
      kubectl config set-cluster kubernetes  --insecure-skip-tls-verify=true --server=https://192.168.100.200:6443
    • adding the user to the configuration file:
      kubectl config set-credentials mynewuser --client-certificate=.certs/mynewuser.crt  --client-key=.certs/mynewuser.key
    • adding a context:
      kubectl config set-context mynewuser-context --cluster=kubernetes --namespace=target-namespace --user=mynewuser
    • assigning the default context:
      kubectl config use-context mynewuser-context

After performing the manipulations above, a config file like this will be created in .kube/config:

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/pki/ca.crt
    server: https://192.168.100.200:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: target-namespace
    user: mynewuser
  name: mynewuser-context
current-context: mynewuser-context
kind: Config
preferences: {}
users:
- name: mynewuser
  user:
    client-certificate: /home/mynewuser/.certs/mynewuser.crt
    client-key: /home/mynewuser/.certs/mynewuser.key

To make it easier to transfer the config between accounts and servers, it is convenient to edit the values of the following keys:

  • certificate-authority
  • client-certificate
  • client-key

To do this, you can encode the files they refer to with base64 and write the result into the configuration, adding the suffix -data to the key name, i.e. you get certificate-authority-data and so on.

Certificates with kubeadm

With the release of Kubernetes 1.15, working with certificates has become easier thanks to the alpha version of its support in the kubeadm utility. For example, this is what generating a configuration file with user keys might look like now:

kubeadm alpha kubeconfig user --client-name=mynewuser --apiserver-advertise-address 192.168.100.200

NB: The required advertise address can be found in the api-server config, which by default is located at /etc/kubernetes/manifests/kube-apiserver.yaml.

The resulting config will be written to stdout. It needs to be saved in ~/.kube/config of the user account or in the file specified by the KUBECONFIG environment variable.

Digging deeper

For those who want to understand the issues described in more depth:

Authorization

By default, an authenticated account has no rights to operate on the cluster. To grant permissions, Kubernetes uses an authorization mechanism.

Before version 1.6, Kubernetes used an authorization type called ABAC (Attribute-based access control). Details about it can be found in the official documentation. This approach is now considered legacy, but you can still use it alongside other authorization modes.

The current (and most flexible) way of separating access rights to the cluster is called RBAC (Role-based access control). It has been declared stable since Kubernetes version 1.8. RBAC uses a permissions model in which everything that is not explicitly allowed is forbidden.
To enable RBAC, you need to start the Kubernetes api-server with the --authorization-mode=RBAC parameter. The parameters are set in the api-server configuration manifest, which by default is located at /etc/kubernetes/manifests/kube-apiserver.yaml, in the command section. However, RBAC is already enabled by default, so most likely you do not need to worry about it: you can verify this by the value of authorization-mode (in the already mentioned kube-apiserver.yaml). By the way, among its values there may be other authorization types (node, webhook, always allow), but we will leave their consideration outside the scope of this article.

By the way, we have already published an article with a detailed description of the principles and features of working with RBAC, so further on I will limit myself to a brief list of the basics and examples.

The following API entities are used to control access in Kubernetes via RBAC:

  • Role and ClusterRole - roles that serve to describe access rights:
    • Role lets you describe rights within a namespace;
    • ClusterRole - within the whole cluster, including cluster-specific objects such as nodes and non-resource URLs (i.e. not related to Kubernetes resources - for example, /version, /logs, /api*);
  • RoleBinding and ClusterRoleBinding - used to bind a Role or ClusterRole to a user, a group of users, or a ServiceAccount.

Role and RoleBinding entities are limited by namespace, i.e. they must be within the same namespace. However, a RoleBinding can refer to a ClusterRole, which lets you create a set of generic permissions and control access using it.

Roles describe rights using a set of rules containing:

  • API groups - see the official documentation on apiGroups and the output of kubectl api-resources;
  • resources (Resources: pod, namespace, deployment, etc.);
  • verbs (actions: get, update, etc.);
  • resource names (resourceNames) - for the case when you need to grant access to a specific resource rather than to all resources of this type.

A detailed overview of authorization in Kubernetes can be found on the official documentation page. Instead (or rather, in addition to this), I will give examples illustrating how it works.

Examples of RBAC entities

A simple Role that lets you get the list and state of pods and watch them in the target-namespace namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: target-namespace
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

Example: a ClusterRole that lets you get the list and state of secrets and watch them throughout the whole cluster:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # there is no "namespace" section, since a ClusterRole applies to the whole cluster
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

Example: a RoleBinding that allows the user mynewuser to "read" pods in the target-namespace namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: target-namespace
subjects:
- kind: User
  name: mynewuser # the user name is case-sensitive!
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role # must be "Role" or "ClusterRole" here
  name: pod-reader # the name of a Role located in the same namespace,
                   # or the name of a ClusterRole whose use
                   # we want to allow the user
  apiGroup: rbac.authorization.k8s.io
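To make the deny-by-default model concrete, here is an added Python example (not part of the original article, and not Kubernetes' own authorizer) that evaluates a request against the Role, ClusterRole and RoleBinding objects shown above, stored as plain dicts. It is a simplified model of the RBAC authorizer: it handles User, Group and ServiceAccount subjects, the apiGroups/resources/verbs/resourceNames fields of a rule, and the fact that a RoleBinding grants access only inside its own namespace even when it references a ClusterRole. Aggregated ClusterRoles, subresources and wildcard resource names are not modelled; the Request class and the function names are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """The attributes the RBAC authorizer decides on (a subset)."""
    user: str
    verb: str                     # get, list, watch, create, update, delete, ...
    resource: str                 # pods, secrets, ...
    api_group: str = ""           # "" is the core API group
    namespace: str = ""           # "" for cluster-scoped resources
    name: str = ""                # object name, checked against resourceNames
    groups: tuple = ()            # groups the authenticator attached to the user


def rule_allows(rule: dict, req: Request) -> bool:
    """One entry of a Role/ClusterRole `rules:` list; "*" matches anything."""
    def listed(values, actual):
        return "*" in values or actual in values

    if not listed(rule.get("apiGroups", []), req.api_group):
        return False
    if not listed(rule.get("resources", []), req.resource):
        return False
    if not listed(rule.get("verbs", []), req.verb):
        return False
    names = rule.get("resourceNames", [])
    return not names or req.name in names      # empty list = every object of the type


def subject_matches(subject: dict, req: Request) -> bool:
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return req.user == name                 # exact, case-sensitive comparison
    if kind == "Group":
        return name in req.groups
    if kind == "ServiceAccount":
        # Service accounts authenticate as system:serviceaccount:<namespace>:<name>
        return req.user == f"system:serviceaccount:{subject['namespace']}:{name}"
    return False


def is_allowed(objects: list, req: Request) -> bool:
    """Deny unless some binding whose subjects include the requester grants the action."""
    roles = {}
    for obj in objects:
        if obj["kind"] in ("Role", "ClusterRole"):
            ns = obj["metadata"].get("namespace", "")
            roles[(obj["kind"], ns, obj["metadata"]["name"])] = obj

    for binding in objects:
        if binding["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(subject_matches(s, req) for s in binding.get("subjects", [])):
            continue
        ref = binding["roleRef"]
        if binding["kind"] == "RoleBinding":
            ns = binding["metadata"]["namespace"]
            # A RoleBinding grants rights only inside its own namespace,
            # even when roleRef points at a ClusterRole.
            if req.namespace != ns:
                continue
            key = (ref["kind"], ns if ref["kind"] == "Role" else "", ref["name"])
        else:
            # A ClusterRoleBinding can only reference a ClusterRole.
            key = ("ClusterRole", "", ref["name"])
        role = roles.get(key)
        if role and any(rule_allows(r, req) for r in role.get("rules", [])):
            return True
    return False


# Constructed from the three manifests above (apiGroup fields omitted for brevity).
OBJECTS = [
    {"kind": "Role", "metadata": {"namespace": "target-namespace", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "target-namespace"},
     "subjects": [{"kind": "User", "name": "mynewuser"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
]


def check(user: str, verb: str, resource: str, namespace: str = "", **kw) -> bool:
    """Decide a request against the constructed objects above."""
    return is_allowed(OBJECTS, Request(user=user, verb=verb, resource=resource,
                                        namespace=namespace, **kw))


if __name__ == "__main__":
    for args in [("mynewuser", "list", "pods", "target-namespace"),
                 ("mynewuser", "delete", "pods", "target-namespace"),
                 ("mynewuser", "get", "pods", "default"),
                 ("mynewuser", "get", "secrets", "target-namespace"),
                 ("MyNewUser", "get", "pods", "target-namespace")]:
        print(args, "->", "allowed" if check(*args) else "denied")
```

Note that secret-reader exists but is bound to nobody, so it grants nothing, and that the differently cased MyNewUser is a different user as far as the binding is concerned.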

Audit

Schematically, the Kubernetes architecture can be represented as follows:

[figure: Kubernetes architecture diagram]

The key Kubernetes component responsible for processing requests is the api-server. All operations on the cluster go through it. You can read more about these internal mechanisms in the article "What happens in Kubernetes when you run kubectl run?".

Auditing is an interesting feature of Kubernetes that is disabled by default. It lets you log all calls to the Kubernetes API. As you might guess, all actions related to monitoring and changing the state of the cluster are performed through this API. A good description of its capabilities can (as always) be found in the official K8s documentation. Below I will try to present the topic in simpler language.

So, to enable auditing, we need to pass three required parameters to the container with the api-server; they are described in more detail below:

  • --audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml
  • --audit-log-path=/var/log/kube-audit/audit.log
  • --audit-log-format=json

In addition to these three required parameters, there are many additional settings related to auditing: from log rotation to webhook descriptions. An example of the log rotation parameters:

  • --audit-log-maxbackup=10
  • --audit-log-maxsize=100
  • --audit-log-maxage=7

But we won't dwell on them in detail - you can find everything about them in the kube-apiserver documentation.

As already mentioned, all parameters are set in the manifest with the api-server configuration (by default /etc/kubernetes/manifests/kube-apiserver.yaml), in the command section. Let's return to the three required parameters and go through them:

  1. audit-policy-file - path to the YAML file describing the audit policy. We will return to its contents later, but for now I will note that the file must be readable by the api-server process. Therefore it must be mounted inside the container, for which you can add the following code to the appropriate sections of the config:
      volumeMounts:
        - mountPath: /etc/kubernetes/policies
          name: policies
          readOnly: true
      volumes:
      - hostPath:
          path: /etc/kubernetes/policies
          type: DirectoryOrCreate
        name: policies
  2. audit-log-path - path to the log file. The path must also be accessible to the api-server process, so we describe its mount in the same way:
      volumeMounts:
        - mountPath: /var/log/kube-audit
          name: logs
          readOnly: false
      volumes:
      - hostPath:
          path: /var/log/kube-audit
          type: DirectoryOrCreate
        name: logs
  3. audit-log-format - the audit log format. The default is json, but the legacy text format is also available (legacy).

Audit Policy

Now about the mentioned file that describes the logging policy. The first concept of the audit policy is level, the logging level. These are:

  • None - do not log;
  • Metadata - log request metadata: user, request time, target resource (pod, namespace, etc.), type of action (verb), etc.;
  • Request - log metadata and the request body;
  • RequestResponse - log metadata, the request body and the response body.

The last two levels (Request and RequestResponse) do not apply to requests that do not access resources (access to the so-called non-resource URLs).

Also, every request goes through several stages:

  • RequestReceived - the stage when the request has been received by the handler and has not yet been passed further along the handler chain;
  • ResponseStarted - the response headers have been sent, but the response body has not been sent yet. Intended for long-running requests (for example, watch);
  • ResponseComplete - the response body has been sent, no more information will be sent;
  • Panic - events generated when an abnormal situation is detected.

To skip stages you can use omitStages.

In the policy file, we can describe several sections with different logging levels. The first matching rule found in the policy description will be applied.

The kubelet daemon monitors changes in the manifest with the api-server configuration and, if any are detected, restarts the container with the api-server. But there is an important caveat: changes in the policy file are ignored by it. After making changes to the policy file, you will have to restart the api-server manually. Since the api-server is started as a static pod, the kubectl delete command will not make it restart. You have to do it manually with docker stop on the kube-masters where the audit policy was changed:

docker stop $(docker ps | grep k8s_kube-apiserver | awk '{print $1}')

When enabling auditing, it is important to remember that the load on kube-apiserver increases. In particular, memory consumption for storing request context grows. Logging starts only after the response headers have been sent. The load also depends on the audit policy configuration.

Policy examples

Let's look at the structure of policy files using examples.

Here is a simple policy file for logging everything at the Metadata level:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata

In the policy you can specify a list of users (Users and ServiceAccounts) and user groups. For example, this is how we ignore system users but log everything else at the Request level:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # every selector present in one rule must match for the rule to apply,
  # so the group filter and the user filter go into separate rules
  - level: None
    userGroups:
      - "system:serviceaccounts"
      - "system:nodes"
  - level: None
    users:
      - "system:anonymous"
      - "system:apiserver"
      - "system:kube-controller-manager"
      - "system:kube-scheduler"
  - level: Request

It is also possible to specify targets:

  • namespaces;
  • verbs (actions: get, update, delete and others);
  • resources (Resources, i.e.: pod, configmaps, etc.) and resource groups (apiGroups).

Note! The resources and resource groups (API groups, i.e. apiGroups), along with their versions installed in the cluster, can be obtained with the commands:

kubectl api-resources
kubectl api-versions

The following audit policy is given as an illustration of best practices in the Alibaba Cloud documentation:

apiVersion: audit.k8s.io/v1beta1
kind: Policy
# Do not log the RequestReceived stage
omitStages:
  - "RequestReceived"
rules:
  # Do not log events considered insignificant and harmless:
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: "" # this is the API group with the empty name, which contains
                  # the basic Kubernetes resources, called "core"
        resources: ["endpoints", "services"]
  - level: None
    users: ["system:unsecured"]
    namespaces: ["kube-system"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["configmaps"]
  - level: None
    users: ["kubelet"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    users:
      - system:kube-controller-manager
      - system:kube-scheduler
      - system:serviceaccount:kube-system:endpoint-controller
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # core
        resources: ["endpoints"]
  - level: None
    users: ["system:apiserver"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["namespaces"]
  # Do not log requests to read-only URLs:
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*
  # Do not log messages related to the "events" resource type:
  - level: None
    resources:
      - group: "" # core
        resources: ["events"]
  # Resources of the Secret, ConfigMap and TokenReview types may contain secret data,
  # so we log only the metadata of the requests related to them
  - level: Metadata
    resources:
      - group: "" # core
        resources: ["secrets", "configmaps"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
  # Responses to get, list and watch can be large; log the request but not the response body
  - level: Request
    verbs: ["get", "list", "watch"]
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default logging level for the standard API resources
  - level: RequestResponse
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default logging level for all other requests
  - level: Metadata
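As an added Python example (not the original article's code, and not the api-server's implementation), the following evaluator applies the first-matching-rule logic from the Audit Policy section to a request, using a trimmed copy of the policy above and the earlier "ignore system users" policy, both embedded as dicts. In the second policy the group and user filters are kept in separate rules, because every selector present in a single rule must match for that rule to apply. The evaluator models the users, userGroups, verbs, namespaces, resources (group plus optional resource list) and nonResourceURLs (trailing * wildcard) selectors; subresources and omitStages are not modelled. When no rule matches it returns None, which is also the api-server's default level. The AuditAttrs class and the function names are this example's own.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuditAttrs:
    """What the api-server knows about a request when it picks the audit level."""
    user: str
    verb: str = "get"
    groups: tuple = ()
    api_group: Optional[str] = None   # None marks a non-resource request (/healthz, /version, ...)
    resource: str = ""
    namespace: str = ""
    url: str = ""                     # only used for non-resource requests


def _rule_matches(rule: dict, a: AuditAttrs) -> bool:
    """Every selector present in the rule must match; absent selectors match anything."""
    if rule.get("users") and a.user not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(rule["userGroups"]) & set(a.groups):
        return False
    if rule.get("verbs") and a.verb not in rule["verbs"]:
        return False
    if rule.get("namespaces") and a.namespace not in rule["namespaces"]:
        return False
    if "resources" in rule:
        if a.api_group is None:
            return False              # a resource rule never matches a non-resource URL
        for gr in rule["resources"]:
            if gr.get("group", "") != a.api_group:
                continue
            # an entry with a group but no "resources" list covers the whole group
            if not gr.get("resources") or a.resource in gr["resources"]:
                return True
        return False
    if "nonResourceURLs" in rule:
        if a.api_group is not None:
            return False              # and a URL rule never matches a resource request
        for pattern in rule["nonResourceURLs"]:
            if pattern.endswith("*"):
                if a.url.startswith(pattern[:-1]):
                    return True
            elif a.url == pattern:
                return True
        return False
    return True


def audit_level(policy: dict, a: AuditAttrs) -> str:
    """First matching rule wins; with no match the api-server logs nothing (None)."""
    for rule in policy.get("rules", []):
        if _rule_matches(rule, a):
            return rule["level"]
    return "None"


# Trimmed copy of the best-practice policy above (constructed for this example).
BEST_PRACTICE = {
    "apiVersion": "audit.k8s.io/v1", "kind": "Policy",
    "omitStages": ["RequestReceived"],
    "rules": [
        {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
         "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
        {"level": "None", "nonResourceURLs": ["/healthz*", "/version", "/swagger*"]},
        {"level": "None", "resources": [{"group": "", "resources": ["events"]}]},
        {"level": "Metadata", "resources": [{"group": "", "resources": ["secrets", "configmaps"]},
                                            {"group": "authentication.k8s.io", "resources": ["tokenreviews"]}]},
        {"level": "Request", "verbs": ["get", "list", "watch"],
         "resources": [{"group": ""}, {"group": "apps"}, {"group": "rbac.authorization.k8s.io"}]},
        {"level": "RequestResponse",
         "resources": [{"group": ""}, {"group": "apps"}, {"group": "rbac.authorization.k8s.io"}]},
        {"level": "Metadata"},
    ],
}

# The "ignore system users, log everything else at Request" policy, one selector per rule.
SYSTEM_USERS_POLICY = {
    "apiVersion": "audit.k8s.io/v1", "kind": "Policy",
    "rules": [
        {"level": "None", "userGroups": ["system:serviceaccounts", "system:nodes"]},
        {"level": "None", "users": ["system:anonymous", "system:apiserver",
                                    "system:kube-controller-manager", "system:kube-scheduler"]},
        {"level": "Request"},
    ],
}


if __name__ == "__main__":
    for attrs in [AuditAttrs(user="system:kube-proxy", verb="watch", api_group="", resource="endpoints"),
                  AuditAttrs(user="system:anonymous", url="/healthz/ping"),
                  AuditAttrs(user="mynewuser", verb="get", api_group="", resource="secrets"),
                  AuditAttrs(user="mynewuser", verb="create", api_group="apps", resource="deployments")]:
        print(attrs, "->", audit_level(BEST_PRACTICE, attrs))
```

A useful check when writing your own policy is to run the requests you care about (reads of Secrets, changes to RBAC objects, anonymous access) through such an evaluator and confirm that none of them silently falls into a None rule placed earlier in the file.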

Another good example of an audit policy is the profile used in GCE.

To respond quickly to audit events, it is possible to describe a webhook. This topic is covered in the official documentation; I will leave it outside the scope of this article.

Conclusions

The article gives an overview of the basic security mechanisms in Kubernetes clusters that let you create individual user accounts, separate their rights, and record their actions. I hope it will be useful to those who face such problems in theory or in practice. I also recommend reading the list of other materials on the topic of security in Kubernetes given in the "PS" - perhaps among them you will find important details on the problems relevant to you.

PS

Read also on our blog:

Source: www.habr.com
