The ABC of Kubernetes Security: Authentication, Authorization, Auditing

Sooner or later, in the operation of any system, the question of security comes up: ensuring authentication, separating rights, auditing, and other tasks. Many solutions have already been created for Kubernetes that let you meet the requirements of standards even in very demanding environments. First of all, this material will be useful to those who are starting to learn Kubernetes, as a starting point for studying security-related questions.

Authentication

There are two types of Kubernetes users:

  • Service Accounts: accounts managed by the Kubernetes API;
  • Users: "normal" users managed by external, independent services.

The main difference between these types is that Service Accounts correspond to special objects in the Kubernetes API (called ServiceAccounts), which are bound to a namespace and to a set of authorization data stored in the cluster as Secret objects. Users of this type (Service Accounts) are primarily intended for managing the Kubernetes API access rights of processes running inside the Kubernetes cluster.

Normal users have no records in the Kubernetes API: they must be managed by external mechanisms. They are intended for people or processes living outside the cluster.

Each API request is associated either with a Service Account, or with a User, or is treated as anonymous.

A user's identification data includes:

  • username (case-sensitive!);
  • UID: a machine-readable user identifier string that is "more persistent and unique than the username";
  • groups: the list of groups the user belongs to;
  • extra: additional fields that can be used by the authorization mechanism.

Kubernetes can use a large number of authentication mechanisms: X509 certificates, Bearer tokens, an authenticating proxy, HTTP Basic Auth. Using these mechanisms you can implement a large number of authentication schemes: from a static file with passwords to OpenID OAuth2.

Moreover, it is possible to use several authentication schemes at the same time. By default, the cluster uses:

  • service account tokens for Service Accounts;
  • X509 for Users.

Managing ServiceAccounts is out of the scope of this article, but for those who want to study this question in more detail, I recommend starting with the official documentation pages. We will take a closer look at how X509 certificates work.

User certificates (X.509)

The standard way of working with certificates consists of:

  • key generation:
    mkdir -p ~/.certs/
    openssl genrsa -out ~/.certs/mynewuser.key 2048
  • creating a certificate signing request:
    openssl req -new -key ~/.certs/mynewuser.key -out ~/.certs/mynewuser.csr -subj "/CN=mynewuser/O=company"
  • processing the certificate request with the keys of the Kubernetes cluster CA, which yields the user certificate (to obtain the certificate you must use an account that has access to the Kubernetes cluster CA key, which by default is located at /etc/kubernetes/pki/ca.key):
    openssl x509 -req -in ~/.certs/mynewuser.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out ~/.certs/mynewuser.crt -days 500
  • creating the configuration file:
    • cluster description (specify the address and the location of the CA certificate file of the particular cluster installation):
      kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server=https://192.168.100.200:6443
    • or, as a not recommended option, without specifying the root certificate (in that case kubectl will not verify the identity of the cluster's api-server):
      kubectl config set-cluster kubernetes --insecure-skip-tls-verify=true --server=https://192.168.100.200:6443
    • adding the user to the configuration file:
      kubectl config set-credentials mynewuser --client-certificate=.certs/mynewuser.crt --client-key=.certs/mynewuser.key
    • adding the context:
      kubectl config set-context mynewuser-context --cluster=kubernetes --namespace=target-namespace --user=mynewuser
    • selecting the context:
      kubectl config use-context mynewuser-context

After the manipulations described above, a configuration like this will be created in the .kube/config file:

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/pki/ca.crt
    server: https://192.168.100.200:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: target-namespace
    user: mynewuser
  name: mynewuser-context
current-context: mynewuser-context
kind: Config
preferences: {}
users:
- name: mynewuser
  user:
    client-certificate: /home/mynewuser/.certs/mynewuser.crt
    client-key: /home/mynewuser/.certs/mynewuser.key

To simplify transferring the connection configuration between accounts and servers, it is useful to edit the values of the following keys:

  • certificate-authority
  • client-certificate
  • client-key

To do this, you can encode the specified files with base64 and write them into the config, adding the -data suffix to the key names, i.e. obtaining certificate-authority-data and so on.
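As an added illustration (not code from the original article), the following Python function performs that substitution on a kubeconfig that has already been parsed into a dict, for instance with PyYAML's yaml.safe_load; it assumes the file paths from the configuration above and uses constructed stand-in file contents rather than real certificates or keys.

```python
import base64
import copy
import os

# kubeconfig path keys and the inline keys that replace them.
DATA_KEYS = {
    "certificate-authority": "certificate-authority-data",
    "client-certificate": "client-certificate-data",
    "client-key": "client-key-data",
}


def _read_file(path):
    with open(os.path.expanduser(path), "rb") as fh:
        return fh.read()


def embed_certs(config, read_bytes=_read_file):
    """Return a copy of a parsed kubeconfig dict in which every file reference
    under clusters[].cluster and users[].user is replaced by its base64 *-data key.
    read_bytes(path) -> bytes is injectable so the logic can be tested without files."""
    cfg = copy.deepcopy(config)
    sections = [c["cluster"] for c in cfg.get("clusters", [])]
    sections += [u["user"] for u in cfg.get("users", [])]
    for section in sections:
        for path_key, data_key in DATA_KEYS.items():
            path = section.pop(path_key, None)
            if path is None:
                continue
            # base64 of the raw PEM bytes, the same form kubectl writes with --embed-certs
            section[data_key] = base64.b64encode(read_bytes(path)).decode("ascii")
    return cfg


def embedded_bytes(section, data_key):
    """Decode an inline *-data value back to the original file bytes."""
    return base64.b64decode(section[data_key])


# The kubeconfig from this article, in the dict form yaml.safe_load returns.
ARTICLE_CONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{"name": "kubernetes", "cluster": {
        "certificate-authority": "/etc/kubernetes/pki/ca.crt",
        "server": "https://192.168.100.200:6443"}}],
    "users": [{"name": "mynewuser", "user": {
        "client-certificate": "/home/mynewuser/.certs/mynewuser.crt",
        "client-key": "/home/mynewuser/.certs/mynewuser.key"}}],
}

# Constructed stand-in file contents (not real certificates or keys).
FAKE_FILES = {
    "/etc/kubernetes/pki/ca.crt": b"-----BEGIN CERTIFICATE-----\nFAKE-CA\n-----END CERTIFICATE-----\n",
    "/home/mynewuser/.certs/mynewuser.crt": b"-----BEGIN CERTIFICATE-----\nFAKE-USER\n-----END CERTIFICATE-----\n",
    "/home/mynewuser/.certs/mynewuser.key": b"-----BEGIN RSA PRIVATE KEY-----\nFAKE-KEY\n-----END RSA PRIVATE KEY-----\n",
}


def portable_article_config():
    """Inline the article's config using the constructed file contents."""
    return embed_certs(ARTICLE_CONFIG, read_bytes=lambda p: FAKE_FILES[p])
```

The resulting dict can be written back with yaml.safe_dump; the original file-based config is left untouched.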

Certificates with kubeadm

With the release of Kubernetes 1.15, working with certificates has become much simpler thanks to the alpha version of its support in the kubeadm utility. For example, this is what generating a configuration file with user keys can now look like:

kubeadm alpha kubeconfig user --client-name=mynewuser --apiserver-advertise-address 192.168.100.200

NB: the required advertise address can be found in the api-server config, which by default is located at /etc/kubernetes/manifests/kube-apiserver.yaml.

The resulting configuration is written to stdout. It needs to be saved to ~/.kube/config of the user's account or to the file specified by the KUBECONFIG environment variable.

Going deeper

For those who want to understand the issues described here in more depth:

Authorization

By default, an authenticated account has no rights to operate in the cluster. To grant permissions, Kubernetes implements an authorization mechanism.

Before version 1.6, Kubernetes used an authorization type called ABAC (attribute-based access control). Details can be found in the official documentation. This method is now considered legacy, but it can still be used alongside other authorization types.

The current (and flexible) way of distributing access rights in a cluster is called RBAC (role-based access control). It has been declared stable since Kubernetes 1.8. RBAC implements a permission model in which everything that is not explicitly allowed is forbidden.

To enable RBAC, you need to start the kubernetes api-server with the parameter --authorization-mode=RBAC. The parameters are set in the manifest with the api-server configuration, which is usually located at /etc/kubernetes/manifests/kube-apiserver.yaml, in the command section. However, RBAC is already enabled by default, so most likely you don't need to worry about it: you can verify this by the value of authorization-mode (in the already mentioned kube-apiserver.yaml). By the way, among its values there may be other types of authorization (node, webhook, always allow), but we will leave their consideration outside the scope of this material.

By the way, we have already published an article describing in detail the principles and features of working with RBAC, so here I will limit myself to a brief list of basics and examples.

The following API entities are used to control access to Kubernetes via RBAC:

  • Role and ClusterRole: roles that serve to describe access rights:
    • Role lets you describe rights within a namespace;
    • ClusterRole: within the whole cluster, including cluster-specific objects such as nodes and non-resource URLs (i.e. not related to Kubernetes resources, for example /version, /logs, /api*);
  • RoleBinding and ClusterRoleBinding: used to bind a Role or ClusterRole to a user, a user group, or a ServiceAccount.

Role and RoleBinding entities are limited to a namespace, i.e. they must be in the same namespace. However, a RoleBinding can reference a ClusterRole, which allows you to create a set of generic permissions and manage access to them.

Roles define rights using rules consisting of:

  • API groups (apiGroups; see the official documentation and the output of kubectl api-resources);
  • resources (resources: pod, namespace, deployment, and so on);
  • verbs (verbs: get, update, and so on);
  • resource names (resourceNames): for the case when you need to grant access to a specific resource rather than to all resources of that type.

A detailed analysis of Kubernetes authorization can be found on the official documentation page. Instead (or rather, in addition to that), I will give examples illustrating how it works.

Examples of RBAC entities

A simple Role that allows getting the list and status of pods and watching them in the target-namespace namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: target-namespace
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

Example: a ClusterRole that allows getting the list and contents of secrets and watching them across the whole cluster:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # there is no "namespace" section, since a ClusterRole applies to the whole cluster
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

Example: a RoleBinding that allows the user mynewuser to "read" pods in the target-namespace namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: target-namespace
subjects:
- kind: User
  name: mynewuser # the username is case-sensitive!
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role # must be "Role" or "ClusterRole"
  name: pod-reader # name of the Role located in the same namespace,
                   # or the name of the ClusterRole whose use
                   # we want to grant to the user
  apiGroup: rbac.authorization.k8s.io
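As an added example that is not part of the original article, the following Python code evaluates the three manifests above the way RBAC does: default deny, a RoleBinding scoped to its own namespace, a ClusterRoleBinding applying cluster-wide, and a case-sensitive user name; the helper names and the dict form of the manifests (what yaml.safe_load would return) are this example's own assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: tuple = ()
    verb: str = "get"
    resource: str = "pods"
    api_group: str = ""    # "" is the core API group
    namespace: str = ""    # "" for cluster-scoped resources
    name: str = ""         # object name, checked against resourceNames


def _rule_allows(rule, req):
    def listed(key, value):
        values = rule.get(key, [])
        return "*" in values or value in values
    if not (listed("verbs", req.verb) and listed("apiGroups", req.api_group)
            and listed("resources", req.resource)):
        return False
    names = rule.get("resourceNames")
    return not names or req.name in names   # resourceNames narrows the grant to named objects


def _subject_matches(subject, req):
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return name == req.user            # case-sensitive, as the article notes
    if kind == "Group":
        return name in req.groups
    if kind == "ServiceAccount":           # a ServiceAccount token authenticates as this user name
        return req.user == f"system:serviceaccount:{subject.get('namespace', '')}:{name}"
    return False


def is_allowed(objects, req):
    """Evaluate parsed Role/ClusterRole/RoleBinding/ClusterRoleBinding dicts.
    Default deny: the request passes only if some binding naming the subject
    references a role containing a rule that explicitly allows it."""
    roles = {(o["metadata"]["namespace"], o["metadata"]["name"]): o
             for o in objects if o["kind"] == "Role"}
    cluster_roles = {o["metadata"]["name"]: o for o in objects if o["kind"] == "ClusterRole"}
    for b in (o for o in objects if o["kind"] in ("RoleBinding", "ClusterRoleBinding")):
        if not any(_subject_matches(s, req) for s in b.get("subjects", [])):
            continue
        ref = b["roleRef"]
        if b["kind"] == "RoleBinding":
            ns = b["metadata"]["namespace"]
            if ns != req.namespace:        # a RoleBinding grants only inside its own namespace,
                continue                   # even when it references a ClusterRole
            role = roles.get((ns, ref["name"])) if ref["kind"] == "Role" else cluster_roles.get(ref["name"])
        else:                              # a ClusterRoleBinding may only reference a ClusterRole
            role = cluster_roles.get(ref["name"]) if ref["kind"] == "ClusterRole" else None
        if role and any(_rule_allows(r, req) for r in role.get("rules", [])):
            return True
    return False


# The three manifests from this article, in the dict form yaml.safe_load returns.
ARTICLE_RBAC = [
    {"kind": "Role", "metadata": {"namespace": "target-namespace", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "target-namespace"},
     "subjects": [{"kind": "User", "name": "mynewuser", "apiGroup": "rbac.authorization.k8s.io"}],
     "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"}},
]
```

Note that secret-reader grants nothing on its own: without a binding that references it, no request for secrets is allowed.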

Event auditing

Schematically, the Kubernetes architecture can be represented as follows:

[Figure: diagram of the Kubernetes architecture]

The key component of Kubernetes responsible for request processing is the api-server. All cluster operations pass through it. You can read more about these internal mechanisms in the article "What happens in Kubernetes when you run kubectl run?".

System auditing is an interesting feature of Kubernetes that is disabled by default. It allows logging all calls to the Kubernetes API. As you might guess, all actions related to monitoring and changing the state of the cluster are performed through this API. A good description of its capabilities can be found (as usual) in the official K8s documentation. Below, I will try to present the topic in simpler language.

So, to enable auditing, we need to pass three required parameters to the container with the api-server, which are described in more detail below:

  • --audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml
  • --audit-log-path=/var/log/kube-audit/audit.log
  • --audit-log-format=json

In addition to these three required parameters, there are many additional settings related to auditing: from log rotation to webhook descriptions. An example of the log rotation parameters:

  • --audit-log-maxbackup=10
  • --audit-log-maxsize=100
  • --audit-log-maxage=7

But we will not dwell on them in detail: you can find all the details in the kube-apiserver documentation.

As already mentioned, all parameters are set in the manifest with the api-server configuration (by default /etc/kubernetes/manifests/kube-apiserver.yaml), in the command section. Let's return to the 3 required parameters and analyze them:

  1. audit-policy-file: the path to the YAML file describing the audit policy. We will come back to its contents, but for now note that the file must be readable by the api-server process. Therefore it has to be mounted inside the container, for which you can add the following code to the appropriate sections of the configuration:
      volumeMounts:
        - mountPath: /etc/kubernetes/policies
          name: policies
          readOnly: true
      volumes:
      - hostPath:
          path: /etc/kubernetes/policies
          type: DirectoryOrCreate
        name: policies
  2. audit-log-path: the path to the log file. The path must also be accessible to the api-server process, so we describe it in the same way:
      volumeMounts:
        - mountPath: /var/log/kube-audit
          name: logs
          readOnly: false
      volumes:
      - hostPath:
          path: /var/log/kube-audit
          type: DirectoryOrCreate
        name: logs
  3. audit-log-format: the audit log format. The default is json, but the legacy text format is also available (legacy).

Audit policy

Now about the file mentioned above that describes the logging policy. The first concept of an audit policy is level, the logging level. The levels are as follows:

  • None: do not log;
  • Metadata: log request metadata: user, request time, target resource (pod, namespace, etc.), action type (verb), etc.;
  • Request: log metadata and the request body;
  • RequestResponse: log metadata, the request body and the response body.

The last two levels (Request and RequestResponse) do not apply to requests that do not access resources (requests to so-called non-resource URLs).

Also, every request passes through several stages:

  • RequestReceived: the stage at which the request has been received by the handler and has not yet been passed further along the handler chain;
  • ResponseStarted: the response headers have been sent, but the response body has not yet been sent. Generated for long-running requests (for example, watch);
  • ResponseComplete: the response body has been sent, no more information will be sent;
  • Panic: events generated when an abnormal situation is detected.

To skip any stage, you can use omitStages.

In the policy file we can describe several sections with different logging levels. The first matching rule found in the policy description is applied.

The kubelet daemon monitors changes to the manifest with the api-server configuration and, if one is detected, restarts the container with the api-server. But there is an important detail: changes to the policy file are ignored by it. After changing the policy file, you will need to restart the api-server manually. Since the api-server is started as a static pod, the kubectl delete command will not cause it to restart. You will have to run docker stop manually on the Kubernetes masters where the audit policy was changed:

docker stop $(docker ps | grep k8s_kube-apiserver | awk '{print $1}')

When enabling auditing, it is important to remember that the load on kube-apiserver increases. In particular, memory consumption for storing the request context grows. Logging starts only after the response headers are sent. The load also depends on the audit policy configuration.

Policy examples

Let's look at the structure of policy files using examples.

Here is a simple policy file in which everything is logged at the Metadata level:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata

In the policy you can specify a list of users (Users and ServiceAccounts) and user groups. For example, this is how we ignore system users but log everything else at the Request level:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: None
    userGroups:
      - "system:serviceaccounts"
      - "system:nodes"
    users:
      - "system:anonymous"
      - "system:apiserver"
      - "system:kube-controller-manager"
      - "system:kube-scheduler"
  - level: Request

It is also possible to describe the targets:

  • namespaces (namespaces);
  • verbs (verbs: get, update, delete and others);
  • resources (resources: pod, configmaps, etc.) and resource groups (apiGroups).

Attention! The resources and resource groups (API groups, i.e. apiGroups), as well as their versions installed in the cluster, can be obtained with the commands:

kubectl api-resources
kubectl api-versions

The following audit policy is given as a best-practice illustration in the Alibaba Cloud documentation:

apiVersion: audit.k8s.io/v1beta1
kind: Policy
# Do not log the RequestReceived stage
omitStages:
  - "RequestReceived"
rules:
  # Do not log events considered insignificant and harmless:
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: "" # the API group with an empty name, to which the basic
                  # Kubernetes resources, called "core", belong
        resources: ["endpoints", "services"]
  - level: None
    users: ["system:unsecured"]
    namespaces: ["kube-system"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["configmaps"]
  - level: None
    users: ["kubelet"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    users:
      - system:kube-controller-manager
      - system:kube-scheduler
      - system:serviceaccount:kube-system:endpoint-controller
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # core
        resources: ["endpoints"]
  - level: None
    users: ["system:apiserver"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["namespaces"]
  # Do not log requests to read-only URLs:
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*
  # Do not log messages relating to the "events" resource type:
  - level: None
    resources:
      - group: "" # core
        resources: ["events"]
  # Resources of type Secret, ConfigMap and TokenReview may contain sensitive data,
  # so we log only the metadata of the requests involving them
  - level: Metadata
    resources:
      - group: "" # core
        resources: ["secrets", "configmaps"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
  # get, list and watch actions can be resource-intensive; we do not log their responses
  - level: Request
    verbs: ["get", "list", "watch"]
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default logging level for standard API resources
  - level: RequestResponse
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default logging level for all other requests
  - level: Metadata
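As an added example that is not part of the original article, the following Python code applies an abbreviated version of the policy above (same rule order, fewer API groups listed) to constructed request events and returns the level of the first matching rule, honouring omitStages and level None; the event dict fields and helper names are this example's own convention.

```python
def _url_match(pattern, url):
    """nonResourceURLs entries are exact paths or a prefix ending in '*'."""
    if pattern.endswith("*"):
        return url.startswith(pattern[:-1])
    return url == pattern


def _resources_match(rule, event):
    """A rule with 'resources' matches only resource requests in a listed group;
    a group entry without its own 'resources' list covers every resource of that group."""
    if "resources" not in rule:
        return True
    if "resource" not in event:          # non-resource request vs. a resource rule
        return False
    for entry in rule["resources"]:
        if entry.get("group", "") == event.get("group", ""):
            names = entry.get("resources")
            if not names or event["resource"] in names:
                return True
    return False


def _rule_matches(rule, event):
    """Every selector present in the rule must match; absent selectors match anything."""
    if "users" in rule and event.get("user") not in rule["users"]:
        return False
    if "userGroups" in rule and not set(rule["userGroups"]) & set(event.get("groups", ())):
        return False
    if "verbs" in rule and event.get("verb") not in rule["verbs"]:
        return False
    if "namespaces" in rule and event.get("namespace", "") not in rule["namespaces"]:
        return False
    if "nonResourceURLs" in rule:
        url = event.get("url")
        if url is None or not any(_url_match(p, url) for p in rule["nonResourceURLs"]):
            return False
    return _resources_match(rule, event)


def audit_level(policy, event):
    """Level assigned by the first matching rule, or None when the event is not
    recorded (stage omitted, level None, or no rule matched)."""
    stage = event.get("stage", "ResponseComplete")
    if stage in policy.get("omitStages", []):
        return None
    for rule in policy["rules"]:
        if _rule_matches(rule, event):
            if stage in rule.get("omitStages", []) or rule["level"] == "None":
                return None
            return rule["level"]
    return None


# Abbreviated version of the policy above: same rule order, fewer API groups listed.
POLICY = {
    "omitStages": ["RequestReceived"],
    "rules": [
        {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
         "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
        {"level": "None", "nonResourceURLs": ["/healthz*", "/version", "/swagger*"]},
        {"level": "None", "resources": [{"group": "", "resources": ["events"]}]},
        {"level": "Metadata", "resources": [{"group": "", "resources": ["secrets", "configmaps"]},
                                            {"group": "authentication.k8s.io", "resources": ["tokenreviews"]}]},
        {"level": "Request", "verbs": ["get", "list", "watch"],
         "resources": [{"group": ""}, {"group": "apps"}]},
        {"level": "RequestResponse", "resources": [{"group": ""}, {"group": "apps"}]},
        {"level": "Metadata"},   # default for everything else
    ],
}
```

Running events through such a checker before deploying a policy shows which rule each request class lands on, which is the quickest way to catch an ordering mistake such as a catch-all placed before the secrets rule.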

Another good example of an audit policy is the profile used for GCE.

To react quickly to audit events, it is possible to describe a webhook. This question is covered in the official documentation; I leave it outside the scope of this article.

Conclusions

The article gives an overview of the basic security mechanisms of Kubernetes clusters that let you create personal user accounts, separate their rights, and record their actions. I hope it will be useful to those who face such questions in theory or in practice. I also recommend reading the list of other materials on the topic of Kubernetes security given in the "PS": perhaps among them you will find the details you need for the problems relevant to you.

PS

Also read on our blog:

Source: www.habr.com
