Kungekudala okanye kamva, ekusebenzeni kwayo nayiphi na inkqubo, umba wokhuseleko uvela: ukuqinisekisa ukuqinisekiswa, ukuhlukana kwamalungelo, uphicotho-zincwadi kunye neminye imisebenzi. Sele yenzelwe iKubernetes
Uqinisekiso
Kukho iintlobo ezimbini zabasebenzisi eKubernetes:
- Iiakhawunti zeNkonzo - iiakhawunti ezilawulwa yiKubernetes API;
- abasebenzisi — Abasebenzisi “abaqhelekileyo” abalawulwa ziinkonzo zangaphandle, ezizimeleyo.
Umahluko omkhulu phakathi kwezi ntlobo kukuba kwiiAkhawunti zeNkonzo kukho izinto ezikhethekileyo kwi-Kubernetes API (zibizwa ngokuba - ServiceAccounts
), ezibophelelwe kwindawo yegama kunye nesethi yedatha yogunyaziso egcinwe kwiqela kwizinto zohlobo lweeMfihlo. Abasebenzisi abanjalo (iiAkhawunti zeNkonzo) zijoliswe ngokuyinhloko ukulawula amalungelo okufikelela kwi-Kubernetes API yeenkqubo ezisebenza kwi-cluster ye-Kubernetes.
Abasebenzisi abaqhelekileyo abanakho ukungena kwi-Kubernetes API: kufuneka balawulwe ngeendlela zangaphandle. Zenzelwe abantu okanye iinkqubo ezihlala ngaphandle kweqela.
Isicelo ngasinye se-API sinxulumene nokuba yi-Akhawunti yeNkonzo, uMsebenzisi, okanye ithathwa njengengaziwa.
Idatha yoqinisekiso lomsebenzisi ibandakanya:
- lomsebenzisi — igama lomsebenzisi (imeko ebuthathaka!);
- UID - umtya wokuchonga womsebenzisi ofundeka ngomatshini "ohambelana ngakumbi kwaye wahlukile kunegama lomsebenzisi";
- amaqela — uluhlu lwamaqela umsebenzisi angowawo;
- extra - imimandla eyongezelelweyo enokusetyenziswa yindlela yogunyaziso.
I-Kubernetes inokusebenzisa inani elikhulu leendlela zokuqinisekisa: Izatifikethi ze-X509, iithokheni ze-Bearer, i-proxy yokuqinisekisa, i-HTTP Basic Auth. Usebenzisa ezi ndlela, unokuphumeza inani elikhulu lezicwangciso zogunyaziso: ukusuka kwifayile engatshintshiyo enamagama agqithisiweyo ukuya kwiOpenID OAuth2.
Ngaphezu koko, kunokwenzeka ukusebenzisa izikimu zogunyaziso ezininzi ngaxeshanye. Ngokungagqibekanga, iqela lisebenzisa:
- iithokheni zeakhawunti yenkonzo - yeeAkhawunti zeNkonzo;
- X509 - Yabasebenzisi.
Umbuzo malunga nokulawula i-ServiceAccounts ungaphaya kobubanzi beli nqaku, kodwa kwabo bafuna ukuziqhelanisa nalo mbandela ngokubanzi, ndincoma ukuqala nge
Izatifikethi zabasebenzisi (X.509)
Indlela yakudala yokusebenza kunye nezatifikethi ibandakanya:
- ukuveliswa okungundoqo:
mkdir -p ~/mynewuser/.certs/ openssl genrsa -out ~/.certs/mynewuser.key 2048
- ukwenza isicelo sesatifikethi:
openssl req -new -key ~/.certs/mynewuser.key -out ~/.certs/mynewuser.csr -subj "/CN=mynewuser/O=company"
- kusetyenzwa isicelo sesatifikethi usebenzisa i Kubernetes cluster CA izitshixo, ukufumana isatifikethi somsebenzisi (ukufumana isatifikethi, kufuneka usebenzise i-akhawunti enofikelelo kwiqhosha le-CA leqela le-Kubernetes, elibekwe ngokungagqibekanga
/etc/kubernetes/pki/ca.key
):openssl x509 -req -in ~/.certs/mynewuser.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out ~/.certs/mynewuser.crt -days 500
- yenza ifayile yoqwalaselo:
- Inkcazo yeqela (chaza idilesi kunye nendawo yefayili yesatifikethi se-CA yofakelo oluthile lweqela):
kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server=https://192.168.100.200:6443
- okanye njani hayiUkhetho olucetyiswayo - awunyanzelekanga ukuba ukhankanye isatifikethi esiyingcambu (emva koko kubectl ayizukukhangela ukuchaneka kwe-api-server yeqela):
kubectl config set-cluster kubernetes --insecure-skip-tls-verify=true --server=https://192.168.100.200:6443
- Ukongeza umsebenzisi kwifayile yoqwalaselo:
kubectl config set-credentials mynewuser --client-certificate=.certs/mynewuser.crt --client-key=.certs/mynewuser.key
- Ukongeza umxholo:
kubectl config set-context mynewuser-context --cluster=kubernetes --namespace=target-namespace --user=mynewuser
- Ulwabiwo lwemeko emiselweyo:
kubectl config use-context mynewuser-context
- Inkcazo yeqela (chaza idilesi kunye nendawo yefayili yesatifikethi se-CA yofakelo oluthile lweqela):
Emva kokusetyenziswa oku ngasentla, kwifayile .kube/config
uqwalaselo olunje luzakwenziwa:
apiVersion: v1
clusters:
- cluster:
certificate-authority: /etc/kubernetes/pki/ca.crt
server: https://192.168.100.200:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
namespace: target-namespace
user: mynewuser
name: mynewuser-context
current-context: mynewuser-context
kind: Config
preferences: {}
users:
- name: mynewuser
user:
client-certificate: /home/mynewuser/.certs/mynewuser.crt
client-key: /home/mynewuser/.certs/mynewuser.key
Ukwenza kube lula ukudlulisa uqwalaselo phakathi kweeakhawunti kunye neeseva, kuluncedo ukuhlela amaxabiso ezi zitshixo zilandelayo:
-
certificate-authority
-
client-certificate
-
client-key
Ukwenza oku, ungafaka ikhowudi kwiifayile ezichazwe kuzo usebenzisa i-base64 kwaye ubhalise kuqwalaselo, ukongeza isimamva kwigama lezitshixo. -data
, okt. ufumene certificate-authority-data
kunye nezinye.
Izatifikethi ezine-beadm
Ngokukhululwa
kubeadm alpha kubeconfig user --client-name=mynewuser --apiserver-advertise-address 192.168.100.200
NB: Kuyafuneka bhengeza idilesi inokufunyanwa kuqwalaselo lwe-api-server, ethi ngokungagqibekanga ibekwe kuyo /etc/kubernetes/manifests/kube-apiserver.yaml
.
Uqwalaselo olunesiphumo luya kuba yimveliso kwistdout. Kufuneka igcinwe ngaphakathi ~/.kube/config
iakhawunti yomsebenzisi okanye kwifayile ekhankanyiweyo kwimeko eguquguqukayo KUBECONFIG
.
Yemba Ngokunzulu
Kwabo bafuna ukuqonda imiba echazwe ngokucokisekileyo:
-
Inqaku elahlukileyo ekusebenzeni kunye nezatifikethi kumaxwebhu asemthethweni e-Kubernetes; -
inqaku elihle elivela kwiBitnami , apho umba wezatifikethi uchukunyiswa kwimbono ephathekayo. -
uxwebhu jikelele kuqinisekiso kwi-Kubernetes.
Ngena
Iakhawunti egunyazisiweyo engagqibekanga ayinamalungelo okusebenza kwiqela. Ukunika iimvume, uKubernetes usebenzisa indlela yogunyaziso.
Ngaphambi koguqulelo 1.6, uKubernetes wasebenzisa uhlobo logunyaziso olubizwa ngokuba ABAC (Ulawulo lofikelelo olusekwe kuphawu). Iinkcukacha malunga nayo inokufumaneka kwi
Indlela yangoku (kunye nebhetyebhetye) yokwahlula amalungelo ofikelelo kwiqela ibizwa RBAC (
Ukwenza i-RBAC isebenze, kufuneka uqalise Kubernetes api-server ngeparameter --authorization-mode=RBAC
. Iparameters zicwangciswe kumboniso ngoqwalaselo lwe api-server, ethi ngokungagqibekanga ibekwe ecaleni kwendlela. /etc/kubernetes/manifests/kube-apiserver.yaml
, kwicandelo command
. Nangona kunjalo, i-RBAC sele yenziwe ngokungagqibekanga, ngoko ke akufanelekanga ukuba uzikhathaze ngayo: ungakuqinisekisa oku ngexabiso. authorization-mode
(kwisele ikhankanyiwe kube-apiserver.yaml
). Ngendlela, phakathi kweentsingiselo zayo kunokubakho ezinye iintlobo zogunyaziso (node
, webhook
, always allow
), kodwa siya kushiya ukuqwalaselwa kwabo ngaphandle kobubanzi bezinto eziphathekayo.
Ngendlela, sele sishicilele
Ezi zintlu zilandelayo ze-API zisetyenziselwa ukulawula ukufikelela kwi-Kubernetes nge-RBAC:
-
Role
иClusterRole
— iindima ezichaza amalungelo ofikelelo: -
Role
ikuvumela ukuba uchaze amalungelo ngaphakathi kwendawo yamagama; -
ClusterRole
- ngaphakathi kweqela, kubandakanywa ukuhlanganisana-izinto ezithile ezifana neendawo, ii-urls ezingezizo izixhobo (okt. ezinganxulumananga nezixhobo zeKubernetes - umzekelo,/version
,/logs
,/api*
); -
RoleBinding
иClusterRoleBinding
- esetyenziselwa ukubophaRole
иClusterRole
kumsebenzisi, iqela lomsebenzisi okanye iServiceAccount.
Indima kunye ne-RoleBinding entities zilinganiselwe nge-namespace, okt. kufuneka ibekwisithuba samagama esinye. Nangona kunjalo, i-RoleBinding inokubhekisa kwi-ClusterRole, ekuvumela ukuba wenze iseti yeemvume eziqhelekileyo kunye nokulawula ukufikelela ngokuzisebenzisa.
Iindima zichaza amalungelo kusetyenziswa iiseti zemithetho equlathe:
- Amaqela e-API - bona
amaxwebhu asemthethweni nge-apiGroups kunye nemvelisokubectl api-resources
; - izixhobo (Zixhobo:
pod
,namespace
,deployment
kwaye nangokunjalo.); - Izenzi (izenzi:
set
,update
kwaye nangokunjalo.). - amagama emithombo (
resourceNames
) - kwimeko xa ufuna ukubonelela ngokufikelela kwisixhobo esithile, kwaye kungekhona kuzo zonke izibonelelo zolu hlobo.
Uhlalutyo oluneenkcukacha ngakumbi logunyaziso kwi-Kubernetes lunokufumaneka kwiphepha
Imizekelo yamaqumrhu e-RBAC
Elula Role
, ekuvumela ukuba ufumane uluhlu kunye nobume beepods kwaye ubeke iliso kwindawo yamagama target-namespace
:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: target-namespace
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
Umzekelo: ClusterRole
, ekuvumela ukuba ufumane uluhlu kunye nobume beepods kwaye uzibeke iliso kulo lonke iqela:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
# секции "namespace" нет, так как ClusterRole задействует весь кластер
name: secret-reader
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
Umzekelo: RoleBinding
, evumela umsebenzisi mynewuser
"funda" iipod kwisithuba samagama my-namespace
:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods
namespace: target-namespace
subjects:
- kind: User
name: mynewuser # имя пользователя зависимо от регистра!
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role # здесь должно быть “Role” или “ClusterRole”
name: pod-reader # имя Role, что находится в том же namespace,
# или имя ClusterRole, использование которой
# хотим разрешить пользователю
apiGroup: rbac.authorization.k8s.io
Uphicotho lwesiganeko
Ngokucwangcisekileyo, uyilo lweKubernetes lunokumelwa ngolu hlobo lulandelayo:
Icandelo eliphambili le-Kubernetes elinoxanduva lokuqhuba izicelo i-api-server. Yonke imisebenzi kwi-cluster idlula kuyo. Unokufunda ngakumbi malunga nezi ndlela zangaphakathi kwinqaku "
Ukuphicothwa kwenkqubo yinto enomdla kwi-Kubernetes, ekhutshaziweyo ngokungagqibekanga. Ikuvumela ukuba ungene kuzo zonke iifowuni kwi-Kubernetes API. Njengoko unokuthekelela, zonke iintshukumo ezinxulumene nokubeka iliso kunye nokutshintsha imeko yeqela zenziwa ngale API. Inkcazo elungileyo yezakhono zayo (njengesiqhelo) inokufumaneka kwi
Kwaye ke, ukwenza uphicotho zincwadi, kufuneka sigqithise iiparamitha ezintathu ezifunekayo kwisikhongozeli esikwi-api-server, echazwe ngokweenkcukacha ngakumbi ngezantsi:
-
--audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml
-
--audit-log-path=/var/log/kube-audit/audit.log
-
--audit-log-format=json
Ukongeza kwezi parameters ezintathu eziyimfuneko, kukho ezininzi izicwangciso ezongezelelweyo ezinxulumene nophicotho-zincwadi: ukusuka kwi-log rotation ukuya kwiinkcazo ze-webhook. Umzekelo weeparamitha zokujikeleza kwelogi:
-
--audit-log-maxbackup=10
-
--audit-log-maxsize=100
-
--audit-log-maxage=7
Kodwa asiyi kuhlala kuzo ngokweenkcukacha ngakumbi - unokufumana zonke iinkcukacha kuzo
Njengoko sele kukhankanyiwe, zonke iiparameters zisetwe kwi-manifest ngoqwalaselo lwe-api-server (ngokungagqibekanga /etc/kubernetes/manifests/kube-apiserver.yaml
), kwicandelo command
. Masibuyele kwiiparamitha ezi-3 ezifunekayo kwaye sizihlalutye:
-
audit-policy-file
— indlela eya kwifayile yeYAML echaza umgaqo-nkqubo wophicotho. Siza kubuyela kumxholo wayo kamva, kodwa okwangoku ndiza kuqaphela ukuba ifayile kufuneka ifundeke ngenkqubo ye-api-server. Ke ngoko, kuyimfuneko ukuyinyusa ngaphakathi kwesitya, apho unokongeza le khowudi ilandelayo kumacandelo afanelekileyo oqwalaselo:volumeMounts: - mountPath: /etc/kubernetes/policies name: policies readOnly: true volumes: - hostPath: path: /etc/kubernetes/policies type: DirectoryOrCreate name: policies
-
audit-log-path
— indlela eya kwifayile yelog. Umendo kufuneka ufikeleleke kwinkqubo ye-api-server, ke sichaza ukunyuka kwayo ngendlela efanayo:volumeMounts: - mountPath: /var/log/kube-audit name: logs readOnly: false volumes: - hostPath: path: /var/log/kube-audit type: DirectoryOrCreate name: logs
-
audit-log-format
— ifomathi yelog yophicotho. Ukungagqibeki ngujson
, kodwa ifomati yokubhaliweyo yelifa iyafumaneka (legacy
).
Umgaqo-nkqubo woPhicotho-zincwadi
Ngoku malunga nefayile ekhankanyiweyo echaza umgaqo-nkqubo wokuloga. Ingqikelelo yokuqala yomgaqo-nkqubo wophicotho yile level
, inqanaba lokugawula. Zimi ngolu hlobo lulandelayo:
-
None
- musa ukungena; -
Metadata
— Imethadatha yesicelo sokungena: umsebenzisi, ixesha lesicelo, isixhobo ekujoliswe kuso (ipod, indawo yamagama, njl.), uhlobo lwesenzo (isenzi), njl.; -
Request
-log imetadata kunye nomzimba wesicelo; -
RequestResponse
-log imethadatha, umzimba wesicelo kunye nomzimba wokuphendula.
Amanqanaba amabini okugqibela (Request
и RequestResponse
) musa ukuloga izicelo ezingakhange zifikelele kwimithombo (ufikelelo koko kubizwa ngokuba zii-url ezingezoncedo).
Kananjalo zonke izicelo ziyadlula izigaba eziliqela:
-
RequestReceived
- inqanaba xa isicelo sifunyenwe yiprosesa kwaye asikadluliswa ngokubhekele phaya ecaleni kwekhonkco labaqhubekekisi; -
ResponseStarted
— iiheader zempendulo zithunyelwa, kodwa ngaphambi kokuba umzimba wempendulo uthunyelwe. Yenzelwe imibuzo ehlala ixesha elide (umzekelo,watch
); -
ResponseComplete
- umzimba wempendulo uthunyelwe, akukho lwazi lungakumbi luya kuthunyelwa; -
Panic
- iziganeko zenziwa xa imeko engaqhelekanga ifunyenwe.
Ukutsiba nawaphi na amanyathelo onokuwasebenzisa omitStages
.
Kwifayile yomgaqo-nkqubo, sinokuchaza amacandelo amaninzi anemigangatho eyahlukeneyo yokugawulwa kwemithi. Umgaqo wokuqala wongqamaniso ofunyenwe kwinkcazo yomgaqo-nkqubo uya kusetyenziswa.
I-kubelet daemon ihlola utshintsho kwi-manifest ngoqwalaselo lwe-api-server kwaye, ukuba kukho nakuphi na okuchongiweyo, iqala kwakhona isikhongozeli nge-api-server. Kodwa kukho ingcaciso ebalulekileyo: utshintsho kwifayile yenkqubo aziyi kuhoywa yiyo. Emva kokwenza utshintsho kwifayile yepolisi, kuya kufuneka uqalise kwakhona i-api-server ngesandla. Ekubeni i-api-server iqalwe njenge kubectl delete
ayizukuyibangela ukuba iqale kwakhona. Kuya kufuneka uyenze ngesandla docker stop
kwi-kube-masters, apho umgaqo-nkqubo wophicotho utshintshiwe:
docker stop $(docker ps | grep k8s_kube-apiserver | awk '{print $1}')
Xa uvumela uphicotho-zincwadi, kubalulekile ukukhumbula oko umthwalo kwi kube-apiserver uyenyuka. Ngokukodwa, ukusetyenziswa kwememori yokugcina umxholo wesicelo kuyenyuka. Ukuloga kuqala kuphela emva kokuba isihloko sempendulo sithunyelwe. Umthwalo ukwaxhomekeke kubume bomgaqo-nkqubo wophicotho.
Imizekelo yemigaqo-nkqubo
Makhe sijonge ubume beefayile zomgaqo-nkqubo sisebenzisa imizekelo.
Nantsi ifayile elula policy
ukuloga yonke into kwinqanaba Metadata
:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
Kumgaqo-nkqubo ungakhankanya uluhlu lwabasebenzisi (Users
и ServiceAccounts
) kunye namaqela abasebenzisi. Umzekelo, le yindlela esiya kubahoya ngayo abasebenzisi benkqubo, kodwa faka yonke enye into kwinqanaba Request
:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: None
userGroups:
- "system:serviceaccounts"
- "system:nodes"
users:
- "system:anonymous"
- "system:apiserver"
- "system:kube-controller-manager"
- "system:kube-scheduler"
- level: Request
Kukwangenzeka ukuchaza iithagethi:
- izithuba zamagama (
namespaces
); - Izenzi (izenzi:
get
,update
,delete
kunye nabanye); - izixhobo (Zixhobo, oku:
pod
,configmaps
njl.njl) kunye namaqela ovimba (apiGroups
).
Thabatha ingqalelo! Izixhobo kunye namaqela ezixhobo (amaqela e-API, okt apiGroups), kunye neenguqulelo zabo ezifakwe kwiqela, zinokufunyanwa ngokusebenzisa imiyalelo:
kubectl api-resources
kubectl api-versions
Lo mgaqo-nkqubo wophicotho-zincwadi ulandelayo unikiwe njengomboniso weendlela ezizezona zingcono
apiVersion: audit.k8s.io/v1beta1
kind: Policy
# Не логировать стадию RequestReceived
omitStages:
- "RequestReceived"
rules:
# Не логировать события, считающиеся малозначительными и не опасными:
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- group: "" # это api group с пустым именем, к которому относятся
# базовые ресурсы Kubernetes, называемые “core”
resources: ["endpoints", "services"]
- level: None
users: ["system:unsecured"]
namespaces: ["kube-system"]
verbs: ["get"]
resources:
- group: "" # core
resources: ["configmaps"]
- level: None
users: ["kubelet"]
verbs: ["get"]
resources:
- group: "" # core
resources: ["nodes"]
- level: None
userGroups: ["system:nodes"]
verbs: ["get"]
resources:
- group: "" # core
resources: ["nodes"]
- level: None
users:
- system:kube-controller-manager
- system:kube-scheduler
- system:serviceaccount:kube-system:endpoint-controller
verbs: ["get", "update"]
namespaces: ["kube-system"]
resources:
- group: "" # core
resources: ["endpoints"]
- level: None
users: ["system:apiserver"]
verbs: ["get"]
resources:
- group: "" # core
resources: ["namespaces"]
# Не логировать обращения к read-only URLs:
- level: None
nonResourceURLs:
- /healthz*
- /version
- /swagger*
# Не логировать сообщения, относящиеся к типу ресурсов “события”:
- level: None
resources:
- group: "" # core
resources: ["events"]
# Ресурсы типа Secret, ConfigMap и TokenReview могут содержать секретные данные,
# поэтому логируем только метаданные связанных с ними запросов
- level: Metadata
resources:
- group: "" # core
resources: ["secrets", "configmaps"]
- group: authentication.k8s.io
resources: ["tokenreviews"]
# Действия типа get, list и watch могут быть ресурсоёмкими; не логируем их
- level: Request
verbs: ["get", "list", "watch"]
resources:
- group: "" # core
- group: "admissionregistration.k8s.io"
- group: "apps"
- group: "authentication.k8s.io"
- group: "authorization.k8s.io"
- group: "autoscaling"
- group: "batch"
- group: "certificates.k8s.io"
- group: "extensions"
- group: "networking.k8s.io"
- group: "policy"
- group: "rbac.authorization.k8s.io"
- group: "settings.k8s.io"
- group: "storage.k8s.io"
# Уровень логирования по умолчанию для стандартных ресурсов API
- level: RequestResponse
resources:
- group: "" # core
- group: "admissionregistration.k8s.io"
- group: "apps"
- group: "authentication.k8s.io"
- group: "authorization.k8s.io"
- group: "autoscaling"
- group: "batch"
- group: "certificates.k8s.io"
- group: "extensions"
- group: "networking.k8s.io"
- group: "policy"
- group: "rbac.authorization.k8s.io"
- group: "settings.k8s.io"
- group: "storage.k8s.io"
# Уровень логирования по умолчанию для всех остальных запросов
- level: Metadata
Omnye umzekelo omhle womgaqo-nkqubo wophicotho
Ukuphendula ngokukhawuleza kwiziganeko zophicotho-zincwadi, kunokwenzeka chaza i-webhook. Lo mbandela ubandakanywa kuyo
Iziphumo
Eli nqaku libonelela ngesishwankathelo seendlela zokhuseleko ezisisiseko kumaqela e-Kubernetes, akuvumela ukuba wenze ii-akhawunti zomsebenzisi ezizezakho, wahlule amalungelo abo, kwaye urekhode izenzo zabo. Ndiyathemba ukuba kuya kuba luncedo kwabo bajongene nemiba enjalo kwithiyori okanye ekusebenzeni. Ndikwacebisa ukuba ufunde uluhlu lwezinye izinto kwisihloko sokhuseleko kwi-Kubernetes, enikwe kwi-"PS" - mhlawumbi phakathi kwabo uya kufumana iinkcukacha eziyimfuneko kwiingxaki ezichaphazelekayo kuwe.
PS
Funda nakwibhlog yethu:
- «
33+ Kubernetes izixhobo zokhuseleko "; - «
Intshayelelo ye-Kubernetes Network Policies kuBasebenzi boKhuseleko "; - «
Ukuqonda i-RBAC eKubernetes "; - «
Iindlela ezi-9 ezilungileyo zoKhuseleko lweKubernetes "; - «
Iindlela ezili-11 zoku (Hayi) ukuba lixhoba le-Kubernetes Hack ».
umthombo: www.habr.com