The ABCs of Kubernetes Security: Authentication, Authorization, Auditing

Sooner or later, in the operation of any system, the question of security comes up: ensuring authentication, separating rights, auditing and other tasks. Many solutions have already been created for Kubernetes that let you achieve compliance with standards even in very demanding environments... This material is devoted to the basic security aspects implemented within the built-in mechanisms of K8s. First of all, it will be useful to those who are just getting acquainted with Kubernetes, as a starting point for studying security-related questions.

Authentication

There are two types of users in Kubernetes:

  • Service Accounts - accounts managed by the Kubernetes API;
  • users - "regular" users managed by external, independent services.

The main difference between these types is that for Service Accounts there are special objects in the Kubernetes API (they are called exactly that: ServiceAccounts), which are bound to a namespace and have a set of authorization data stored in the cluster in objects of type Secret. This kind of user (Service Accounts) is intended primarily for controlling the access rights to the Kubernetes API of processes running inside the Kubernetes cluster.

Regular users have no entries in the Kubernetes API: they must be managed by external mechanisms. They are intended for people or processes living outside the cluster.

Each API request is associated either with a Service Account, with a User, or is considered anonymous.

A user's authentication data includes:

  • username - the user name (case-sensitive!);
  • UID - a machine-readable user identifier string that is "more consistent and unique than the username";
  • groups - the list of groups the user belongs to;
  • extra - additional fields that can be used by the authorization mechanism.

Kubernetes can use a large number of authentication mechanisms: X509 certificates, Bearer tokens, an authenticating proxy, HTTP Basic Auth. Using these mechanisms you can implement a large number of authentication schemes: from a static file with passwords to OpenID OAuth2.

Moreover, several authentication schemes can be used at the same time. By default the cluster uses:

  • service account tokens - for Service Accounts;
  • X509 - for users.

Managing Service Accounts is beyond the scope of this article, but for those who want to get to know this topic in more detail, I recommend starting with the official documentation. We will take a closer look at how X509 certificates work.

Certificates for users (X.509)

The classic way of working with certificates consists of:

  • generating a key:
    mkdir -p ~/.certs/
    openssl genrsa -out ~/.certs/mynewuser.key 2048
  • creating a certificate signing request:
    openssl req -new -key ~/.certs/mynewuser.key -out ~/.certs/mynewuser.csr -subj "/CN=mynewuser/O=company"
  • signing the request with the Kubernetes cluster CA keys, which yields the user certificate (to obtain the certificate you must use an account that has access to the Kubernetes cluster CA key, which by default is located at /etc/kubernetes/pki/ca.key):
    openssl x509 -req -in ~/.certs/mynewuser.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out ~/.certs/mynewuser.crt -days 500
  • creating the config file:
    • cluster description (specify the address and the location of the CA certificate file for the particular cluster):
      kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server=https://192.168.100.200:6443
    • or, as an example of how not to do it, the insecure option: the root certificate is not specified (kubectl will then not verify the identity of the cluster's api-server):
      kubectl config set-cluster kubernetes  --insecure-skip-tls-verify=true --server=https://192.168.100.200:6443
    • adding the user to the config file:
      kubectl config set-credentials mynewuser --client-certificate=.certs/mynewuser.crt  --client-key=.certs/mynewuser.key
    • adding a context:
      kubectl config set-context mynewuser-context --cluster=kubernetes --namespace=target-namespace --user=mynewuser
    • setting the default context:
      kubectl config use-context mynewuser-context

After the manipulations above, a config like this will be created in the .kube/config file:

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/pki/ca.crt
    server: https://192.168.100.200:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: target-namespace
    user: mynewuser
  name: mynewuser-context
current-context: mynewuser-context
kind: Config
preferences: {}
users:
- name: mynewuser
  user:
    client-certificate: /home/mynewuser/.certs/mynewuser.crt
    client-key: /home/mynewuser/.certs/mynewuser.key

To make it easier to move the config between accounts and servers, it is useful to edit the values of the following keys:

  • certificate-authority
  • client-certificate
  • client-key

To do this, you can base64-encode the files they point to and put the result into the config, adding the -data suffix to the key names, i.e. you get certificate-authority-data and so on.
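As an added illustration (not code from the original article), the following Python function performs exactly this rewrite on a kubeconfig: it base64-encodes the file each of the three keys points to and replaces the key with its -data counterpart. The sample config and the placeholder file contents are constructed, and the read_file parameter is an assumption of the example so that it runs without real certificate files.

```python
import base64
import re

# Keys whose values are file paths; each has a "-data" twin that holds the
# base64-encoded file contents inline instead.
PATH_KEYS = ("certificate-authority", "client-certificate", "client-key")
_PATH_LINE = re.compile(
    r"^(?P<indent>\s*)(?P<key>" + "|".join(PATH_KEYS) + r"): (?P<path>\S+)\s*$")


def _read_bytes(path):
    with open(path, "rb") as fh:
        return fh.read()


def embed_kubeconfig(config_text, read_file=_read_bytes):
    """Return a copy of the kubeconfig text in which every path key is replaced
    by its '-data' twin. read_file(path) returns the file contents as bytes;
    it is a parameter so the function can be exercised without touching disk."""
    out = []
    for line in config_text.splitlines():
        m = _PATH_LINE.match(line)
        if m is None:
            out.append(line)  # every other line is copied through unchanged
            continue
        blob = base64.b64encode(read_file(m.group("path"))).decode("ascii")
        out.append(f"{m.group('indent')}{m.group('key')}-data: {blob}")
    return "\n".join(out) + "\n"


# Constructed sample: the relevant parts of the kubeconfig from the article plus
# placeholder file contents (not real PEM material) so the example runs offline.
SAMPLE_CONFIG = """\
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/pki/ca.crt
    server: https://192.168.100.200:6443
  name: kubernetes
users:
- name: mynewuser
  user:
    client-certificate: /home/mynewuser/.certs/mynewuser.crt
    client-key: /home/mynewuser/.certs/mynewuser.key
"""
SAMPLE_FILES = {
    "/etc/kubernetes/pki/ca.crt": b"CA",
    "/home/mynewuser/.certs/mynewuser.crt": b"CRT",
    "/home/mynewuser/.certs/mynewuser.key": b"KEY",
}


def embed_sample():
    """Run the conversion on the constructed sample."""
    return embed_kubeconfig(SAMPLE_CONFIG, lambda p: SAMPLE_FILES[p])


if __name__ == "__main__":
    print(embed_sample())
```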

Certificates with kubeadm

With the release of Kubernetes 1.15, working with certificates has become much simpler thanks to alpha support for it in the kubeadm utility. For example, this is what generating a config file with user keys can now look like:

kubeadm alpha kubeconfig user --client-name=mynewuser --apiserver-advertise-address 192.168.100.200

NB: the required advertise address can be found in the api-server config, which by default is at /etc/kubernetes/manifests/kube-apiserver.yaml.

The resulting config is written to stdout. It needs to be saved to ~/.kube/config in the user's home directory, or to the file specified by the KUBECONFIG environment variable.

Digging deeper

For those who want to understand the questions described here in more depth:

Authorization

By default, an authenticated account has no rights to operate on the cluster. To grant permissions, Kubernetes implements an authorization mechanism.

Before version 1.6, Kubernetes used an authorization type called ABAC (Attribute-based access control). Details about it can be found in the official documentation. This approach is currently considered legacy, but it can still be used together with other authentication types.

The current (and more flexible) way of distributing access rights to the cluster is called RBAC (Role-based access control). It has been declared stable since Kubernetes version 1.8. RBAC implements a permissions model in which everything that is not explicitly allowed is forbidden.
To enable RBAC you need to start the Kubernetes api-server with the parameter --authorization-mode=RBAC. The parameters are set in the manifest with the api-server configuration, which by default is located at /etc/kubernetes/manifests/kube-apiserver.yaml, in the command section. However, RBAC is already enabled by default, so most likely you don't need to worry about it: you can verify this by the value of authorization-mode (in the already mentioned kube-apiserver.yaml). By the way, among its values there may be other authorization types (node, webhook, always allow), but we will leave their consideration outside the scope of this material.

By the way, we have previously published an article with a complete and detailed description of the principles and features of working with RBAC, so from here on I will limit myself to a short list of the basics and some examples.

The following API objects are used to control access in Kubernetes via RBAC:

  • Role and ClusterRole - roles that serve to describe access rights:
    • Role lets you describe rights within a namespace;
    • ClusterRole - within the whole cluster, including cluster-specific objects such as nodes and non-resource URLs (i.e. URLs not related to Kubernetes resources - for example /version, /logs, /api*);
  • RoleBinding and ClusterRoleBinding - used to bind a Role or ClusterRole to a user, a user group or a Service Account.

Role and RoleBinding objects are limited by namespace, i.e. they must be in the same namespace. However, a RoleBinding can reference a ClusterRole, which lets you create a set of generic permissions and control access using them.

Roles describe rights using sets of rules that contain:

  • API groups - see the official documentation on apiGroups and the output of kubectl api-resources;
  • resources (resources: pod, namespace, deployment, etc.);
  • verbs (verbs: set, update, etc.);
  • resource names (resourceNames) - for the case when you need to grant access to a specific resource rather than to all resources of that type.

A more detailed analysis of authorization in Kubernetes can be found on the official documentation page. Instead (or rather, in addition), I will give examples illustrating how it works.

Examples of RBAC objects

A simple Role that lets you get the list and status of pods and watch them in the target-namespace namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: target-namespace
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

Example: a ClusterRole that lets you get the list and status of secrets and watch them across the whole cluster:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # there is no "namespace" section, since a ClusterRole covers the whole cluster
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

Example: a RoleBinding that allows the user mynewuser to "read" pods in the target-namespace namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: target-namespace
subjects:
- kind: User
  name: mynewuser # the user name is case-sensitive!
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role # must be "Role" or "ClusterRole"
  name: pod-reader # the name of the Role located in the same namespace,
                   # or the name of the ClusterRole whose use
                   # we want to allow for the user
  apiGroup: rbac.authorization.k8s.io
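To make the deny-by-default model and the namespace scoping concrete, here is an added Python model (not Kubernetes code and not from the original article) of the Role, ClusterRole and RoleBinding above, plus an allowed() check in the spirit of the api-server's RBAC authorizer. The second binding, the group name company (Kubernetes maps the O= field of the certificate subject to a group) and the user alice are constructed for this illustration.

```python
# Models of the RBAC objects from the examples above plus a deny-by-default check.
# Added illustration only; the real authorizer lives in the api-server.

ROLES = {
    # (kind, namespace, name) -> rules; ClusterRoles are not namespaced (None)
    ("Role", "target-namespace", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}],
    ("ClusterRole", None, "secret-reader"): [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}],
}

BINDINGS = [
    # the read-pods RoleBinding from the article
    {"namespace": "target-namespace",
     "subjects": [{"kind": "User", "name": "mynewuser"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    # constructed: a RoleBinding that hands the ClusterRole to the "company" group
    # (the O= field of the X.509 subject) but only inside target-namespace
    {"namespace": "target-namespace",
     "subjects": [{"kind": "Group", "name": "company"}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
]


def _subject_matches(binding, user, groups):
    for s in binding["subjects"]:
        if s["kind"] == "User" and s["name"] == user:  # exact, case-sensitive
            return True
        if s["kind"] == "Group" and s["name"] in groups:
            return True
    return False


def _rule_allows(rule, api_group, resource, verb):
    return (api_group in rule["apiGroups"] or "*" in rule["apiGroups"]) \
        and (resource in rule["resources"] or "*" in rule["resources"]) \
        and (verb in rule["verbs"] or "*" in rule["verbs"])


def allowed(user, groups, verb, api_group, resource, namespace):
    """True only if some binding for this subject reaches a rule permitting the
    action; without an explicit permission the answer is False (deny by default)."""
    for b in BINDINGS:
        if not _subject_matches(b, user, groups):
            continue
        # A RoleBinding grants only inside its own namespace, even when it references
        # a ClusterRole; a ClusterRoleBinding (namespace None) would grant everywhere.
        if b["namespace"] is not None and b["namespace"] != namespace:
            continue
        ref = b["roleRef"]
        key = (ref["kind"], b["namespace"] if ref["kind"] == "Role" else None, ref["name"])
        if any(_rule_allows(r, api_group, resource, verb) for r in ROLES.get(key, [])):
            return True
    return False


if __name__ == "__main__":
    print(allowed("mynewuser", [], "get", "", "pods", "target-namespace"))  # True
```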

Auditing

Schematically, the Kubernetes architecture can be represented as follows:

[Figure: schematic of the Kubernetes architecture]

The key Kubernetes component responsible for processing requests is the api-server. All operations on the cluster go through it. You can read more about these internal mechanisms in the article "What happens in Kubernetes when you run kubectl?".

The audit system is an interesting feature of Kubernetes that is disabled by default. It lets you log all calls to the Kubernetes API. As you might guess, all actions related to monitoring and changing the cluster state go through this API. A good description of its capabilities can (as usual) be found in the official K8s documentation. Below I will try to present the topic in simpler language.

So, to enable auditing we need to pass three required parameters to the api-server container, which are described in more detail below:

  • --audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml
  • --audit-log-path=/var/log/kube-audit/audit.log
  • --audit-log-format=json

In addition to these three required parameters, there are many additional settings related to auditing: from log rotation to webhook descriptions. An example of the log rotation parameters:

  • --audit-log-maxbackup=10
  • --audit-log-maxsize=100
  • --audit-log-maxage=7

But we will not dwell on them in more detail - you can find all the details in the kube-apiserver documentation.

As already mentioned, all parameters are set in the manifest with the api-server configuration (by default /etc/kubernetes/manifests/kube-apiserver.yaml), in the command section. Let's return to the 3 required parameters and go through them:

  1. audit-policy-file - the path to the YAML file describing the audit policy. We will return to its contents later, but for now I will note that the file must be readable by the api-server process. Therefore it has to be mounted into the container, which can be done by adding the following to the appropriate sections of the config:
      volumeMounts:
        - mountPath: /etc/kubernetes/policies
          name: policies
          readOnly: true
      volumes:
      - hostPath:
          path: /etc/kubernetes/policies
          type: DirectoryOrCreate
        name: policies
  2. audit-log-path - the path to the log file. The path must also be accessible to the api-server process, so we describe its mount in the same way:
      volumeMounts:
        - mountPath: /var/log/kube-audit
          name: logs
          readOnly: false
      volumes:
      - hostPath:
          path: /var/log/kube-audit
          type: DirectoryOrCreate
        name: logs
  3. audit-log-format - the audit log format. The default is json, but an older text format (legacy) is also available.

Audit policy

Now about the file mentioned above that describes the logging policy. The main concept of the audit policy is level, the logging level. The levels are as follows:

  • None - do not log;
  • Metadata - log the request metadata: user, request time, target resource (pod, namespace, etc.), action type (verb), and so on;
  • Request - log the metadata and the request body;
  • RequestResponse - log the metadata, the request body and the response body.

The last two levels (Request and RequestResponse) do not apply to requests that do not access resources (calls to non-resource URLs).

Also, every request goes through several stages:

  • RequestReceived - the stage when the request has been received by the handler but not yet passed further along the handler chain;
  • ResponseStarted - the response headers have been sent, but the response body has not yet been sent. Generated for long-running requests (for example, watch);
  • ResponseComplete - the response body has been sent, nothing more will be sent;
  • Panic - events generated when an abnormal situation is detected.

To skip any of the stages you can use omitStages.

In the policy file we can describe several sections with different logging levels. The first matching rule found in the policy description is applied.

The kubelet daemon monitors changes to the manifest with the api-server configuration and, if any are found, restarts the api-server container. But there is an important detail: changes to the policy file are ignored by it. After making changes to the policy file you will need to restart the api-server manually. Since the api-server is started as a static pod, the kubectl delete command will not make it restart. You will have to do a manual docker stop on the kube-masters where the audit policy was changed:

docker stop $(docker ps | grep k8s_kube-apiserver | awk '{print $1}')

When enabling auditing, it is important to remember that the load on kube-apiserver increases. In particular, memory consumption for storing request context grows. Logging starts only after the response headers have been sent. The load also depends on the audit policy configuration.

Policy examples

Let's look at the structure of policy files using examples.

Here is a simple policy file that logs everything at the Metadata level:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata

In the policy you can specify a list of users (Users and ServiceAccounts) and user groups. For example, this is how to ignore system users but log everything else at the Request level:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: None
    userGroups:
      - "system:serviceaccounts"
      - "system:nodes"
    users:
      - "system:anonymous"
      - "system:apiserver"
      - "system:kube-controller-manager"
      - "system:kube-scheduler"
  - level: Request

It is also possible to describe the targets:

  • namespaces (namespaces);
  • verbs (verbs: get, update, delete and others);
  • resources (resources, namely: pod, configmaps, etc.) and resource groups (apiGroups).

Note! The resources and resource groups (API groups, i.e. apiGroups), as well as their versions installed in the cluster, can be obtained with the commands:

kubectl api-resources
kubectl api-versions

The following audit policy is given as a demonstration of best practices in the Alibaba Cloud documentation:

apiVersion: audit.k8s.io/v1beta1
kind: Policy
# Do not log the RequestReceived stage
omitStages:
  - "RequestReceived"
rules:
  # Do not log events considered insignificant and harmless:
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: "" # this is the api group with the empty name, to which the
                  # basic Kubernetes resources, called "core", belong
        resources: ["endpoints", "services"]
  - level: None
    users: ["system:unsecured"]
    namespaces: ["kube-system"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["configmaps"]
  - level: None
    users: ["kubelet"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["nodes"]
  - level: None
    users:
      - system:kube-controller-manager
      - system:kube-scheduler
      - system:serviceaccount:kube-system:endpoint-controller
    verbs: ["get", "update"]
    namespaces: ["kube-system"]
    resources:
      - group: "" # core
        resources: ["endpoints"]
  - level: None
    users: ["system:apiserver"]
    verbs: ["get"]
    resources:
      - group: "" # core
        resources: ["namespaces"]
  # Do not log accesses to read-only URLs:
  - level: None
    nonResourceURLs:
      - /healthz*
      - /version
      - /swagger*
  # Do not log messages related to the "events" resource type:
  - level: None
    resources:
      - group: "" # core
        resources: ["events"]
  # Resources of type Secret, ConfigMap and TokenReview may contain secret data,
  # so we log only the metadata of the requests related to them
  - level: Metadata
    resources:
      - group: "" # core
        resources: ["secrets", "configmaps"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
  # Actions of type get, list and watch can be resource-intensive; we do not log their response bodies
  - level: Request
    verbs: ["get", "list", "watch"]
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default logging level for the standard API resources
  - level: RequestResponse
    resources:
      - group: "" # core
      - group: "admissionregistration.k8s.io"
      - group: "apps"
      - group: "authentication.k8s.io"
      - group: "authorization.k8s.io"
      - group: "autoscaling"
      - group: "batch"
      - group: "certificates.k8s.io"
      - group: "extensions"
      - group: "networking.k8s.io"
      - group: "policy"
      - group: "rbac.authorization.k8s.io"
      - group: "settings.k8s.io"
      - group: "storage.k8s.io"
  # Default logging level for all other requests
  - level: Metadata

Another good example of an audit policy is the profile used in GCE.

To react quickly to audit events, it is possible to describe a webhook. This topic is covered in the official documentation; I will leave it outside the scope of this article.

Conclusion

The article gives an overview of the basic security mechanisms in Kubernetes clusters that let you create personal user accounts, separate their rights and record their actions. I hope it will be useful to those who face such questions in theory or in practice. I also recommend reading the list of other materials on the topic of Kubernetes security given in the "PS" - perhaps among them you will find the details you need on the problems that matter to you.

PS

Read also on our blog:

Source: www.habr.com
