
Kubernetes (k8s) security notes

##############Security################
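# Inspect a certificate. Check: Subject (CN = Kubernetes username, O = groups),
# Issuer (must be the cluster CA), Validity/Not After, and for server certs the
# X509v3 Subject Alternative Name entries.
openssl x509 -in <cert>.crt -text -noout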
#########
CA certificate (the self-signed root every cluster component trusts):
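# CA private key. Keep ca.key offline / tightly permissioned: whoever holds it can
# mint client certs for any user or group (including system:masters) that the
# API server will accept, and Kubernetes has no certificate revocation.
openssl genrsa -out ca.key 2048
# Signing request for the CA itself (CN is informational for a CA)
openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr
# Self-sign with the CA's own key. The original line dropped the key after -signkey.
# openssl x509 defaults to a 30-day validity; add -days <n> for a real CA.
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt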
Client certificate (admin user):
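openssl genrsa -out admin.key 2048
# -subj was missing in the original. CN becomes the Kubernetes username, O the group.
# No space before /O= — a space would become part of the CN.
openssl req -new -key admin.key -subj "/CN=kube-admin/O=system:masters" -out admin.csr
# Sign with the cluster CA (the original omitted the CSR file). -CAcreateserial is
# needed the first time, when no ca.srl serial file exists yet. Default validity is
# 30 days; add -days <n> deliberately.
openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out admin.crt
# WARNING: O=system:masters is a built-in super-user group that bypasses RBAC
# authorization. Combined with the absence of revocation, this cert is
# cluster-admin until it expires. Keep it as a break-glass credential with a short
# lifetime; give day-to-day users a named group bound through RBAC instead.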
################################################
Kubernetes can sign certificates for you through the Certificates API: take the CSR generated with openssl, base64-encode it as a single line, and embed it in a CertificateSigningRequest object (YAML below).
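# Base64-encode the PEM CSR as ONE line for the request: field. base64 wraps output at
# 76 characters by default, so strip the newlines (or use `base64 -w 0` on GNU coreutils).
cat <name>.csr | base64 | tr -d '\n'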
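---
# CertificateSigningRequest for a client (user) certificate signed by the cluster CA.
# certificates.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 additionally
# requires signerName.
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: akshay
spec:
  # Built-in signer for API client certs. It requires manual approval and only
  # issues certs whose usages are within digital signature / key encipherment /
  # client auth — a request carrying "server auth" (as in the original) is failed.
  signerName: kubernetes.io/kube-apiserver-client
  # Filled in by the API server from the identity that creates the object; harmless
  # to list, but not a way to ask for extra groups.
  groups:
    - system:authenticated
  # Single-line base64 of the PEM CSR (see the base64 command above).
  request: <BASE64_ENCODED_CSR>
  # Optional (1.22+): shorter lifetime, since issued certs cannot be revoked.
  # expirationSeconds: 86400
  usages:
    - digital signature
    - key encipherment
    - client auth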
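# List requests and their state (Pending / Approved / Issued / Denied)
kubectl get csr
# Inspect BEFORE approving: decode spec.request and check the CN (username) and O
# (groups) actually asked for. Approving a CSR whose O is system:masters hands out an
# irrevocable cluster-admin credential.
kubectl get csr <name> -o yaml
kubectl get csr <name> -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -subject
# <name> is metadata.name of the CSR object (the original notes mix "akshay" and "jane").
kubectl certificate approve <name>
kubectl certificate deny <name>
kubectl delete csr <name>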
##############
kubectl config view
apiVersion: v1
kind: Config
clusters:
contexts:
users:
- name: my-kube-playground
- name: my-kube-admin@my-kube-playground
- name: my-kube-admin
(values hidden…)
- name: development
- name: production
- name: google
- name: admin
- name: dev-user
- name: prod-user
kubectl config view --kubeconfig=my-custom-config
To switch the current context (the cluster/user pair kubectl will use):
kubectl config --kubeconfig=my-kube-config use-context <name of context>
###############
Kube api access
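# /version is readable anonymously when anonymous auth is enabled (system:public-info-viewer);
# any other path returns 401/403 unless the client presents credentials.
curl https://kube-master:6443/version
# Authenticate with the client cert from the kubeconfig and verify the server against the
# cluster CA. `-k` only hides the TLS error; it does not make the request authorized.
curl https://kube-master:6443/api/v1/pods \
  --cacert ca.crt --cert admin.crt --key admin.key
# The API server serves https on 6443, so the original http://localhost:6443 would not
# connect. Prefer --cacert over -k: -k disables certificate verification (MITM-able).
curl https://localhost:6443/apis --cacert ca.crt --cert admin.crt --key admin.key | grep '"name"'
# Alternative: kubectl proxy listens on loopback over plain http and injects the
# kubeconfig credentials into each request, so no cert flags are needed on the curl side.
kubectl proxy &
curl http://localhost:8001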
########
RBAC
To create a Role (namespaced) from the manifest below:
kubectl create -f developer-role.yaml
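---
# Namespaced Role: list/create pods and create ConfigMaps in ONE namespace
# (the namespace is taken from the current kubectl context unless metadata.namespace is set).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
rules:
  - apiGroups: [""]  # "" is the core API group
    resources: ["pods"]
    verbs: ["list", "create"]  # ASCII quotes; the original used typographic quotes
  - apiGroups: [""]
    # Resources are the lowercase plural API names (see kubectl api-resources), not the Kind.
    # The API server does not validate rule resource names, so "ConfigMap" would be
    # accepted and then match no request.
    resources: ["configmaps"]
    verbs: ["create"]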
To bind the user to the Role (RoleBinding, scoped to the same namespace):
kubectl create -f devuser-developer-binding.yaml
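---
# Bind user dev-user to the developer Role. Effective only in the binding's namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  # Named to match the file and the `kubectl describe rolebinding` command below.
  name: devuser-developer-binding
subjects:
  - kind: User
    # The username as presented by the authenticator (e.g. the client cert CN).
    # The original had "dev-user-binding" here, which is the binding's name, not a user,
    # so the binding granted nothing to dev-user.
    name: dev-user
    apiGroup: rbac.authorization.k8s.io
roleRef:
  # roleRef is immutable after creation; to point at a different role, recreate the binding.
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io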
To check the roles:
kubectl get role
To check the bindings:
kubectl get rolebindings
To describe the role and its binding:
kubectl describe role developer
kubectl describe rolebinding devuser-developer-binding
To check access (as yourself, then impersonating another user — `--as` requires the impersonate permission, which cluster admins have):
kubectl auth can-i create deployments
kubectl auth can-i create deployments --as dev-user --namespace test
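# Limit access to specific named objects with resourceNames
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
rules:
  - apiGroups: [""]
    resources: ["pods"]  # plural API name; the original "pod" matches nothing
    # resourceNames only constrains verbs that act on an existing named object
    # (get, update, patch, delete ...). It cannot restrict create — the name is not
    # known at authorization time — so "create" in this rule is dead; grant create in a
    # separate rule without resourceNames if it is really needed. list/watch are only
    # matched when the client sends a metadata.name field selector.
    verbs: ["get", "create", "delete"]  # original had a stray space in " get"
    resourceNames: ["blue", "green"]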
##########Cluster roles #############
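---
# ClusterRole: needed for cluster-scoped resources such as nodes. Its namespaced rules
# (configmaps) apply in EVERY namespace once granted through a ClusterRoleBinding.
# Naming a role after a person is a course-example habit; in practice name roles by what
# they grant (e.g. node-reader) and bind users/groups to them.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: michelle
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["list"]
  - apiGroups: [""]
    resources: ["configmaps"]  # lowercase plural, not the Kind "ConfigMap"
    verbs: ["create"]  # ASCII quotes; the original used typographic quotes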
To bind the user to the ClusterRole (ClusterRoleBinding — cluster-wide, not namespaced):
kubectl create -f <clusterrolebinding file>.yaml
---
# Cluster-wide binding: user michelle receives every rule of ClusterRole michelle —
# on cluster-scoped resources (nodes) and, for configmaps, in ALL namespaces.
# A ClusterRoleBinding is never namespaced. To restrict a ClusterRole's namespaced rules
# to one namespace, use a RoleBinding whose roleRef points at the ClusterRole instead.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: michelle
roleRef:
  # Immutable once created; recreate the binding to change the target role.
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: michelle
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: michelle
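# Resources that live inside a namespace (use Role / RoleBinding for these)
kubectl api-resources --namespaced=true
# Cluster-scoped resources, e.g. nodes, namespaces, persistentvolumes (need a ClusterRole).
# The original note had --namespaced=true on both lines.
kubectl api-resources --namespaced=false
# Count cluster roles
kubectl get clusterroles --no-headers | wc -l
# Count cluster role bindings
kubectl get clusterrolebindings --no-headers | wc -l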
################Image security####################
image: nginx is shorthand for docker.io/library/nginx — registry (docker.io) / user or project (library, used for official images) / image (nginx).
For a private registry always write the full path (registry:port/user/image); a bare name is pulled from Docker Hub and the pull secret below is never consulted.
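# Pull secret for the private registry. Note the space before each "\": without it the
# line continuation glues the next flag onto the previous value
# ("dock_user--docker-password=dock_password--docker-email=..."), as in the original.
kubectl create secret docker-registry private-reg-cred \
  --docker-server=myprivateregistry.com:5000 \
  --docker-username=dock_user \
  --docker-password=dock_password \
  --docker-email=dock_user@myprivateregistry.com
# The password passed on the command line ends up in shell history and is visible in
# `ps` while the command runs. The resulting Secret is only base64-encoded, not
# encrypted: restrict RBAC access to secrets and enable encryption at rest in etcd.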
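---
# Pod pulling from the private registry configured in the Secret above.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod
spec:
  containers:
    - name: nginx
      # Fully-qualified reference. A bare "nginx" resolves to docker.io/library/nginx,
      # for which a private-registry pull secret is never used.
      image: myprivateregistry.com:5000/nginx
  imagePullSecrets:
    # Must be a docker-registry Secret in the pod's namespace. The Secret created above
    # is private-reg-cred; the original referenced "regcred", which this page never creates.
    - name: private-reg-cred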
##############Security context###################
Pod level: securityContext under spec applies to every container in the pod (a container-level securityContext overrides it for that container).
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod
spec:
  # Pod-level securityContext: all containers run as UID 1000 unless a container
  # sets its own securityContext.runAsUser. Consider adding runAsNonRoot: true so an
  # image that defaults to UID 0 is refused instead of silently running as root.
  securityContext:
    runAsUser: 1000
  containers:
    - name: nginx
      image: nginx
      command:
        - sleep
        - "3600"
  imagePullSecrets:
    # Must name an existing docker-registry Secret in this namespace.
    - name: regcred
Container level: securityContext under the container entry overrides the pod-level values for that container only.
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod
spec:
  containers:
    - name: nginx
      image: nginx
      command:
        - sleep
        - "3600"
      # Container-level securityContext. capabilities can ONLY be set here — the
      # pod-level securityContext has no capabilities field.
      securityContext:
        runAsUser: 1000
        capabilities:
          # CAP_MAC_ADMIN allows MAC (LSM) configuration changes — see capabilities(7).
          # Add capabilities only when the workload demonstrably needs them; hardened
          # setups pair any "add" with drop: ["ALL"].
          add:
            - MAC_ADMIN
  imagePullSecrets:
    - name: regcred
#######Network policy###############
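---
# Allow inbound TCP/3306 to pods labelled role=db ONLY from pods labelled name=api-pod
# in the same namespace (no namespaceSelector given); all other ingress to those pods
# is denied. NetworkPolicy objects are only enforced by a CNI plugin that supports them
# (e.g. Calico, Cilium, Weave); with a plugin that does not, the object is accepted and ignored.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internal-policy
spec:
  # Pods the policy applies to. The field is matchLabels — the original's "matchLables"
  # is not a valid key; if the server prunes it, podSelector becomes {} and the policy
  # is applied to EVERY pod in the namespace.
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Same typo hazard here: an empty peer podSelector admits all pods in the namespace.
        - podSelector:
            matchLabels:
              name: api-pod
      # ports belongs beside from, inside the same rule (these peers on these ports).
      ports:
        - protocol: TCP
          port: 3306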
#######EGRESS
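---
# Egress side for the same role=db pods. Once policyTypes contains Egress, ALL outbound
# traffic not matched below is dropped — including DNS to kube-dns (UDP/TCP 53), so add
# a rule for it if these pods resolve names.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  # The original reused "internal-policy": in one namespace `kubectl create` then fails
  # with AlreadyExists and `kubectl apply` replaces the ingress rules. Either use a
  # distinct name (as here) or merge both into one policy with policyTypes [Ingress, Egress].
  name: internal-policy-egress
spec:
  podSelector:
    matchLabels:  # not "matchLables" — an unknown key can leave the selector empty
      role: db
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              name: api-pod
      ports:
        - protocol: TCP
          port: 8080
    # Second rule as written in the original: same destination pods, port 3306.
    # NOTE(review): looks like a copy/paste — a db pod rarely needs egress to the api
    # pod on the db port; confirm the intended destination before using.
    - to:
        - podSelector:
            matchLabels:
              name: api-pod
      ports:
        - protocol: TCP
          port: 3306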