Focusing on securing access to the Kubernetes cluster with authentication mechanisms
kubectl create serviceaccount sa1
kubectl get serviceaccount
kube-apiserver.service
ExecStart=/usr/local/bin/kube-apiserver \
  --advertise-address=${INTERNAL_IP} \
  --allow-privileged=true \
  --apiserver-count=3 \
  --authorization-mode=Node,RBAC \
  --bind-address=0.0.0.0 \
  --enable-swagger-ui=true \
  --etcd-servers=https://127.0.0.1:2379 \
  --event-ttl=1h \
  --runtime-config=api/all \
  --service-cluster-ip-range=10.32.0.0/24 \
  --service-node-port-range=30000-32767 \
  --v=2 \
  --basic-auth-file=user-details.csv
/etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --advertise-address=172.17.0.107
    - --allow-privileged=true
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --basic-auth-file=user-details.csv
    image: k8s.gcr.io/kube-apiserver-amd64:v1.11.3
    name: kube-apiserver
Authenticate User
[Static Password File]
curl -v -k https://master-node-ip:6443/api/v1/pods -u "user1:password123"
user-details.csv
password123,user1,u001,group1
password123,user2,u002,group1
password123,user3,u003,group2
password123,user4,u004,group2
password123,user5,u005,group2
[Static Token File]
curl -v -k https://master-node-ip:6443/api/v1/pods --header "Authorization: Bearer KpjCVbI7dFKSDHKWERMSDkfuslkdf783SKDUC9kd"
user-token-details.csv
KpjCVbI7dFKSDHKWERMSDkfuslkdf783SKDUC9kd,user10,u0010,group1
rjDKLjiedkSJif83lsDJFjid90kjsdlJK3lksdjF,user11,u0011,group1
ckjfEkdjfosijel3kdjfs98kdfjlikwkdjSkdfji,user12,u0012,group1
sklelDKjfoidVCKJf893klDKJFKsd89vkmdFjlsd,user13,u0013,group2
kEKdjodfkxckjlhEJFksoiuoi34dlke4fkjJkoij,user14,u0014,group2
--token-auth-file=user-token-details.csv
[BASIC Authentication Summary]
Setting up basic authentication in Kubernetes
Configuring basic authentication in a kubeadm setup
Create the file below locally (the format is password,user,uid with no spaces after the commas; a leading space would become part of the user name)
/tmp/users/user-details.csv
password123,user1,u0001
password123,user2,u0002
password123,user3,u0003
password123,user4,u0004
password123,user5,u0005
Edit the kube-apiserver static Pod configured by kubeadm so that the user details file is passed in. The manifest is located at:
/etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    <content-hidden>
    image: k8s.gcr.io/kube-apiserver-amd64:v1.11.3
    name: kube-apiserver
    volumeMounts:
    - mountPath: /tmp/users
      name: usr-details
      readOnly: true
  volumes:
  - hostPath:
      path: /tmp/users
      type: DirectoryOrCreate
    name: usr-details
Change the startup options so that kube-apiserver starts with the basic-auth file
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    <content-hidden>
    - --basic-auth-file=/tmp/users/user-details.csv
    image: k8s.gcr.io/kube-apiserver-amd64:v1.11.3
    name: kube-apiserver
    volumeMounts:
    - mountPath: /tmp/users
      name: usr-details
      readOnly: true
  volumes:
  - hostPath:
      path: /tmp/users
      type: DirectoryOrCreate
    name: usr-details
Create a Role and RoleBinding if needed
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: user1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
Once created, authenticate to the kube-apiserver using the user's credentials.
curl -v -k https://localhost:6443/api/v1/pods -u "user1:password123"
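As an added example (not part of the original notes), the two steps above modelled in Python: a static password/token file is parsed into identities, an Authorization header is resolved to one of them, and the pod-reader Role plus read-pods RoleBinding decide whether the verb is allowed. The sample file contents, the 401/403 mapping and the reduced Role/RoleBinding dictionaries are constructed assumptions for the example.

```python
import base64
import csv

# Constructed samples in the page's static-file format: secret,user,uid[,group]
PASSWORD_FILE = "password123,user1,u001,group1\npassword123,user2,u002,group1\n"
TOKEN_FILE = "KpjCVbI7dFKSDHKWERMSDkfuslkdf783SKDUC9kd,user10,u0010,group1\n"

def load_static_file(text):
    """Parse a basic-auth or token file into records; fields are stripped so ' user1' != 'user1'."""
    records = []
    for row in csv.reader(text.splitlines()):
        if len(row) < 3:
            continue  # malformed line: needs at least secret,user,uid
        groups = [g.strip() for g in row[3].split(",")] if len(row) > 3 else []
        records.append({"secret": row[0].strip(), "user": row[1].strip(),
                        "uid": row[2].strip(), "groups": groups})
    return records

RECORDS = load_static_file(PASSWORD_FILE) + load_static_file(TOKEN_FILE)

# The page's pod-reader Role and read-pods RoleBinding, reduced to what the check needs (assumed shape).
ROLE = {"name": "pod-reader", "rules": [{"resources": ["pods"], "verbs": ["get", "watch", "list"]}]}
BINDING = {"namespace": "default", "roleRef": "pod-reader",
           "subjects": [{"kind": "User", "name": "user1"}]}

def authenticate(header, records=RECORDS):
    """Authentication: map an Authorization header to a file record, or None if rejected."""
    scheme, _, value = header.partition(" ")
    if scheme == "Bearer":
        return next((r for r in records if r["secret"] == value), None)
    if scheme == "Basic":
        user, _, password = base64.b64decode(value).decode().partition(":")
        return next((r for r in records if r["user"] == user and r["secret"] == password), None)
    return None

def authorize(identity, verb, resource, namespace, role=ROLE, binding=BINDING):
    """Authorization: is the identity bound to the Role, and does a rule allow verb on resource?"""
    if namespace != binding["namespace"] or binding["roleRef"] != role["name"]:
        return False
    bound = any((s["kind"] == "User" and s["name"] == identity["user"]) or
                (s["kind"] == "Group" and s["name"] in identity["groups"])
                for s in binding["subjects"])
    return bound and any(verb in r["verbs"] and resource in r["resources"] for r in role["rules"])

def handle_request(header, verb, resource, namespace="default"):
    """Status the API server would return: 401 unauthenticated, 403 forbidden, 200 allowed."""
    identity = authenticate(header)
    if identity is None:
        return 401
    return 200 if authorize(identity, verb, resource, namespace) else 403
```

Note that --basic-auth-file was deprecated in Kubernetes v1.16 and removed in v1.19, so on current clusters only the token-file path of this model still applies; the example also shows why every user sharing password123 gives no per-user accountability beyond the name typed in the header.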