
CKA & CKAD/Security (15)
Practice Test - KubeConfig We look at kubeconfig in Kubernetes. So far we have seen how to generate a certificate for a user, and how a client uses the certificate file and key to query the Kubernetes REST API for a list of Pods using curl. In this case my cluster is called my-kube-playground, so we send a curl request to the address of the kube-apiserver while passing in the pair of files along with the CA certificate a..
Practice Test - Certificates API $ openssl genrsa -out jane.key 2048 jane.key $ openssl req -new -key jane.key -subj "/CN=jane" -out jane.csr cat jane.csr | base64 jane-csr.yaml apiVersion: certificates.k8s.io/v1beta1 kind: CertificateSigningRequest metadata: name: jane spec: groups: - system:authenticated usages: - digital signature - key encipherment - server auth request: [add the base64 output of cat jane.csr | base64 here] kubectl get csr kubectl c..
Practice Test - View Certificates cat /etc/kubernetes/manifests/kube-apiserver.yaml spec: containers: - command: - kube-apiserver - --advertise-address=172.17.0.31 - --allow-privileged=true - --authorization-mode=Node,RBAC - --client-ca-file=/etc/kubernetes/pki/ca.crt - --enable-admission-plugins=NodeRestriction - --enable-bootstrap-token-auth=true - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt - --etcd-certfile=/etc/kubernetes/..
TLS Certificates $ cat /etc/kubernetes/manifests/kube-apiserver.yaml spec: containers: - command: - kube-apiserver - --authorization-mode=Node,RBAC - --advertise-address=172.17.0.32 - --allow-privileged=true - --client-ca-file=/etc/kubernetes/pki/ca.crt - --disable-admission-plugins=PersistentVolumeLabel - --enable-admission-plugins=NodeRestriction - --enable-bootstrap-token-auth=true - --etcd-cafile=/etc/kuberne..
TLS in Kubernetes Generating a certificate pair with OpenSSL - Certificate Authority (CA): Generate Keys (ca.key) $ openssl genrsa -out ca.key 2048 ca.key; Certificate Signing Request $ openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr ca.csr; Sign Certificates $ openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt ca.crt - ADMIN USER: Generate Keys $ openssl genrsa -out admin.key 2048 admin.key; Certific..
TLS A certificate is used to guarantee trust between two parties during a transaction. Scenario: we're going to refer to the public lock as the public key going forward. Now that you have the idea: the ssh-keygen command we used earlier creates a pair of keys for SSH purposes. The format is a bit different here; we use the openssl command to generate a private and public key pair, and that's how the..
Authentication Focusing on securing access to the Kubernetes cluster with authentication mechanisms kubectl create serviceaccount sa1 kubectl get serviceaccount kube-apiserver.service ExecStart=/usr/local/bin/kube-apiserver \\ --advertise-address=${INTERNAL_IP} \\ --allow-privileged=true \\ --apiserver-count=3 \\ --authorization-mode=Node,RBAC \\ --bind-address=0.0.0.0 \\ --enable-swagger-ui=true \\ --etcd-s..