
[CKA][Practice] 6. Security (3)

백곰곰 2023. 5. 11. 23:09

Practice Test - Role-based-access-controls

```bash
## Check the kube-apiserver authorization mode (Node,RBAC)
$ ps -ef | grep api
root 3363 2825 0 08:21 ? 00:00:24 kube-apiserver --advertise-address=192.22.228.9 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/12 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key

## List the roles in every namespace
$ k get role -A
NAMESPACE     NAME                                             CREATED AT
blue          developer                                        2023-05-11T12:24:52Z
kube-public   kubeadm:bootstrap-signer-clusterinfo             2023-05-11T12:21:50Z
kube-public   system:controller:bootstrap-signer               2023-05-11T12:21:49Z
kube-system   extension-apiserver-authentication-reader        2023-05-11T12:21:48Z
kube-system   kube-proxy                                       2023-05-11T12:21:52Z
kube-system   kubeadm:kubelet-config                           2023-05-11T12:21:49Z
kube-system   kubeadm:nodes-kubeadm-config                     2023-05-11T12:21:49Z
kube-system   system::leader-locking-kube-controller-manager   2023-05-11T12:21:48Z
kube-system   system::leader-locking-kube-scheduler            2023-05-11T12:21:48Z
kube-system   system:controller:bootstrap-signer               2023-05-11T12:21:48Z
kube-system   system:controller:cloud-provider                 2023-05-11T12:21:48Z
kube-system   system:controller:token-cleaner                  2023-05-11T12:21:48Z

$ k describe role kube-proxy -n kube-system
Name:         kube-proxy
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources   Non-Resource URLs  Resource Names  Verbs
  ---------   -----------------  --------------  -----
  configmaps  []                 [kube-proxy]    [get]

## Check which account the kube-proxy role is bound to
$ k get rolebinding -n kube-system
NAME                                                ROLE                                                  AGE
kube-proxy                                          Role/kube-proxy                                       9m31s
kubeadm:kubelet-config                              Role/kubeadm:kubelet-config                           9m34s
kubeadm:nodes-kubeadm-config                        Role/kubeadm:nodes-kubeadm-config                     9m34s
system::extension-apiserver-authentication-reader   Role/extension-apiserver-authentication-reader        9m34s
system::leader-locking-kube-controller-manager      Role/system::leader-locking-kube-controller-manager   9m34s
system::leader-locking-kube-scheduler               Role/system::leader-locking-kube-scheduler            9m34s
system:controller:bootstrap-signer                  Role/system:controller:bootstrap-signer               9m34s
system:controller:cloud-provider                    Role/system:controller:cloud-provider                 9m34s
system:controller:token-cleaner                     Role/system:controller:token-cleaner                  9m34s

$ k describe rolebinding kube-proxy -n kube-system
Name:         kube-proxy
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  kube-proxy
Subjects:
  Kind   Name                                             Namespace
  ----   ----                                             ---------
  Group  system:bootstrappers:kubeadm:default-node-token

## Check what dev-user is allowed to do
$ kubectl auth can-i get po -n default --as dev-user
no
```

Creating the Role and RoleBinding

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: developer
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-user-binding
  namespace: default
subjects:
- kind: User
  name: dev-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io
```

Checking the permissions

```bash
$ k auth can-i create po -n default --as dev-user
yes

$ k get role -n blue
NAME        CREATED AT
developer   2023-05-11T12:24:52Z

$ k describe role developer -n blue
Name:         developer
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 [blue-app]      [get watch create delete]
```

Editing the role (adding dark-blue-app)

```bash
$ k edit role developer -n blue
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2023-05-11T12:24:52Z"
  name: developer
  namespace: blue
  resourceVersion: "684"
  uid: 42f67521-51a9-449a-8081-34bdbf556db0
rules:
- apiGroups:
  - ""
  resourceNames:
  - blue-app
  - dark-blue-app
  resources:
  - pods
  verbs:
  - get
  - watch
  - create
  - delete

$ k auth can-i get po/dark-blue-app -n blue --as dev-user
yes

## Add permission to create deployments
$ k edit role developer -n blue
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2023-05-11T12:24:52Z"
  name: developer
  namespace: blue
  resourceVersion: "2142"
  uid: 42f67521-51a9-449a-8081-34bdbf556db0
rules:
- apiGroups:
  - ""
  resourceNames:
  - blue-app
  - dark-blue-app
  resources:
  - pods
  verbs:
  - get
  - watch
  - create
  - delete
- apiGroups:
  - "apps"
  resources:
  - deployments
  verbs:
  - create
```

Practice Test - Cluster Roles

```bash
$ k get clusterroles -A | tail -n +2 | wc -l
69
$ k get clusterrolebinding -A | tail -n +2 | wc -l
54

$ k get clusterrolebinding | grep admin
cluster-admin                  ClusterRole/cluster-admin              61m
kube-apiserver-kubelet-admin   ClusterRole/system:kubelet-api-admin   61m
helm-kube-system-traefik       ClusterRole/cluster-admin              61m
helm-kube-system-traefik-crd   ClusterRole/cluster-admin              61m

controlplane ~ ➜ k describe clusterrolebinding cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name            Namespace
  ----   ----            ---------
  Group  system:masters

$ k describe clusterrole cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]
```

 

Creating the ClusterRole and ClusterRoleBinding

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-role
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: node-role
subjects:
- kind: User
  name: michelle
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: node-role
  apiGroup: rbac.authorization.k8s.io
```

Adding storage-related permissions

```bash
## Look up the API group of each resource (the APIVERSION column)
$ kubectl api-resources | grep sc
horizontalpodautoscalers   hpa   autoscaling/v2                         true    HorizontalPodAutoscaler
endpointslices                   discovery.k8s.io/v1                    true    EndpointSlice
flowschemas                      flowcontrol.apiserver.k8s.io/v1beta3   false   FlowSchema
ingressclasses                   networking.k8s.io/v1                   false   IngressClass
priorityclasses            pc    scheduling.k8s.io/v1                   false   PriorityClass
storageclasses             sc    storage.k8s.io/v1                      false   StorageClass
$ kubectl api-resources | grep pv
persistentvolumeclaims     pvc   v1                                     true    PersistentVolumeClaim
persistentvolumes          pv    v1                                     false   PersistentVolume
```
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: storage-admin
rules:
- apiGroups: [""]
  resources: ["persistentvolumes"]
  verbs: ["get", "list"]
# apiGroups takes the group name only, not group/version: "storage.k8s.io/v1"
# would never match a request for storageclasses
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: michelle-storage-admin
subjects:
- kind: User
  name: michelle
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: storage-admin
  apiGroup: rbac.authorization.k8s.io
```
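The Role section above (the `developer` role in `blue`, restricted by `resourceNames`) and the ClusterRole section (`node-role`, `storage-admin`, and the built-in `cluster-admin`) both come down to how the API server matches a request against PolicyRules. The following Python script is an added example, not code from the original post or from the CKA labs: it reimplements that matching logic (`*` wildcards, the core group written as `""`, `*/subresource` entries, and the `resourceNames` restriction) so the rules can be checked offline the way `kubectl auth can-i` would answer. The `Request`, `rule_allows` and `can_i` names are this example's own; the rule lists are transcribed from the manifests on this page, and object names such as `green-app`, `pv0001` and `node01` are constructed. It also compares a rule written with a group/version string (`storage.k8s.io/v1`, a common mistake) against the correct group name `storage.k8s.io`.

```python
"""Minimal evaluator for Kubernetes RBAC PolicyRules (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """What the API server authorizes: verb, API group, resource, object name."""
    verb: str
    api_group: str      # "" is the core group (pods, nodes, persistentvolumes, ...)
    resource: str       # "pods", "deployments", or the subresource form "pods/log"
    name: str = ""      # empty for list and create: those requests carry no object name


def _matches(rule_values, value):
    # "*" in a rule entry matches anything; otherwise an exact entry is required
    return "*" in rule_values or value in rule_values


def _resource_matches(rule_resources, resource):
    if _matches(rule_resources, resource):
        return True
    # a subresource request ("pods/log") also satisfies a "*/log" rule entry
    if "/" in resource:
        return "*/" + resource.split("/", 1)[1] in rule_resources
    return False


def rule_allows(rule, req):
    """Apply one PolicyRule to a request, mirroring the API server's checks."""
    if not _matches(rule.get("verbs", []), req.verb):
        return False
    if not _matches(rule.get("apiGroups", []), req.api_group):
        return False
    if not _resource_matches(rule.get("resources", []), req.resource):
        return False
    names = rule.get("resourceNames", [])
    # An empty resourceNames list means every object. A non-empty list restricts
    # the rule to those names, so a `list` of all pods or a `create` (the object
    # has no name yet at authorization time) is denied by a name-scoped rule.
    return not names or req.name in names


def can_i(rules, req):
    """True if any rule in the Role/ClusterRole permits the request."""
    return any(rule_allows(rule, req) for rule in rules)


# Rules transcribed from the manifests discussed on this page.
DEVELOPER_BLUE_RULES = [
    {"apiGroups": [""], "resources": ["pods"],
     "resourceNames": ["blue-app", "dark-blue-app"],
     "verbs": ["get", "watch", "create", "delete"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create"]},
]
NODE_ROLE_RULES = [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]},
]
STORAGE_ADMIN_RULES = [
    {"apiGroups": [""], "resources": ["persistentvolumes"], "verbs": ["get", "list"]},
    {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["get", "list"]},
]
# Same rule but written with group/version instead of the group name (a mistake).
STORAGE_ADMIN_RULES_WITH_VERSION = [
    {"apiGroups": [""], "resources": ["persistentvolumes"], "verbs": ["get", "list"]},
    {"apiGroups": ["storage.k8s.io/v1"], "resources": ["storageclasses"], "verbs": ["get", "list"]},
]
# cluster-admin as shown by `k describe clusterrole cluster-admin` above.
CLUSTER_ADMIN_RULES = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    {"nonResourceURLs": ["*"], "verbs": ["*"]},
]


def main():
    # Constructed requests; object names are made up for the demonstration.
    checks = [
        ("dev-user get pods/dark-blue-app", DEVELOPER_BLUE_RULES, Request("get", "", "pods", "dark-blue-app")),
        ("dev-user get pods/green-app", DEVELOPER_BLUE_RULES, Request("get", "", "pods", "green-app")),
        ("dev-user list pods", DEVELOPER_BLUE_RULES, Request("list", "", "pods")),
        ("dev-user create pods", DEVELOPER_BLUE_RULES, Request("create", "", "pods")),
        ("dev-user create deployments", DEVELOPER_BLUE_RULES, Request("create", "apps", "deployments")),
        ("michelle list storageclasses (group)", STORAGE_ADMIN_RULES, Request("list", "storage.k8s.io", "storageclasses")),
        ("michelle list storageclasses (group/version)", STORAGE_ADMIN_RULES_WITH_VERSION, Request("list", "storage.k8s.io", "storageclasses")),
        ("michelle delete nodes/node01", NODE_ROLE_RULES, Request("delete", "", "nodes", "node01")),
    ]
    for label, rules, req in checks:
        print(f"{label:48s} -> {'yes' if can_i(rules, req) else 'no'}")


if __name__ == "__main__":
    main()
```

Two results are worth noticing: the name-scoped `developer` role denies `create pods` even though `create` is in its verb list, because a create request has no object name to compare against `resourceNames`; and the `storage.k8s.io/v1` spelling silently grants nothing, since `apiGroups` is matched against the group name alone. Both are cases where `kubectl apply` succeeds and only `kubectl auth can-i --as <user>` reveals the gap.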