Practice Test - Service Account
$ k get sa
NAME SECRETS AGE
default 0 25m
dev 0 65s
## Check which SA the pod is using
$ k get po
NAME READY STATUS RESTARTS AGE
web-dashboard-65b9cf6cbb-zktnp 1/1 Running 0 2m10s
$ k get po web-dashboard-65b9cf6cbb-zktnp -o yaml | grep -i account
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
  serviceAccount: default
  serviceAccountName: default
      - serviceAccountToken:
## Check the SA credential mount path
$ k describe po web-dashboard-65b9cf6cbb-zktnp | grep -i mount -A 3
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-mjh4l (ro)
Conditions:
  Type              Status
## Create an SA
$ k create sa dashboard-sa
serviceaccount/dashboard-sa created
## Create a token
$ kubectl create token dashboard-sa
## Change the deployment's SA
$ k get deploy
NAME READY UP-TO-DATE AVAILABLE AGE
web-dashboard 1/1 1 1 10m
## Method 1
$ k edit deploy web-dashboard
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "2"
  creationTimestamp: "2023-05-13T01:02:06Z"
  generation: 2
  name: web-dashboard
  namespace: default
  resourceVersion: "1440"
  uid: 40685542-0e05-4c41-bc66-78823a990682
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      name: web-dashboard
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        name: web-dashboard
    spec:
      serviceAccountName: dashboard-sa
      containers:
      - env:
        - name: PYTHONUNBUFFERED
          value: "1"
        image: gcr.io/kodekloud/customimage/my-kubernetes-dashboard
...
## Method 2
$ k set serviceaccount deploy/web-dashboard dashboard-sa
Practice Test - Image Security
## Check the available secret types
$ kubectl create secret --help
Create a secret using specified subcommand.
Available Commands:
docker-registry Create a secret for use with a Docker registry
generic Create a secret from a local file, directory, or literal value
tls Create a TLS secret
Usage:
kubectl create secret [flags] [options]
Use "kubectl <command> --help" for more information about a given command.
Use "kubectl options" for a list of global command-line options (applies to all commands).
## Create a docker-registry secret
$ kubectl create secret docker-registry private-reg-cred \
    --docker-username='dock_user' \
    --docker-password='dock_password' \
    --docker-server='myprivateregistry.com:5000' \
    --docker-email='dock_user@myprivateregistry.com'
## Set imagePullSecrets on the deployment
$ k edit deploy web
...
    spec:
      containers:
      - image: myprivateregistry.com:5000/nginx:alpine
        imagePullPolicy: IfNotPresent
        name: nginx
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      imagePullSecrets:
      - name: private-reg-cred
...
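Worked example (added here, not part of the original post): what the `docker-registry` secret created above actually contains, built from the same values passed on the command line. The helper and function names are my own. The point for a reviewer is that Secret data is base64-encoded JSON holding the registry username and password in clear, so RBAC `get`/`list` on Secrets in the namespace is equivalent to holding the registry credential.

```python
# Added example: reconstruct what `kubectl create secret docker-registry` stores.
# The values are the ones used in the practice test command above.
import base64
import json


def build_dockerconfigjson(server: str, username: str, password: str, email: str) -> dict:
    """The Docker config.json that ends up under the .dockerconfigjson key.
    'auth' is simply base64("user:password"), the form registries expect."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auths": {server: {"username": username, "password": password,
                                "email": email, "auth": auth}}}


def build_secret(name: str, cfg: dict) -> dict:
    """Wrap the config in a Secret of type kubernetes.io/dockerconfigjson.
    Secret 'data' values are base64 of the raw bytes: an encoding, not encryption."""
    raw = json.dumps(cfg, separators=(",", ":")).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(raw).decode()},
    }


def decode_auth(auth: str) -> tuple:
    """Split a Docker 'auth' field back into (username, password)."""
    user, _, password = base64.b64decode(auth).decode().partition(":")
    return user, password


def registries_granted(secret: dict) -> dict:
    """Audit helper: which registry servers and usernames does this Secret hold?
    Anyone with RBAC 'get' on Secrets in the namespace can recover the same."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return {}
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    return {server: decode_auth(entry["auth"])[0] if "auth" in entry else entry.get("username")
            for server, entry in cfg.get("auths", {}).items()}


def pull_secrets_referenced(deployment: dict) -> list:
    """Names listed under spec.template.spec.imagePullSecrets, i.e. what the
    `k edit deploy web` step above adds so the kubelet can use the credential."""
    pod_spec = deployment["spec"]["template"]["spec"]
    return [s["name"] for s in pod_spec.get("imagePullSecrets", [])]


if __name__ == "__main__":
    cfg = build_dockerconfigjson("myprivateregistry.com:5000", "dock_user",
                                 "dock_password", "dock_user@myprivateregistry.com")
    secret = build_secret("private-reg-cred", cfg)
    print(json.dumps(secret, indent=2))
    print(registries_granted(secret))
```

`registries_granted` is the check worth running over a namespace's Secrets during a review: every `kubernetes.io/dockerconfigjson` Secret is a reusable registry login, and the only thing protecting it is who can read Secrets.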
Practice Test - Security Context
## Set the user the container in the pod runs as
$ k edit po ubuntu-sleeper
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2023-05-14T07:55:52Z"
  name: ubuntu-sleeper
  namespace: default
  resourceVersion: "860"
  uid: 5392c148-f7a2-460c-9b82-3a0c5b929b7b
spec:
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    securityContext:
      runAsUser: 1010
    imagePullPolicy: Always
...
## Recreate the pod
$ k replace -f /tmp/kubectl-edit-931779973.yaml --force
## Check the security contexts in the pod
apiVersion: v1
kind: Pod
metadata:
  name: multi-pod
spec:
  securityContext:
    runAsUser: 1001
  containers:
  - image: ubuntu
    name: web
    command: ["sleep", "5000"]
    securityContext:
      runAsUser: 1002
  - image: ubuntu
    name: sidecar
    command: ["sleep", "5000"]
## Run the container in the pod as root and add the 'SYS_TIME' and 'NET_ADMIN' capabilities
$ k edit po ubuntu-sleeper
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2023-05-14T08:02:51Z"
  name: ubuntu-sleeper
  namespace: default
  resourceVersion: "998"
  uid: 49cae197-cb32-4b29-824b-562a6a6d36e7
spec:
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    imagePullPolicy: Always
    name: ubuntu
    resources: {}
    securityContext:
      runAsUser: 0
      capabilities:
        add: ["SYS_TIME", "NET_ADMIN"]
...
$ k replace -f /tmp/kubectl-edit-4046308418.yaml --force
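Worked example (added, not from the original post): how the effective `runAsUser` is resolved when it is set at both pod and container level, as in `multi-pod` above, and why the `runAsUser: 0` plus `capabilities.add` edit is exactly what an admission check would flag. The three manifests from this section are transcribed as Python dicts so the block runs without PyYAML; `SENSITIVE_CAPS` and the function names are my own choices.

```python
# Added example: resolve each container's effective user and added capabilities
# the way the kubelet does, then report risky settings. The three manifests from
# the practice test are transcribed here as Python dicts (no PyYAML needed).

UBUNTU_SLEEPER = {
    "kind": "Pod", "metadata": {"name": "ubuntu-sleeper"},
    "spec": {"containers": [{
        "name": "ubuntu", "image": "ubuntu", "command": ["sleep", "4800"],
        "securityContext": {"runAsUser": 1010},
    }]},
}

MULTI_POD = {
    "kind": "Pod", "metadata": {"name": "multi-pod"},
    "spec": {
        "securityContext": {"runAsUser": 1001},
        "containers": [
            {"name": "web", "image": "ubuntu", "command": ["sleep", "5000"],
             "securityContext": {"runAsUser": 1002}},
            {"name": "sidecar", "image": "ubuntu", "command": ["sleep", "5000"]},
        ],
    },
}

UBUNTU_SLEEPER_ROOT = {
    "kind": "Pod", "metadata": {"name": "ubuntu-sleeper"},
    "spec": {"containers": [{
        "name": "ubuntu", "image": "ubuntu", "command": ["sleep", "4800"],
        "securityContext": {"runAsUser": 0,
                            "capabilities": {"add": ["SYS_TIME", "NET_ADMIN"]}},
    }]},
}

# Capabilities that let a process affect the node or other workloads, not just itself
# (my own selection for this check).
SENSITIVE_CAPS = {"SYS_ADMIN", "SYS_TIME", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}


def effective_run_as_user(pod: dict, container: dict):
    """Container-level runAsUser overrides the pod-level one; if neither is set
    the result is None, meaning the image's USER decides (root for most base images)."""
    c_ctx = container.get("securityContext") or {}
    p_ctx = pod["spec"].get("securityContext") or {}
    if "runAsUser" in c_ctx:
        return c_ctx["runAsUser"]
    return p_ctx.get("runAsUser")


def effective_users(pod: dict) -> dict:
    """Map container name -> effective UID for every container in the pod."""
    return {c["name"]: effective_run_as_user(pod, c) for c in pod["spec"]["containers"]}


def added_capabilities(container: dict) -> set:
    """capabilities exist only in the container securityContext; the pod-level
    securityContext has no capabilities field, so nothing is inherited here."""
    ctx = container.get("securityContext") or {}
    return set((ctx.get("capabilities") or {}).get("add") or [])


def findings(pod: dict) -> list:
    """One human-readable finding per risky setting, in deterministic order."""
    out = []
    for c in pod["spec"]["containers"]:
        uid = effective_run_as_user(pod, c)
        if uid is None:
            out.append(f"{c['name']}: runAsUser not set, image USER decides")
        elif uid == 0:
            out.append(f"{c['name']}: runs as root (runAsUser: 0)")
        for cap in sorted(added_capabilities(c) & SENSITIVE_CAPS):
            out.append(f"{c['name']}: adds capability {cap}")
    return out


if __name__ == "__main__":
    for pod in (UBUNTU_SLEEPER, MULTI_POD, UBUNTU_SLEEPER_ROOT):
        print(pod["metadata"]["name"], effective_users(pod), findings(pod) or "ok")
```

For `multi-pod` the result is `web` running as 1002 and `sidecar` inheriting 1001, which is the answer the practice question is after; the third manifest produces three findings, one for root and one per sensitive capability.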
Practice Test - Network Policy
$ k get networkpolicy -A
NAMESPACE NAME POD-SELECTOR AGE
default payroll-policy name=payroll 66s
## Check the pod the network policy applies to
$ k get po -l name=payroll
NAME READY STATUS RESTARTS AGE
payroll 1/1 Running 0 2m30s
$ k get networkpolicy payroll-policy -o yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"networking.k8s.io/v1","kind":"NetworkPolicy","metadata":{"annotations":{},"name":"payroll-policy","namespace":"default"},"spec":{"ingress":[{"from":[{"podSelector":{"matchLabels":{"name":"internal"}}}],"ports":[{"port":8080,"protocol":"TCP"}]}],"podSelector":{"matchLabels":{"name":"payroll"}},"policyTypes":["Ingress"]}}
  creationTimestamp: "2023-05-14T08:11:47Z"
  generation: 1
  name: payroll-policy
  namespace: default
  resourceVersion: "3815"
  uid: 50ae1edd-a2a9-4bba-956d-a801bec0f2f6
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          name: internal
    ports:
    - port: 8080
      protocol: TCP
  podSelector:
    matchLabels:
      name: payroll
  policyTypes:
  - Ingress
status: {}
## Create a new network policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internal-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      name: internal
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          name: payroll
    ports:
    - protocol: TCP
      port: 8080
  - to:
    - podSelector:
        matchLabels:
          name: mysql
    ports:
    - protocol: TCP
      port: 3306
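Worked example (added, not part of the original post): a small evaluator of the NetworkPolicy model run over the two policies above, to check which pod-to-pod connections they allow and which they silently drop. It models `podSelector` peers within one namespace only (no `namespaceSelector` or `ipBlock`), which is enough for these policies; the label sets and function names are my own.

```python
# Added example: evaluate the Kubernetes NetworkPolicy model over the two
# policies from the practice test (transcribed as Python dicts). Only podSelector
# peers within a single namespace are modelled; namespaceSelector and ipBlock
# peers are ignored, which is sufficient for the policies on this page.

PAYROLL_POLICY = {
    "metadata": {"name": "payroll-policy"},
    "spec": {
        "podSelector": {"matchLabels": {"name": "payroll"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"name": "internal"}}}],
                     "ports": [{"port": 8080, "protocol": "TCP"}]}],
    },
}

INTERNAL_POLICY = {
    "metadata": {"name": "internal-policy"},
    "spec": {
        "podSelector": {"matchLabels": {"name": "internal"}},
        "policyTypes": ["Egress"],
        "egress": [
            {"to": [{"podSelector": {"matchLabels": {"name": "payroll"}}}],
             "ports": [{"protocol": "TCP", "port": 8080}]},
            {"to": [{"podSelector": {"matchLabels": {"name": "mysql"}}}],
             "ports": [{"protocol": "TCP", "port": 3306}]},
        ],
    },
}

POLICIES = [PAYROLL_POLICY, INTERNAL_POLICY]


def selects(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every required label must match.
    An empty selector ({}) selects every pod in the namespace."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(spec: dict) -> set:
    """Explicit policyTypes wins; otherwise Ingress is implied and Egress is
    implied only when an egress section is present (the API default)."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def rule_allows(rule: dict, peer_labels: dict, port: int, proto: str, peer_key: str) -> bool:
    """A single ingress/egress rule matches when both its peer list and its
    port list match; an absent list means 'any'."""
    peers = rule.get(peer_key)
    if peers is not None and not any(
        selects(p["podSelector"], peer_labels) for p in peers if "podSelector" in p
    ):
        return False
    ports = rule.get("ports")
    if ports is not None and not any(
        p.get("port") == port and p.get("protocol", "TCP") == proto for p in ports
    ):
        return False
    return True


def allowed(policies: list, src_labels: dict, dst_labels: dict, port: int, proto: str = "TCP") -> bool:
    """src -> dst:port is allowed iff it passes the egress check on the source
    and the ingress check on the destination. A pod not selected by any policy
    for a direction is unrestricted in that direction (default allow)."""
    def direction_ok(labels, ptype, rules_key, peer_key, peer_labels):
        relevant = [p["spec"] for p in policies
                    if ptype in policy_types(p["spec"])
                    and selects(p["spec"]["podSelector"], labels)]
        if not relevant:
            return True
        # Once selected, the pod is isolated: only explicitly listed traffic passes.
        return any(rule_allows(r, peer_labels, port, proto, peer_key)
                   for spec in relevant for r in spec.get(rules_key, []))

    return (direction_ok(src_labels, "Egress", "egress", "to", dst_labels)
            and direction_ok(dst_labels, "Ingress", "ingress", "from", src_labels))


if __name__ == "__main__":
    internal, payroll, mysql = {"name": "internal"}, {"name": "payroll"}, {"name": "mysql"}
    print("internal -> payroll:8080 ", allowed(POLICIES, internal, payroll, 8080))
    print("internal -> payroll:80   ", allowed(POLICIES, internal, payroll, 80))
    print("other    -> payroll:8080 ", allowed(POLICIES, {"name": "other"}, payroll, 8080))
    print("internal -> mysql:3306   ", allowed(POLICIES, internal, mysql, 3306))
    print("internal -> kube-dns:53/U", allowed(POLICIES, internal, {"k8s-app": "kube-dns"}, 53, "UDP"))
```

Two things the evaluator makes visible that the YAML alone does not. First, once `internal-policy` selects the `internal` pod for Egress, every outbound flow not listed is dropped, including DNS to kube-dns on port 53, so in a real cluster this policy needs an extra egress rule for DNS (UDP and TCP 53) or the pod cannot resolve `payroll` and `mysql` by name. Second, `payroll-policy` lists only `Ingress`, so payroll's own outbound traffic stays unrestricted, and `mysql` has no ingress policy at all, so anything that can reach it on 3306 is allowed to.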