Misc/Certifications

[CKA][Practice] 6. Security (4)

백곰곰 2023. 5. 14. 17:42

Practice Test - Service Account

```bash
$ k get sa
NAME      SECRETS   AGE
default   0         25m
dev       0         65s

## check which sa the pod is using
$ k get po
NAME                             READY   STATUS    RESTARTS   AGE
web-dashboard-65b9cf6cbb-zktnp   1/1     Running   0          2m10s

$ k get po web-dashboard-65b9cf6cbb-zktnp -o yaml | grep -i account
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
  serviceAccount: default
  serviceAccountName: default
      - serviceAccountToken:

## check the mount path of the sa credential
$ k describe po web-dashboard-65b9cf6cbb-zktnp | grep -i mount -A 3
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-mjh4l (ro)
Conditions:
  Type              Status

## create the sa
$ k create sa dashboard-sa
serviceaccount/dashboard-sa created

## create a token
$ kubectl create token dashboard-sa

## change the deployment's sa
$ k get deploy
NAME            READY   UP-TO-DATE   AVAILABLE   AGE
web-dashboard   1/1     1            1           10m

## method 1
$ k edit deploy web-dashboard
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "2"
  creationTimestamp: "2023-05-13T01:02:06Z"
  generation: 2
  name: web-dashboard
  namespace: default
  resourceVersion: "1440"
  uid: 40685542-0e05-4c41-bc66-78823a990682
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      name: web-dashboard
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        name: web-dashboard
    spec:
      serviceAccountName: dashboard-sa
      containers:
      - env:
        - name: PYTHONUNBUFFERED
          value: "1"
        image: gcr.io/kodekloud/customimage/my-kubernetes-dashboard
...

## method 2
$ k set serviceaccount deploy/web-dashboard dashboard-sa
```

Practice Test - Image Security

```bash
## check the secret types
$ kubectl create secret --help
Create a secret using specified subcommand.

Available Commands:
  docker-registry   Create a secret for use with a Docker registry
  generic           Create a secret from a local file, directory, or literal value
  tls               Create a TLS secret

Usage:
  kubectl create secret [flags] [options]

Use "kubectl <command> --help" for more information about a given command.
Use "kubectl options" for a list of global command-line options (applies to all commands).

## create a docker-registry secret
$ kubectl create secret docker-registry private-reg-cred \
    --docker-username='dock_user' \
    --docker-password='dock_password' \
    --docker-server='myprivateregistry.com:5000' \
    --docker-email='dock_user@myprivateregistry.com'

## set imagePullSecrets on the deployment
$ k edit deploy web
...
    spec:
      containers:
      - image: myprivateregistry.com:5000/nginx:alpine
        imagePullPolicy: IfNotPresent
        name: nginx
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      imagePullSecrets:
      - name: private-reg-cred
...
```

Practice Test - Security Context

```bash
## set the user the container in the pod runs as
$ k edit po ubuntu-sleeper
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2023-05-14T07:55:52Z"
  name: ubuntu-sleeper
  namespace: default
  resourceVersion: "860"
  uid: 5392c148-f7a2-460c-9b82-3a0c5b929b7b
spec:
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    securityContext:
      runAsUser: 1010
    imagePullPolicy: Always
...

## recreate the pod
$ k replace -f /tmp/kubectl-edit-931779973.yaml --force
```

Checking the security contexts inside a pod

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: multi-pod
spec:
  securityContext:
    runAsUser: 1001        # pod-level default for every container
  containers:
  - image: ubuntu
    name: web
    command: ["sleep", "5000"]
    securityContext:
      runAsUser: 1002      # container-level setting overrides the pod-level one: web runs as 1002
  - image: ubuntu
    name: sidecar          # no override, so sidecar inherits 1001 from the pod
    command: ["sleep", "5000"]
```

Running the container in the pod as root and adding the 'SYS_TIME' and 'NET_ADMIN' capabilities

```bash
$ k edit po ubuntu-sleeper
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2023-05-14T08:02:51Z"
  name: ubuntu-sleeper
  namespace: default
  resourceVersion: "998"
  uid: 49cae197-cb32-4b29-824b-562a6a6d36e7
spec:
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    imagePullPolicy: Always
    name: ubuntu
    resources: {}
    securityContext:
      runAsUser: 0
      capabilities:
        add: ["SYS_TIME", "NET_ADMIN"]
...

$ k replace -f /tmp/kubectl-edit-4046308418.yaml --force
```

Practice Test - Network Policy

```bash
$ k get networkpolicy -A
NAMESPACE   NAME             POD-SELECTOR   AGE
default     payroll-policy   name=payroll   66s

## check the pod the network policy applies to
$ k get po -l name=payroll
NAME      READY   STATUS    RESTARTS   AGE
payroll   1/1     Running   0          2m30s

$ k get networkpolicy payroll-policy -o yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"networking.k8s.io/v1","kind":"NetworkPolicy","metadata":{"annotations":{},"name":"payroll-policy","namespace":"default"},"spec":{"ingress":[{"from":[{"podSelector":{"matchLabels":{"name":"internal"}}}],"ports":[{"port":8080,"protocol":"TCP"}]}],"podSelector":{"matchLabels":{"name":"payroll"}},"policyTypes":["Ingress"]}}
  creationTimestamp: "2023-05-14T08:11:47Z"
  generation: 1
  name: payroll-policy
  namespace: default
  resourceVersion: "3815"
  uid: 50ae1edd-a2a9-4bba-956d-a801bec0f2f6
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          name: internal
    ports:
    - port: 8080
      protocol: TCP
  podSelector:
    matchLabels:
      name: payroll
  policyTypes:
  - Ingress
status: {}
```

Creating a new network policy

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internal-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      name: internal
  policyTypes:
  - Egress          # only egress from the internal pods is restricted; their ingress stays open
  egress:
  - to:
    - podSelector:
        matchLabels:
          name: payroll
    ports:
    - protocol: TCP
      port: 8080
  - to:
    - podSelector:
        matchLabels:
          name: mysql
    ports:
    - protocol: TCP
      port: 3306
  # note: with only these rules, egress to the cluster DNS (port 53) is also denied,
  # so name resolution from the internal pods needs its own egress rule
```
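To make the effect of the two policies above concrete, here is an added example (not code from the original post) that evaluates the podSelector-based part of NetworkPolicy semantics against payroll-policy and internal-policy. It assumes every pod is in the default namespace, does not model namespaceSelector or ipBlock peers, and the kube-dns label is a constructed sample value.

```python
# Added example: minimal NetworkPolicy evaluator fed with the page's two policies,
# transcribed as dicts. Assumptions: single (default) namespace; namespaceSelector
# and ipBlock peers are not modelled; the kube-dns label below is constructed.

PAYROLL_POLICY = {
    "podSelector": {"name": "payroll"},
    "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"name": "internal"}], "ports": [("TCP", 8080)]}],
}
INTERNAL_POLICY = {
    "podSelector": {"name": "internal"},
    "policyTypes": ["Egress"],
    "egress": [
        {"to": [{"name": "payroll"}], "ports": [("TCP", 8080)]},
        {"to": [{"name": "mysql"}], "ports": [("TCP", 3306)]},
    ],
}
POLICIES = [PAYROLL_POLICY, INTERNAL_POLICY]


def matches(selector, labels):
    # An empty selector ({}) matches every pod, as in Kubernetes.
    return all(labels.get(k) == v for k, v in selector.items())


def direction_allowed(policies, pod, peer, proto, port, direction):
    """True if `pod` may receive from (Ingress) / send to (Egress) `peer`."""
    selecting = [p for p in policies
                 if direction in p["policyTypes"] and matches(p["podSelector"], pod)]
    if not selecting:
        return True  # no policy of this type selects the pod: everything allowed
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    for p in selecting:  # policies are additive: any matching rule allows the flow
        for rule in p.get(rules_key, []):
            peers, ports = rule.get(peer_key), rule.get("ports")
            peer_ok = peers is None or any(matches(s, peer) for s in peers)
            port_ok = ports is None or (proto, port) in ports
            if peer_ok and port_ok:
                return True
    return False  # selected by a policy but no rule matched: isolated


def connection_allowed(policies, src, dst, proto, port):
    """A flow needs both the source's egress and the destination's ingress."""
    return (direction_allowed(policies, src, dst, proto, port, "Egress")
            and direction_allowed(policies, dst, src, proto, port, "Ingress"))


INTERNAL, PAYROLL, MYSQL = {"name": "internal"}, {"name": "payroll"}, {"name": "mysql"}
KUBE_DNS = {"k8s-app": "kube-dns"}  # constructed label for the cluster DNS pod
```

`connection_allowed(POLICIES, INTERNAL, KUBE_DNS, "UDP", 53)` returns False: once an Egress policy selects the internal pods, their DNS lookups are dropped unless a rule for port 53 is added.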
