Revision 4 as of 2021-10-23 00:03:52
k8s/StudyNotes/k8s-certs-security
- kubectl uses $HOME/.kube/config for cert auth
- config info: Clusters: -> Contexts: (Namespace) <- Users: (a context ties one cluster to one user, plus a default namespace)
- kubectl config view
- kubectl config use-context prod-user@production
- kube-apiserver at the center
- Who can access ? Authentication methods
  Static password file (CSV line: password123,user1,u0001,group1): kube-apiserver --basic-auth-file=user-details.csv
  Auth with: curl -v -k https://master-node-ip:6443/api/v1/pods -u "user1:password123"
  Static token file: kube-apiserver --token-auth-file=user-details.csv
  Auth with: curl -v -k https://master-node-ip:6443/api/v1/pods --header "Authorization: Bearer KpjCViY"
- Cert
- SSO
- What can they do? Authorization modes: RBAC, ABAC, Node, Webhook
- All components talk to kube-apiserver TLS-authenticated.
- k8s relies on external user administration (no user objects of its own), but it does provide ServiceAccounts for integrations/bots
  View certificates: openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text
- k8s has a Certificates API
- User generates a key, then a CSR:
  $ openssl genrsa -out jane.key 2048
  $ openssl req -new -key jane.key -subj "/CN=jane" -out jane.csr
- Admin receives the csr and creates a k8s object from it, jane.csr.yaml:
  apiVersion: certificates.k8s.io/v1beta1
  kind: CertificateSigningRequest
  metadata:
    name: jane
  spec:
    groups:
    - system:authenticated
    usages:
    - digital signature
    - key encipherment
    - client auth   # a user cert is presented by a client; "server auth" would be rejected for API access
    request: <the base64 encoded jane.csr>
- Add the CSR object to k8s: $ kubectl apply -f jane.csr.yaml
  view with: kubectl get csr
- Admin approves it: kubectl certificate approve jane
- kubectl get csr jane -o yaml, then base64 -d the certificate field in the output to get the signed cert.
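The CSR procedure above, carried end to end as an added shell example (not from the original notes): build_csr_manifest turns a PEM CSR into the CertificateSigningRequest object using the certificates.k8s.io/v1 API that replaced the v1beta1 quoted in the notes (v1 requires signerName), and issue_user_cert runs the generate / apply / approve / extract steps, checks what was actually signed, and wires the user into kubeconfig. The cluster and context name "production", the file names and the 24h expirationSeconds are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes.

# Build the CertificateSigningRequest manifest for a user from a PEM CSR file.
# A user cert is presented by a TLS client, so the only usage is "client auth".
build_csr_manifest() {
  name="$1"; csr_file="$2"
  # base64 | tr -d '\n' gives one line on both GNU and BSD base64 (no -w0 needed)
  req=$(base64 < "$csr_file" | tr -d '\n')
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $name
spec:
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400
  usages:
  - client auth
  request: $req
EOF
}

# Steps that need openssl and a cluster; run as: sh this.sh jane
issue_user_cert() {
  user="$1"
  openssl genrsa -out "$user.key" 2048
  openssl req -new -key "$user.key" -subj "/CN=$user" -out "$user.csr"
  build_csr_manifest "$user" "$user.csr" | kubectl apply -f -
  kubectl certificate approve "$user"
  # status.certificate holds the signed cert base64-encoded; decode it to PEM
  kubectl get csr "$user" -o jsonpath='{.status.certificate}' | base64 -d > "$user.crt"
  # check the subject and validity the signer actually put in before handing it out
  openssl x509 -in "$user.crt" -noout -subject -dates
  # register the user and a context in $HOME/.kube/config, as in the notes
  # (cluster name "production" is an assumption)
  kubectl config set-credentials "$user" --client-key="$user.key" \
    --client-certificate="$user.crt" --embed-certs=true
  kubectl config set-context "$user@production" --cluster=production --user="$user"
}

if [ -n "${1:-}" ]; then
  issue_user_cert "$1"
fi
```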