CKA 7: Security
For all hosts (master nodes and worker nodes)
- Root access should be disabled.
- Password based authentication should be disabled.
- Only SSH key based authentication should be enabled.
Control access to the kube-apiserver
1. who can access? Authentication
-- Username and password :
* Static password file user-details.csv
* It has 4 columns (1) password (2) user name (3) user id (4) group id is optional
* command like option --basic-auth-file to kube-api-server. If kubeadm is used then modify pod YAML for kube-apiserver
* curl command pass: -u "username:password"
* not recommended
-- Username and token : Static token file
* It has 4 columns (1) user-token (2) user name (3) user id (4) group id is optional
* command like option --token-auth-file to kube-api-server. If kubeadm is used then modify pod YAML for kube-apiserver
* curl command pass: --header "Authentication: Bearer TOKEN"
* not recommended
-- Certificates
* curl command pass: --key USER.key --cert USER.crt --cacert ca.crt
-- External authentication provider. E.g. LDAP : Identity service
-- Service accounts
2. what they can do? Authorization
-- RBAC
-- ABAC
-- Node Authorization
-- Webhook mode
TLS
If data is encrypted with public key, then decrypt with private key
If data is encrypted with private key, then decrypt with public key
ssh-keygen command generates id_rsa and id_rsa.pub key pairs
openssl genrsa -out filename.key 1024
openssl rsa -in filename.key -pubout > certificate.pem
if any certificate have .crt OR .pem extension then it has public key
Example: server.crt, server.pem, client.crt, client.pem
If a file has private key then it has extension as .key OR file name has -key
Example: server.key, server-pem.key, client.key, client-key.pem
TLS in K8s
Server: Client
1. kube-apiserver: /CN=kube-apiserver
(1) Other K8s components
(i) kube-scheduler /CN=system:kube-scheduler
(ii) Kube-controller-manager /CN=system:kube-controller-manager
(iii) kube-proxy /CN=system:kube-proxy
(2) external users kubectl /CN=admin/O=system:masters
All of the above use kubeconfig file
2. etcd server : kube-apiserver only /CN=etcd-server
3. kubelet services: Kube-apiserver user name = system:node:NODENAME group name = systems:nodes
K8s cluster may have dedicated CA for 'etcd' as server and 'kube-api server' as client.
Tools to generate certificates
easyrsa
openssl
cfssl
1. Create private key
openssl genrsa -out FILE.key 1024
2. CSR using openssl
openssl req -new -key FILE.key -subj "/CN=NAME" -out FILE.csr
openssl req -new -key FILE.key -subj "/CN=NAME/O=GROUP" -out FILE.csr
openssl req -new -key FILE.key -subj "/CN=NAME/O=GROUP" -out FILE.csr -config openssl.conf
Here openssl.conf will have multiple names that includes DNS and IP
Once the CSR file is generated, it can be view with command
openssl req -in FILE.csr -text --noout
3. Sign the request
openssl x509 -req -in FILE.csr -signkey FILE.key -out FILE.crt
Here, when FILE=CA then it is self-signed using root certificate.
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
Next for signed by CA, we need to pass both private key of CA ca.key and CA's self-signed certificate, that contains its public key.
openssl x509 -req -in FILE.csr -CA ca.crt -CAkey ca.key -out FILE.crt
View Certificates
openssl x509 -in CERT_FILE_WITH_PATH -text -noout
1. journalctl -u SERVICE_NAME -l
2. k logs POD_NAME
3. If kubctl is not working
docker ps -a
to find out container ID
then
docker logs CONTAINER_ID
Certificates API
1. Create private key
openssl genrsa -out FILE.key 1024
2. CSR using openssl
openssl req -new -key FILE.key -subj "/CN=NAME" -out FILE.csr
3. Create k8s object with YAML file. Kind = CertificateSigningRequest
4. cat FILE.CSR | base64
Use this output in "request:" field at YAML file.
5. k get csr
6. k certificate approve FILE
OR
k certificate deny FILE
7. k get csr FILE -o yaml
8. Extract content of "status->certificate"
9. echo CONTENT | base64 -decode
At master node, Controller-Manager performs all certificate related tasks. It has two controllers (1) CSR-Approving (2) CSR-Signing . The kube-controller-manager is passed with command line arguments "--cluster-signing-cert-file" it points to ca.crt and "--cluster-signing-key-file" it points to ca.key
Kubeconfig
k COMMAND --server K8S_MASTER_NODE:PORT --client-key admin.key --client-certificate admin.crt --certificate-authority ca.crt
k COMMAND --kubeconfig config
config file shall contain
--server K8S_MASTER_NODE:PORT
--client-key admin.key
--client-certificate admin.crt
--certificate-authority ca.crt
If we use curl command and invoke REST API
curl https://URL:6443/api/v1/pods --key admin.key --cert admin.cert --cacert ca.cert
If we use command
k proxy
then we can use curl command as per config file, at port 8001
- Root access should be disabled.
- Password based authentication should be disabled.
- Only SSH key based authentication should be enabled.
Control access to the kube-apiserver
1. who can access? Authentication
-- Username and password :
* Static password file user-details.csv
* It has 4 columns (1) password (2) user name (3) user id (4) group id is optional
* command like option --basic-auth-file to kube-api-server. If kubeadm is used then modify pod YAML for kube-apiserver
* curl command pass: -u "username:password"
* not recommended
-- Username and token : Static token file
* It has 4 columns (1) user-token (2) user name (3) user id (4) group id is optional
* command like option --token-auth-file to kube-api-server. If kubeadm is used then modify pod YAML for kube-apiserver
* curl command pass: --header "Authentication: Bearer TOKEN"
* not recommended
-- Certificates
* curl command pass: --key USER.key --cert USER.crt --cacert ca.crt
-- External authentication provider. E.g. LDAP : Identity service
-- Service accounts
2. what they can do? Authorization
-- RBAC
-- ABAC
-- Node Authorization
-- Webhook mode
TLS
If data is encrypted with public key, then decrypt with private key
If data is encrypted with private key, then decrypt with public key
ssh-keygen command generates id_rsa and id_rsa.pub key pairs
openssl genrsa -out filename.key 1024
openssl rsa -in filename.key -pubout > certificate.pem
if any certificate have .crt OR .pem extension then it has public key
Example: server.crt, server.pem, client.crt, client.pem
If a file has private key then it has extension as .key OR file name has -key
Example: server.key, server-pem.key, client.key, client-key.pem
TLS in K8s
Server: Client
1. kube-apiserver: /CN=kube-apiserver
(1) Other K8s components
(i) kube-scheduler /CN=system:kube-scheduler
(ii) Kube-controller-manager /CN=system:kube-controller-manager
(iii) kube-proxy /CN=system:kube-proxy
(2) external users kubectl /CN=admin/O=system:masters
All of the above use kubeconfig file
2. etcd server : kube-apiserver only /CN=etcd-server
3. kubelet services: Kube-apiserver user name = system:node:NODENAME group name = systems:nodes
K8s cluster may have dedicated CA for 'etcd' as server and 'kube-api server' as client.
Tools to generate certificates
easyrsa
openssl
cfssl
1. Create private key
openssl genrsa -out FILE.key 1024
2. CSR using openssl
openssl req -new -key FILE.key -subj "/CN=NAME" -out FILE.csr
openssl req -new -key FILE.key -subj "/CN=NAME/O=GROUP" -out FILE.csr
openssl req -new -key FILE.key -subj "/CN=NAME/O=GROUP" -out FILE.csr -config openssl.conf
Here openssl.conf will have multiple names that includes DNS and IP
Once the CSR file is generated, it can be view with command
openssl req -in FILE.csr -text --noout
3. Sign the request
openssl x509 -req -in FILE.csr -signkey FILE.key -out FILE.crt
Here, when FILE=CA then it is self-signed using root certificate.
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
Next for signed by CA, we need to pass both private key of CA ca.key and CA's self-signed certificate, that contains its public key.
openssl x509 -req -in FILE.csr -CA ca.crt -CAkey ca.key -out FILE.crt
View Certificates
openssl x509 -in CERT_FILE_WITH_PATH -text -noout
1. journalctl -u SERVICE_NAME -l
2. k logs POD_NAME
3. If kubctl is not working
docker ps -a
to find out container ID
then
docker logs CONTAINER_ID
Certificates API
1. Create private key
openssl genrsa -out FILE.key 1024
2. CSR using openssl
openssl req -new -key FILE.key -subj "/CN=NAME" -out FILE.csr
3. Create k8s object with YAML file. Kind = CertificateSigningRequest
4. cat FILE.CSR | base64
Use this output in "request:" field at YAML file.
5. k get csr
6. k certificate approve FILE
OR
k certificate deny FILE
7. k get csr FILE -o yaml
8. Extract content of "status->certificate"
9. echo CONTENT | base64 -decode
At master node, Controller-Manager performs all certificate related tasks. It has two controllers (1) CSR-Approving (2) CSR-Signing . The kube-controller-manager is passed with command line arguments "--cluster-signing-cert-file" it points to ca.crt and "--cluster-signing-key-file" it points to ca.key
Kubeconfig
k COMMAND --server K8S_MASTER_NODE:PORT --client-key admin.key --client-certificate admin.crt --certificate-authority ca.crt
k COMMAND --kubeconfig config
config file shall contain
--server K8S_MASTER_NODE:PORT
--client-key admin.key
--client-certificate admin.crt
--certificate-authority ca.crt
Default path for config file is ~/.kube
If config file is located at this path, then no need to specify --kubeconfig config
If we use curl command and invoke REST API
curl https://URL:6443/api/v1/pods --key admin.key --cert admin.cert --cacert ca.cert
If we use command
k proxy
then we can use curl command as per config file, at port 8001
config file has 3 sections
1. clusters
k config set-cluster CLUSTER_NAME
certificate-authority OR certificate-authority-data. content for certificate-authority-data is set using cat ca.crt | base64
k config set-cluster CLUSTER_NAME
certificate-authority OR certificate-authority-data. content for certificate-authority-data is set using cat ca.crt | base64
2. users
k config set-credentials USER
k config set-credentials USER
3. contexts = user@cluster + ns
k config set-context CONTEXT_NAME
4. current-context
k config use-context USER1@CLUSTER2 //it will change current-context in file.
Linke with this command
k COMMAND --server K8S_MASTER_NODE:PORT --client-key admin.key --client-certificate admin.crt --certificate-authority ca.crt
Here
--server K8S_MASTER_NODE:PORT //clusters section
--client-key admin.key //users section
--client-certificate admin.crt //users section
--certificate-authority ca.crt //clusters section
Kubectl commands
k config view // to view config file at default path ~/.kube
k config view --kubeconfig=CUSTOM_CONFIG_FILE_WITH_PATH
RBAC
k auth can-i VERB_ACTION RESOURCE_OBJECT
k auth can-i VERB_ACTION RESOURCE_OBJECT --as USER
k auth can-i VERB_ACTION RESOURCE_OBJECT --as USER --namespace NS
Image Security
If image name is xyz then it is xyz/xyz = user account/image name
Here default registry = docker.io
so xyz is docker.io/xyz/xyz
Google registry = gcr.io
K8s has default secret type with name docker-registry. it has keys
- doceker-server
- docker-username
- docker-password
- docker-email
in YAML we shall specify
imagePullSecrets:
- name: docker-registry
Also refer: http://layers7.blogspot.com/2020/04/ckad-6security.html
K8s Secret
at EncryptionConfiguration Kind we have providers
- identity : default. encryption = none
other options
- aescbc // secret is prefixed with k8s:enc:aescbc:v1:
- secretbox
- aesgcm
- kms //Key Management Service
32 byte key is generated with
head -c 32 /dev/urandom | base64
Set the --encryption-provider-config flag on the kube-apiserver to point to the location of the config file: YAML with kind = EncryptionConfiguration
to update all existing secrets
kubectl get secrets --all-namespaces -o json | kubectl replace -f -
k config set-context CONTEXT_NAME
4. current-context
k config use-context USER1@CLUSTER2 //it will change current-context in file.
Linke with this command
k COMMAND --server K8S_MASTER_NODE:PORT --client-key admin.key --client-certificate admin.crt --certificate-authority ca.crt
Here
--server K8S_MASTER_NODE:PORT //clusters section
--client-key admin.key //users section
--client-certificate admin.crt //users section
--certificate-authority ca.crt //clusters section
Kubectl commands
k config view // to view config file at default path ~/.kube
k config view --kubeconfig=CUSTOM_CONFIG_FILE_WITH_PATH
RBAC
k auth can-i VERB_ACTION RESOURCE_OBJECT
k auth can-i VERB_ACTION RESOURCE_OBJECT --as USER
k auth can-i VERB_ACTION RESOURCE_OBJECT --as USER --namespace NS
Image Security
If image name is xyz then it is xyz/xyz = user account/image name
Here default registry = docker.io
so xyz is docker.io/xyz/xyz
Google registry = gcr.io
K8s has default secret type with name docker-registry. it has keys
- doceker-server
- docker-username
- docker-password
- docker-email
in YAML we shall specify
imagePullSecrets:
- name: docker-registry
Also refer: http://layers7.blogspot.com/2020/04/ckad-6security.html
K8s Secret
at EncryptionConfiguration Kind we have providers
- identity : default. encryption = none
other options
- aescbc // secret is prefixed with k8s:enc:aescbc:v1:
- secretbox
- aesgcm
- kms //Key Management Service
32 byte key is generated with
head -c 32 /dev/urandom | base64
Set the --encryption-provider-config flag on the kube-apiserver to point to the location of the config file: YAML with kind = EncryptionConfiguration
to update all existing secrets
kubectl get secrets --all-namespaces -o json | kubectl replace -f -
0 comments:
Post a Comment