CKA 7: Security


For all hosts (master nodes and worker nodes):
- Root login should be disabled.
- Password-based authentication should be disabled.
- Only SSH key-based authentication should be enabled.

Control access to the kube-apiserver
1. Who can access? Authentication

-- Username and password:

* Static password file, e.g. user-details.csv
* It has 4 columns: (1) password, (2) user name, (3) user ID, (4) group (optional)
* Command-line option --basic-auth-file of kube-apiserver. If kubeadm is used, modify the static pod YAML for kube-apiserver.
* With curl, pass: -u "username:password"
* Not recommended

-- Username and token: static token file
* It has 4 columns: (1) user token, (2) user name, (3) user ID, (4) group (optional)
* Command-line option --token-auth-file of kube-apiserver. If kubeadm is used, modify the static pod YAML for kube-apiserver.
* With curl, pass: --header "Authorization: Bearer TOKEN"
* Not recommended

-- Certificates
* With curl, pass: --key USER.key --cert USER.crt --cacert ca.crt

-- External authentication provider, e.g. LDAP (identity service)
-- Service accounts

2. What can they do? Authorization
-- RBAC
-- ABAC
-- Node authorization
-- Webhook mode

TLS

If data is encrypted with the public key, it is decrypted with the private key.
If data is encrypted with the private key, it is decrypted with the public key.

The ssh-keygen command generates the key pair id_rsa (private) and id_rsa.pub (public).
openssl genrsa -out filename.key 1024
openssl rsa -in filename.key -pubout > certificate.pem
(the second command extracts the public key from the private key file)

If a file has the .crt or .pem extension, it is a certificate and contains a public key.
Example: server.crt, server.pem, client.crt, client.pem
If a file holds a private key, it has the .key extension or "-key" in its name.
Example: server.key, server-pem.key, client.key, client-key.pem

TLS in K8s

Server : Clients

1. kube-apiserver (/CN=kube-apiserver)
(1) Other K8s components
(i) kube-scheduler (/CN=system:kube-scheduler)
(ii) kube-controller-manager (/CN=system:kube-controller-manager)
(iii) kube-proxy (/CN=system:kube-proxy)
(2) External users: kubectl (/CN=admin/O=system:masters)

All of the above use a kubeconfig file.

2. etcd server : kube-apiserver only (/CN=etcd-server)
3. kubelet service : kube-apiserver. The kubelet's certificate uses user name = system:node:NODENAME and group name = system:nodes

A K8s cluster may have a dedicated CA for etcd, with etcd as the server and kube-apiserver as the client.

Tools to generate certificates

easyrsa
openssl
cfssl

1. Create a private key
openssl genrsa -out FILE.key 1024
2. Create a CSR using openssl
openssl req -new -key FILE.key -subj "/CN=NAME" -out FILE.csr
openssl req -new -key FILE.key -subj "/CN=NAME/O=GROUP" -out FILE.csr
openssl req -new -key FILE.key -subj "/CN=NAME/O=GROUP" -out FILE.csr -config openssl.conf
Here openssl.conf carries the alternate names (DNS names and IPs) to be included in the CSR.

Once the CSR file is generated, it can be viewed with

openssl req -in FILE.csr -text -noout

3. Sign the request
openssl x509 -req -in FILE.csr -signkey FILE.key -out FILE.crt

When FILE is the CA itself (FILE=ca), the certificate is self-signed: the CA's own key signs its own request, and the result is the root certificate.

openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt

To have a certificate signed by the CA instead, pass both the CA's private key ca.key and the CA's self-signed certificate ca.crt, which contains its public key (-CAcreateserial creates the CA's serial-number file on first use):
openssl x509 -req -in FILE.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out FILE.crt
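The three steps carried through end to end, as an added example that is not part of the original post: a self-signed CA, an openssl.conf with extra DNS/IP names, a server certificate signed by the CA, and the checks to run before installing the files. It assumes openssl is installed and uses 2048-bit keys; the CN values, DNS names and IP addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): CA -> CSR with SANs -> CA-signed
# certificate -> verification. Assumes openssl; names and IPs are constructed.
set -e
WORK=$(mktemp -d)

# openssl.conf: the CA profile (v3_ca) and the server profile (v3_req) with the
# alternate DNS/IP names the kube-apiserver is reached by.
cat > "$WORK/openssl.conf" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions = v3_req
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_req ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default.svc.cluster.local
IP.1 = 10.96.0.1
IP.2 = 192.168.56.10
EOF

cd "$WORK"
# Self-signed CA (FILE=ca): its own key signs its CSR; CA:TRUE is set explicitly.
make_ca() {
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -key ca.key -config openssl.conf -subj "/CN=KUBERNETES-CA" -out ca.csr
  openssl x509 -req -in ca.csr -signkey ca.key -days 365 \
    -extfile openssl.conf -extensions v3_ca -out ca.crt 2>/dev/null
}
# Server cert signed by the CA: needs ca.key AND ca.crt; -CAcreateserial starts ca.srl.
make_server_cert() {
  openssl genrsa -out apiserver.key 2048 2>/dev/null
  openssl req -new -key apiserver.key -config openssl.conf \
    -subj "/CN=kube-apiserver" -out apiserver.csr
  openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile openssl.conf -extensions v3_req -out apiserver.crt 2>/dev/null
}
# Checks to run before installing the files: chain validates, SANs are present.
cert_chains_to_ca() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/apiserver.crt" >/dev/null 2>&1; }
cert_has_san() { openssl x509 -in "$WORK/apiserver.crt" -noout -text | grep -q "$1"; }

make_ca
make_server_cert
cert_chains_to_ca && cert_has_san "DNS:kubernetes" && echo "apiserver.crt verified"
```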

View certificates

openssl x509 -in CERT_FILE_WITH_PATH -text -noout

Check logs

1. journalctl -u SERVICE_NAME -l
2. k logs POD_NAME
3. If kubectl is not working:
docker ps -a
to find out the container ID, then
docker logs CONTAINER_ID

Certificates API

1. Create a private key
openssl genrsa -out FILE.key 1024
2. Create a CSR using openssl
openssl req -new -key FILE.key -subj "/CN=NAME" -out FILE.csr
3. Create a K8s object from a YAML file with kind = CertificateSigningRequest
4. cat FILE.csr | base64 | tr -d '\n'
Use this single-line output in the "request:" field of the YAML file.
5. k get csr
6. k certificate approve CSR_NAME
OR
k certificate deny CSR_NAME
(CSR_NAME is the metadata.name of the object)
7. k get csr CSR_NAME -o yaml
8. Extract the content of status -> certificate
9. echo CONTENT | base64 --decode

At the master node, the controller-manager performs all certificate-related tasks. It has two controllers: (1) CSR-approving and (2) CSR-signing. The kube-controller-manager is passed the command-line arguments --cluster-signing-cert-file, pointing to ca.crt, and --cluster-signing-key-file, pointing to ca.key.
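Steps 3-4 and 8-9 of the Certificates API flow, as an added example that is not part of the original post: it builds the CertificateSigningRequest object from a CSR file and decodes status.certificate out of the object text, without needing kubectl. The CSR file and the "approved" object are constructed stand-ins; the user name jane and the 24-hour expirationSeconds (supported from Kubernetes 1.22) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): CSR object in, certificate out.
# The CSR and the approved object below are constructed stand-ins.
set -e
WORK=$(mktemp -d)

# Constructed stand-in for FILE.csr (real ones come from `openssl req -new`).
cat > "$WORK/jane.csr" <<'EOF'
-----BEGIN CERTIFICATE REQUEST-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgQ1NSIGJvZHk=
-----END CERTIFICATE REQUEST-----
EOF

# base64 on one line: GNU base64 wraps at 76 columns, which would break the YAML.
b64() { base64 < "$1" | tr -d '\n'; }

# Steps 3-4. signerName selects the built-in signer for client certificates;
# for that signer the usages must include "client auth".
make_csr_object() {   # $1 = object name (used with k certificate approve), $2 = CSR file
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  request: $(b64 "$2")
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400
  usages:
  - client auth
EOF
}

# Steps 8-9: take status.certificate from the `k get csr NAME -o yaml` text and decode it.
extract_certificate() {   # $1 = file holding the object YAML
  sed -n 's/^  certificate: //p' "$1" | base64 -d
}

make_csr_object jane "$WORK/jane.csr" > "$WORK/jane-csr.yaml"   # then: k create -f jane-csr.yaml

# Constructed imitation of the status section of the approved object.
cat > "$WORK/jane-approved.yaml" <<EOF
status:
  certificate: $(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' '-----END CERTIFICATE-----' | base64 | tr -d '\n')
  conditions:
  - type: Approved
EOF

extract_certificate "$WORK/jane-approved.yaml"
```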

Kubeconfig

k COMMAND --server K8S_MASTER_NODE:PORT --client-key admin.key --client-certificate admin.crt --certificate-authority ca.crt

k COMMAND --kubeconfig config
The config file then carries the same values as the flags:
--server K8S_MASTER_NODE:PORT
--client-key admin.key
--client-certificate admin.crt
--certificate-authority ca.crt
The default path of the config file is ~/.kube/config.
If the config file is located at this path, there is no need to specify --kubeconfig config.

If we use curl to invoke the REST API directly:
curl https://URL:6443/api/v1/pods --key admin.key --cert admin.crt --cacert ca.crt

If we run
k proxy

then curl can be used at port 8001, with the credentials taken from the config file.

The config file has 3 sections plus the current context:

1. clusters
k config set-cluster CLUSTER_NAME
Uses certificate-authority OR certificate-authority-data; the content of certificate-authority-data is set using cat ca.crt | base64
2. users
k config set-credentials USER
3. contexts = user@cluster + namespace
k config set-context CONTEXT_NAME
4. current-context
k config use-context USER1@CLUSTER2 // changes current-context in the file

Mapping to the flags of this command:
k COMMAND --server K8S_MASTER_NODE:PORT --client-key admin.key --client-certificate admin.crt --certificate-authority ca.crt

Here
--server K8S_MASTER_NODE:PORT // clusters section
--client-key admin.key // users section
--client-certificate admin.crt // users section
--certificate-authority ca.crt // clusters section

Kubectl commands
k config view // view the config file at the default path ~/.kube/config
k config view --kubeconfig=CUSTOM_CONFIG_FILE_WITH_PATH
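The same four flags assembled into a kubeconfig file, as an added example that is not part of the original post: the clusters and users sections carry the server and the PEM material as base64 *-data fields (the certificate-authority-data form mentioned above), and the context ties user and cluster together. The server address, cluster/user names and PEM contents are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): build a kubeconfig with embedded
# *-data fields and read one back. Names, address and PEM files are constructed.
set -e
WORK=$(mktemp -d)
for f in ca.crt admin.crt admin.key; do
  printf -- '-----BEGIN PLACEHOLDER %s-----\n' "$f" > "$WORK/$f"   # constructed stand-ins
done

b64() { base64 < "$1" | tr -d '\n'; }   # one line, as the *-data fields require

# $1 cluster name, $2 https://MASTER:PORT, $3 ca.crt, $4 user, $5 admin.crt, $6 admin.key
build_kubeconfig() {
  cat <<EOF
apiVersion: v1
kind: Config
clusters:                      # --server and --certificate-authority live here
- name: $1
  cluster:
    server: $2
    certificate-authority-data: $(b64 "$3")
users:                         # --client-certificate and --client-key live here
- name: $4
  user:
    client-certificate-data: $(b64 "$5")
    client-key-data: $(b64 "$6")
contexts:                      # context = user@cluster (+ optional namespace)
- name: $4@$1
  context:
    cluster: $1
    user: $4
    namespace: default
current-context: $4@$1
EOF
}

# Read back one *-data field and decode it, to confirm the embedding is intact.
decoded_field() {   # $1 = kubeconfig file, $2 = field name
  sed -n "s/^ *$2: //p" "$1" | base64 -d
}

build_kubeconfig kubernetes https://192.168.56.10:6443 "$WORK/ca.crt" \
  admin "$WORK/admin.crt" "$WORK/admin.key" > "$WORK/config"
# Use with `k COMMAND --kubeconfig $WORK/config`, or copy it to ~/.kube/config.
decoded_field "$WORK/config" certificate-authority-data
```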


RBAC

k auth can-i VERB_ACTION RESOURCE_OBJECT
k auth can-i VERB_ACTION RESOURCE_OBJECT --as USER
k auth can-i VERB_ACTION RESOURCE_OBJECT --as USER --namespace NS

Image Security

If the image name is xyz, it is interpreted as xyz/xyz = user account/image name.
Here the default registry = docker.io,
so xyz is docker.io/xyz/xyz

Google registry = gcr.io

K8s has a built-in secret type for registry credentials, created with k create secret docker-registry SECRET_NAME. It takes the keys
- docker-server
- docker-username
- docker-password
- docker-email

In the pod YAML we then specify the secret's name:
imagePullSecrets:
- name: docker-registry

Also refer: http://layers7.blogspot.com/2020/04/ckad-6security.html

K8s Secret 

In the EncryptionConfiguration kind we have providers
- identity : default, encryption = none
other options
- aescbc // in etcd the secret is then prefixed with k8s:enc:aescbc:v1:
- secretbox
- aesgcm
- kms // Key Management Service

A 32-byte key is generated with
head -c 32 /dev/urandom | base64
Set the --encryption-provider-config flag on the kube-apiserver to point to the location of the config file: a YAML with kind = EncryptionConfiguration

To re-encrypt all existing secrets with the new configuration:

kubectl get secrets --all-namespaces -o json | kubectl replace -f -
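The key generation and the EncryptionConfiguration file written out, as an added example that is not part of the original post. It shows the provider ordering that matters in practice: the first provider is the one new writes are encrypted with, every listed provider can decrypt, so identity goes last (until the replace command above has rewritten the old secrets) and never first. The file path and key name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate the 32-byte key, check it,
# and write an EncryptionConfiguration for Secrets. Path and key name are assumed.
set -e
WORK=$(mktemp -d)
CONF="$WORK/encryption-config.yaml"

# Page command: 32 random bytes, base64-encoded, kept on one line.
gen_key() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

# Check a key before trusting it: it must decode to exactly 32 bytes, since
# aescbc is AES-256-CBC here and the apiserver rejects other key lengths.
key_len_bytes() { printf '%s' "$1" | base64 -d | wc -c | tr -d ' '; }

write_encryption_config() {   # $1 = base64 key
  cat > "$CONF" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider encrypts new writes; all listed providers can read.
      - aescbc:
          keys:
            - name: key1
              secret: $1
      # identity last: secrets still stored in plaintext remain readable until
      # `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`
      # has rewritten them. identity FIRST would mean no encryption at all.
      - identity: {}
EOF
}

# Which provider will the apiserver encrypt with? The first one listed.
write_provider() {
  grep -E '^ +- (aescbc|secretbox|aesgcm|kms|identity):' "$CONF" | head -n 1 | sed 's/.*- //; s/:.*//'
}

KEY=$(gen_key)
write_encryption_config "$KEY"
echo "key bytes: $(key_len_bytes "$KEY"), encrypting with: $(write_provider)"
echo "start kube-apiserver with --encryption-provider-config=$CONF"
```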
