CKAD : 6.Security
Authentication
- X.509 client cert
- static token
- bearer or bootstrap token
- static password file
- service account
- OpenID Connect tokens
Kube API server options
- --basic-auth-file
- --oidc-issuer-url
- --token-auth-file
- --authorization-webhook-config-file
Authorization
Kube API server option --authorization-mode
Values
- ABAC (additional API server option: --authorization-policy-file=file_name.json)
- RBAC
- Webhook
- AlwaysAllow
- AlwaysDeny
An authorization policy entry has user, group, namespace and verb (= operation).
Role = many rules
Rule =
+ apiGroups
+ resources
+ resourceNames
+ verbs (= operations)
RoleBinding maps (1) a role to (2) one of
2.1 Service Account, or
2.2 User Account (mapped with a context), or
2.3 Group
The service account can be associated with a pod or with a deployment using serviceAccountName.
It mounts a secret named "<service account name>-token-<random>" at the path
/var/run/secrets/kubernetes.io/serviceaccount. This path has 3 files:
1. ca.crt
2. namespace
3. token
All three files contain the secret values in plain text.
The values are stored in etcd in base64-encoded format; base64 is a reversible encoding, not encryption, so anyone who can read the Secret object can recover the token.
We can verify with the commands
base64 -d "file name"
echo "plain text" | base64
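Added example (not from the original notes): the full chain of a ServiceAccount, a Role made of rules, a RoleBinding that maps the role to the service account, and a Pod that runs as that identity via serviceAccountName. All names (namespace demo, app-reader, pod-reader, web-config, the nginx image) are assumptions chosen for illustration.

```yaml
# Least-privilege RBAC chain; names are illustrative, not from the original post.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-reader
  namespace: demo
automountServiceAccountToken: false   # default for pods using this SA: do not mount the token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: demo
rules:                                  # a Role is a list of rules
- apiGroups: [""]                       # "" is the core API group (pods, configmaps, ...)
  resources: ["pods"]
  verbs: ["get", "list", "watch"]       # read-only verbs; no create/delete/patch
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["web-config"]         # narrow further to one named object
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-reader-pod-reader
  namespace: demo
subjects:                               # (2) the subject(s): here a ServiceAccount
- kind: ServiceAccount
  name: app-reader
  namespace: demo
roleRef:                                # (1) the role being granted
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: demo
spec:
  serviceAccountName: app-reader        # the pod calls the API as this identity
  automountServiceAccountToken: true    # this pod does need /var/run/secrets/kubernetes.io/serviceaccount
  containers:
  - name: web
    image: nginx
```

After applying, the grant can be checked without a pod at all, e.g. `kubectl auth can-i list pods --as=system:serviceaccount:demo:app-reader -n demo` should answer yes, while `kubectl auth can-i delete pods --as=system:serviceaccount:demo:app-reader -n demo` should answer no. Setting automountServiceAccountToken to false on the ServiceAccount and opting in per pod keeps the token file out of pods that never talk to the API.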
securityContext
Mapped to a pod or to containers inside the pod. E.g.
- UID of the process (runAsUser)
- Linux capabilities (containers only)
- filesystem group (fsGroup)
securityContext is cluster level rules
It can be present at container level, at pod level, or at both levels.
If both are defined then the securityContext at container level overrides the securityContext at pod level.
If we have a pod level securityContext with runAsUser then the nginx container is not able to start: this container wants to create the path /var/cache/nginx/client_temp, which is possible with runAsUser 1 by default.
PodSecurityPolicies (PSP) automate enforcement of securityContext.
To enable PSP, configure the admission controller of the controller manager to include PSP.
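Added example (not from the original notes) showing the pod-level and container-level precedence described above: the pod sets runAsUser and fsGroup for every container, and one container overrides runAsUser for itself only. The pod name ctx-demo, the busybox image and the UID/GID values are assumptions.

```yaml
# Pod-level securityContext versus a container-level override; values are illustrative.
apiVersion: v1
kind: Pod
metadata:
  name: ctx-demo
spec:
  securityContext:            # pod level: applies to every container unless overridden
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000             # filesystem group applied to mounted volumes
  containers:
  - name: app
    image: busybox
    command: ["sh", "-c", "id && sleep 3600"]
    # no container-level securityContext: inherits runAsUser 1000 / runAsGroup 3000
  - name: sidecar
    image: busybox
    command: ["sh", "-c", "id && sleep 3600"]
    securityContext:          # container level: wins over the pod level for this container only
      runAsUser: 2000
      allowPrivilegeEscalation: false   # no setuid binaries can regain privileges
      readOnlyRootFilesystem: true      # the image itself cannot be modified at runtime
```

Check the effect with `kubectl exec ctx-demo -c app -- id` (uid 1000) and `kubectl exec ctx-demo -c sidecar -- id` (uid 2000): only the overridden field changes, the pod-level runAsGroup and fsGroup still apply to the sidecar. This is the same mechanism behind the nginx failure above: a pod-level runAsUser changes the UID of a container whose image assumes it can create directories as its default user.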
Network Policies
Supported by CNI plugins: Calico, Romana, Cilium, Kube-router, WeaveNet.
Without a network policy, all pods can communicate with all pods. So with a network policy, first forbid communication from all pods to all pods and then allow as per requirement
- based on namespaceSelector
- based on podSelector (matchLabels)
- to IP address + port
- from IP address + port
The policyTypes are Ingress and Egress.
For the WeaveNet CNI plugin, we shall add an annotation with the network policy name on the namespace. The flannel CNI plugin does not honor network policies.
The Calico CNI shall be installed: download the latest calico.yaml file, then install with the command
k create -f calico.yaml
While starting minikube, pass these additional flags
--extra-config=kubelet.network-plugin=cni --network-plugin=cni
We can add a whitelist as below.
ingress:
- from:
  - ipBlock:
      cidr: 192.168.0.0/16
  ports:
  - port: 80
    protocol: TCP
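Added example (not from the original notes) that combines all four whitelist forms listed above in one NetworkPolicy: a namespaceSelector peer, a podSelector peer, an ipBlock peer with an excluded range, a port restriction, and an egress rule. The namespace prod, the labels app=api, team=frontend and role=gateway, and the CIDRs are assumptions; the kubernetes.io/metadata.name namespace label is the one Kubernetes sets automatically on namespaces.

```yaml
# Allowlist policy for pods labelled app=api; names, labels and CIDRs are illustrative.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allowlist
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: api                # the policy protects these pods
  policyTypes:
  - Ingress
  - Egress                    # listing Egress here means everything not allowed below is blocked
  ingress:
  - from:                     # three peers in one list: matching ANY of them is enough (OR)
    - namespaceSelector:
        matchLabels:
          team: frontend      # any pod in a namespace labelled team=frontend
    - podSelector:
        matchLabels:
          role: gateway       # pods labelled role=gateway in THIS namespace (prod)
    - ipBlock:
        cidr: 192.168.0.0/16
        except:
        - 192.168.10.0/24     # carve a sub-range back out of the block
    ports:
    - port: 80
      protocol: TCP           # only TCP/80 from those peers; everything else is dropped
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:                    # DNS only; with Egress in policyTypes all other egress is denied
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
```

One detail worth checking in review: a namespaceSelector and a podSelector written as two separate list items (as here) are OR-ed, whereas both keys inside the same list item are AND-ed (pods with that label in namespaces with that label). Mixing the two forms up is the usual way an allowlist ends up wider than intended.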
Allow all ingress traffic
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-ingress
spec:
  podSelector: {}
  ingress:
  - {}
  policyTypes:
  - Ingress
Allow all egress traffic
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-egress
spec:
  podSelector: {}
  egress:
  - {}
  policyTypes:
  - Egress
Deny all ingress traffic
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress
Deny all egress traffic
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
spec:
  podSelector: {}
  policyTypes:
  - Egress
All policies are additive (a union), so there is no chance of conflict.
The whitelist can keep growing.
Capabilities:
We can run this command inside the container
grep Cap /proc/1/status
CapInh: 00000000a80425fb
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
The capability mask can be decoded with
capsh --decode=00000000a80425fb
Capabilities can be added under securityContext
capabilities:
  add: ["NET_ADMIN", "SYS_TIME", "MAC_ADMIN"]
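Added example (not from the original notes) of the defensive use of the same capabilities field: drop the whole default set first, then add back only the capability the workload needs. The pod name caps-demo and the image are assumptions; which single capability is the right one depends on the image, and NET_BIND_SERVICE is the usual candidate for a server that listens on a port below 1024.

```yaml
# Minimal capability set for a container; pod name and image are illustrative.
apiVersion: v1
kind: Pod
metadata:
  name: caps-demo
spec:
  containers:
  - name: web
    image: example.com/your-image:tag   # placeholder, replace with the real image
    securityContext:
      allowPrivilegeEscalation: false   # also prevents gaining caps via setuid/file caps
      capabilities:
        drop: ["ALL"]                   # empty the bounding set first ...
        add: ["NET_BIND_SERVICE"]       # ... then re-add only what listening on port 80 needs
```

Verify from inside the running container with the same `grep Cap /proc/1/status` shown above: after this change CapBnd and CapEff should decode (`capsh --decode=...`) to the single added capability rather than the 00000000a80425fb default set, and a later `add` of something broad like SYS_ADMIN or NET_ADMIN becomes an obvious diff in code review instead of an invisible default.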
References:
https://github.com/kelseyhightower/kubernetes-the-hard-way
https://kubernetes.io/docs/reference/access-authn-authz/controlling-access/
https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
https://kubernetes.io/docs/reference/access-authn-authz/abac/#examples
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
https://github.com/kubernetes/examples/blob/master/staging/podsecuritypolicy/rbac/README.md
https://github.com/ahmetb/kubernetes-network-policy-recipes
https://kubernetes.io/docs/concepts/services-networking/network-policies/