Term

Definition

- CA
  - openssl genrsa -out ca.key 2048
  - openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr
  - openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
- servers/clients
  - openssl genrsa -out srv_or_clnt.key 2048
  - openssl req -new -key srv_or_clnt.key -subj "/CN=SRV_OR_CLNT/O=group" -out srv_or_clnt.csr
  - openssl x509 -req -in srv_or_clnt.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out srv_or_clnt.crt
- System components whose subject must begin with /CN=system:component_name
  - Kube-Scheduler
  - Kube-Controller-Manager
  - Kube-Proxy
- Details stored in kube-config.yaml

Term

Definition

- Need a config file (openssl.cnf) to specify all names
  - DNS.1 = kubernetes
  - DNS.2 = kubernetes.default
  - DNS.3 = kubernetes.default.svc
  - DNS.4 = kubernetes.default.svc.cluster.local
  - IP.1 = X.X.X.X
  - IP.2 = Y.Y.Y.Y
- openssl req -new -key apiserver.key -subj "/CN=kube-apiserver" -out apiserver.csr -config openssl.cnf

Term

Definition

- Server certs named after nodes
  - "/CN=node01"
- Client certs named after nodes and contain the group
  - "/CN=system:node:node01/O=system:nodes"

Term

Definition

- Manually (as a service)
  - /etc/systemd/system/kube-apiserver.service
  - view logs: journalctl -u srv_name.service -l
- kubeadm (as a pod)
  - /etc/kubernetes/manifests/kube-apiserver.yaml
  - view logs:
    - kubectl logs pod_name
    - docker ps -a (along with) docker logs "container ID"

Term

Definition

- openssl x509 -in blah.crt -text -noout
  - Issuer
  - Validity (Not After)
  - Subject
  - Subject Alternative Name

Term

Definition

  apiVersion: certificates.k8s.io/v1beta1
  kind: CertificateSigningRequest
  metadata:
    name:
  spec:
    groups:
    - system:authenticated
    usages:
    - digital signature
    - key encipherment
    - server auth
    request: ****base64 user csr*****

Term

Definition

- kubectl get csr
- kubectl get csr "name" -o yaml
- kubectl certificate approve jane
- kubectl certificate deny jane

Term

Definition

- done by kube-controller-manager
- crt & key locations in kube-controller-manager.yaml

Term

Definition

- $HOME/.kube/config
- kubectl config view (--kubeconfig=my-config)
- kubectl config use-context new_user@new_context
  - will change current-context in the config file
- apiVersion: v1
  kind: Config
  current-context: admin@cluster-name
  clusters:
  - name: cluster-name
    cluster:
      certificate-authority: ca.crt
      certificate-authority-data: "optional base64 crt"
      server: https://....
  contexts:
  - name: admin@cluster-name
    context:
      cluster: cluster-name
      user: admin
      namespace: (optional)
  users:
  - name: admin
    user:
      client-certificate: admin.crt
      client-key: admin.key

Term

Definition

- kubectl proxy
  - uses the credentials in the kubeconfig file
- curl http://localhost:8001 -k
  - to list APIs

Term

Definition

  apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: developer
  rules:
  - apiGroups: [""]                          # blank is "core"
    resources: ["pods"]
    verbs: ["list", "get", "create", "update", "delete"]
    resourceNames: ["pod1_name", "pod2_name"] # optional

Term

RoleBinding Yaml (bind user to role)

Definition

  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: devuser-binding
  subjects:
  - kind: User
    name: dev-user
    apiGroup: rbac.authorization.k8s.io
  roleRef:
    kind: Role
    name: developer     # from role yaml
    apiGroup: rbac.authorization.k8s.io

Term

Kubectl roles & role bindings

Definition

- kubectl get roles
- kubectl get rolebindings
- kubectl describe role|rolebinding "name"
- to check access
  - kubectl auth can-i create deployments (--as "user")

Term

View namespaced & cluster resources

Definition

- kubectl api-resources
- kubectl api-resources --namespaced=true
- kubectl api-resources --namespaced=false

Term

Definition

  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: cluster-admin-role
  rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["list", "get", "create", "delete"]

Term

Definition

  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: cluster-admin-role-binding
  subjects:
  - kind: User
    name: cluster-admin
    apiGroup: rbac.authorization.k8s.io
  roleRef:
    kind: ClusterRole
    name: cluster-admin-role     # from role yaml
    apiGroup: rbac.authorization.k8s.io

Term

kubectl clusterroles & clusterrolebindings

Definition

- kubectl get clusterroles
- kubectl get clusterrolebindings
- kubectl describe clusterrole|clusterrolebinding "name"
- to check access
  - kubectl auth can-i create deployments (--as "user")

Term

Definition

- image: docker.io/user_account/image_repo
- image: nginx  -->  docker.io/library/nginx
- image: private-registry.io/apps/internal-app

Term

Definition

- kubectl create secret docker-registry regcred
  - --docker-server=private-registry.io
  - --docker-username=u
  - --docker-password=pw
  - --docker-email=u@org.com
- spec:
    containers:
    - name: app
      image: private-registry.io/apps/internal-app
    imagePullSecrets:
    - name: regcred

Term

pod & container security yaml

Definition

- For Pods
  - spec:
      securityContext:
        runAsUser: 1000
- For Containers in a Pod
  - spec:
      containers:
      - securityContext:
          runAsUser:
          capabilities:
            add: ["MAC_ADMIN"]

Term

Definition

- Pods
    metadata:
      labels:
        role: db
- Network Policy
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: db-policy
    spec:
      podSelector:
        matchLabels:
          role: db            # entire policy applies to pods with this label
      policyTypes:
      - Ingress
      ingress:
      - from:
        - podSelector:
            matchLabels:
              name: api-pod   # allow ingress only from pods with this label
        ports:
        - protocol: TCP
          port: 3306