Security
1) View Certificate Details
2) Certificates API
3) KubeConfig
4) Role Based Access Controls
5) Cluster Roles
6) Service Accounts
7) Image Security
8) Security Contexts
9) Network Policies
01. Where is the default kubeconfig file located in the current environment?
Find the current home directory by looking at the HOME environment variable.
1) /root/.kube/config
2) /root/.kube/kubeconfig
3) /root/kubeconfig
4) /home/packer/.kube/config
Use the command ls -a and look for the kube config file under /root/.kube.
02. How many clusters are defined in the default kubeconfig file?
ask : 1
root@controlplane:~/.kube# cat config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64-encoded CA certificate omitted>
    server: https://controlplane:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: <omitted>
    client-key-data: <omitted>
03. How many Users are defined in the default kubeconfig file?
ask : 1
04. How many contexts are defined in the default kubeconfig file?
ask : 1
05. What is the user configured in the current context?
ask : kubernetes-admin
06. What is the name of the cluster configured in the default kubeconfig file?
ask : kubernetes
07. A new kubeconfig file named my-kube-config is created.
It is placed in the /root directory. How many clusters are defined in that kubeconfig file?
ask : 4
root@controlplane:~# cat my-kube-config
apiVersion: v1
kind: Config
clusters:
- name: production
  cluster:
    certificate-authority: /etc/kubernetes/pki/ca.crt
    server: https://controlplane:6443
- name: development
  cluster:
    certificate-authority: /etc/kubernetes/pki/ca.crt
    server: https://controlplane:6443
- name: kubernetes-on-aws
  cluster:
    certificate-authority: /etc/kubernetes/pki/ca.crt
    server: https://controlplane:6443
- name: test-cluster-1
  cluster:
    certificate-authority: /etc/kubernetes/pki/ca.crt
    server: https://controlplane:6443
contexts:
- name: test-user@development
  context:
    cluster: development
    user: test-user
- name: aws-user@kubernetes-on-aws
  context:
    cluster: kubernetes-on-aws
    user: aws-user
- name: test-user@production
  context:
    cluster: production
    user: test-user
- name: research
  context:
    cluster: test-cluster-1
    user: dev-user
users:
- name: test-user
  user:
    client-certificate: /etc/kubernetes/pki/users/test-user/test-user.crt
    client-key: /etc/kubernetes/pki/users/test-user/test-user.key
- name: dev-user
  user:
    client-certificate: /etc/kubernetes/pki/users/dev-user/developer-user.crt
    client-key: /etc/kubernetes/pki/users/dev-user/dev-user.key
- name: aws-user
  user:
    client-certificate: /etc/kubernetes/pki/users/aws-user/aws-user.crt
    client-key: /etc/kubernetes/pki/users/aws-user/aws-user.key
current-context: test-user@development
preferences: {}
08. How many contexts are configured in the my-kube-config file?
ask : 4
09. What user is configured in the research context?
ask : dev-user
10. What is the name of the client-certificate file configured for the aws-user?
ask : aws-user.crt
11. What is the current context set to in the my-kube-config file?
ask : test-user@development
12. I would like to use the dev-user to access test-cluster-1.
Set the current context to the right one so I can do that.
Once the right context is identified, use the kubectl config use-context command.
- Current context set
To use that context, run the command:
kubectl config --kubeconfig=/root/my-kube-config use-context research
To know the current context, run the command:
kubectl config --kubeconfig=/root/my-kube-config current-context
root@controlplane:~# kubectl config --kubeconfig=/root/my-kube-config use-context research
Switched to context "research".
root@controlplane:~# kubectl config --kubeconfig=/root/my-kube-config current-context
research
13. We don't want to have to specify the kubeconfig file option on each command.
Make the my-kube-config file the default kubeconfig.
- Default kubeconfig file configured
Replace the contents in the default kubeconfig file with the content from my-kube-config file.
cd .kube/
ls
mv config config_bak
cd ..
ls
cp my-kube-config ~/.kube/config
kubectl config view
14. With the current-context set to research, we are trying to access the cluster.
However something seems to be wrong. Identify and fix the issue.
Try running the kubectl get pods command and look for the error.
All users' certificates are stored at /etc/kubernetes/pki/users.
- Issue fixed
root@controlplane:~# k get pod
error: unable to read client-cert /etc/kubernetes/pki/users/dev-user/developer-user.crt for dev-user due to open /etc/kubernetes/pki/users/dev-user/developer-user.crt: no such file or directory
The path to the certificate is incorrect in the kubeconfig file.
Correct the certificate name to the one that is available at /etc/kubernetes/pki/users/.
cd /root/.kube
vi config
# - name: dev-user
#   user:
#     client-certificate: /etc/kubernetes/pki/users/dev-user/developer-user.crt
# developer-user.crt -> dev-user.crt
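The failure in question 14, a kubeconfig entry that names a certificate file that does not exist, can be caught before kubectl is run. The shell functions below are an added example, not part of the lab or the original post; `kubeconfig_paths` and `check_kubeconfig` are hypothetical helper names, the script assumes absolute paths without spaces as in the lab's file, and the private-key permission check goes beyond what the lab asks.

```shell
#!/bin/sh
# Added example: check the file references in a kubeconfig before using it.
# Assumes absolute paths without spaces, as in the lab's my-kube-config.

# Print "<field> <path>" for every certificate-authority, client-certificate
# and client-key entry in kubeconfig $1. Inline *-data fields are skipped.
kubeconfig_paths() {
    awk '$1 ~ /^(certificate-authority|client-certificate|client-key):$/ {
             print $1, $2 }' "$1"
}

# Print one line per problem. Status 0 means no problems, 1 means at least one.
check_kubeconfig() {
    problems=0
    while read -r field path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            # The question-14 failure: the entry names a file that is not there.
            echo "MISSING $field $path"
            problems=$((problems + 1))
        elif [ "$field" = "client-key:" ]; then
            # Extra check, not part of the lab: group/other permission bits
            # on a private key should all be unset (e.g. mode 600).
            perm=$(ls -lLd "$path" | cut -c5-10)
            if [ "$perm" != "------" ]; then
                echo "PERMS $field $path (group/other bits: $perm)"
                problems=$((problems + 1))
            fi
        fi
    done <<EOF
$(kubeconfig_paths "$1")
EOF
    [ "$problems" -eq 0 ]
}

# Run as a script: sh check-kubeconfig.sh /root/.kube/config
if [ "$#" -gt 0 ]; then
    check_kubeconfig "$1"
fi
```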
Bookmark
https://kubernetes.io/ko/docs/concepts/configuration/organize-cluster-access-kubeconfig/