Security
1) View Certificate Details
2) Certificates API
3) KubeConfig
4) Role Based Access Controls
5) Cluster Roles
6) Service Accounts
7) Image Security
8) Security Contexts
9) Network Policies
01. How many ClusterRoles exist on the cluster?
02. How many ClusterRoleBindings exist on the cluster?
Answer: 54
Run the command:
kubectl get clusterrolebindings --no-headers | wc -l
or
kubectl get clusterrolebindings --no-headers -o json | jq '.items | length'
03. What namespace is the cluster-admin clusterrole part of?
1) kube-system
2) Cluster Roles are cluster wide and not part of any namespace
3) kube-public
4) default
04. What user/groups are the cluster-admin role bound to?
The ClusterRoleBinding for the role is with the same name.
1) system:nodes
2) kube-admin
3) cluster-admin
4) system:masters
kubectl describe clusterrolebinding cluster-admin
controlplane ~ ➜ kubectl describe clusterrolebinding cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name            Namespace
  ----   ----            ---------
  Group  system:masters
05. What level of permission does the cluster-admin role grant?
Inspect the cluster-admin role's privileges.
1) Node level tasks only
2) Security related tasks only
3) Pod level tasks only
4) Perform any action on any resource in the cluster
kubectl describe clusterrole cluster-admin
controlplane ~ ✖ kubectl describe clusterrole cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]
06. A new user michelle joined the team.
She will be focusing on the nodes in the cluster.
Create the required ClusterRoles and ClusterRoleBindings so she gets access to the nodes.
- Grant permission to list nodes
Use the command kubectl create to create a clusterrole and clusterrolebinding
for user michelle to grant access to the nodes.
After that, test the access using the command
kubectl auth can-i list nodes --as michelle.
Solution manifest file to create a clusterrole and clusterrolebinding
for michelle user:
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: node-admin
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "watch", "list", "create", "delete"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: michelle-binding
subjects:
- kind: User
  name: michelle
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: node-admin
  apiGroup: rbac.authorization.k8s.io
After saving it to a file, run the command
kubectl create -f <file-name>.yaml
to create the resources from the definition file.
controlplane ~ ➜ k auth can-i list nodes --as michelle
Warning: resource 'nodes' is not namespace scoped
yes
07. michelle's responsibilities are growing and now she will be responsible for storage as well.
Create the required ClusterRoles and ClusterRoleBindings to allow her access to Storage.
Get the API groups and resource names from command kubectl api-resources.
Use the given spec:
- ClusterRole: storage-admin
- Resource: persistentvolumes
- Resource: storageclasses
- ClusterRoleBinding: michelle-storage-admin
- ClusterRoleBinding Subject: michelle
- ClusterRoleBinding Role: storage-admin
Use the command kubectl create to create a new ClusterRole and ClusterRoleBinding.
Assign it correct resources and verbs.
After that, test the access using the command
kubectl auth can-i list storageclasses --as michelle
Solution manifest file to create a clusterrole and clusterrolebinding
for michelle user:
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: storage-admin
rules:
- apiGroups: [""]
  resources: ["persistentvolumes"]
  verbs: ["get", "watch", "list", "create", "delete"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "watch", "list", "create", "delete"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: michelle-storage-admin
subjects:
- kind: User
  name: michelle
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: storage-admin
  apiGroup: rbac.authorization.k8s.io
After saving it to a file, run the command
kubectl create -f <file-name>.yaml to create the resources from the definition file.
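The access checks in questions 06 and 07 (kubectl auth can-i ... --as michelle) can be reproduced offline to see how the RBAC rule matching works. This is an added example, not part of the original notes or of kubectl: it encodes the cluster-admin, node-admin and storage-admin ClusterRoles and their bindings from this page as constructed Python dicts and applies the same matching rules the API server uses (exact value or "*" wildcard on apiGroups, resources and verbs; a binding applies when any of its subjects matches the user or one of their groups).

```python
"""Offline approximation of `kubectl auth can-i` for ClusterRoles and ClusterRoleBindings."""

# Constructed data mirroring the manifests and describe output on this page.
# cluster-admin's "*.*" row means apiGroups ["*"] and resources ["*"].
CLUSTER_ROLES = {
    "cluster-admin": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]},
    ],
    "node-admin": [
        {"apiGroups": [""], "resources": ["nodes"],
         "verbs": ["get", "watch", "list", "create", "delete"]},
    ],
    "storage-admin": [
        {"apiGroups": [""], "resources": ["persistentvolumes"],
         "verbs": ["get", "watch", "list", "create", "delete"]},
        {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
         "verbs": ["get", "watch", "list", "create", "delete"]},
    ],
}
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": "cluster-admin", "subjects": [("Group", "system:masters")]},
    {"roleRef": "node-admin", "subjects": [("User", "michelle")]},
    {"roleRef": "storage-admin", "subjects": [("User", "michelle")]},
]


def _matches(allowed, value):
    """RBAC list fields allow a value if it is listed or the list contains '*'."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource):
    """True if one PolicyRule covers this verb on this resource in this API group."""
    if "resources" not in rule:          # nonResourceURLs rule, not relevant to resources
        return False
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))


def can_i(verb, resource, user, groups=(), api_group=""):
    """Mimic `kubectl auth can-i <verb> <resource> --as <user>` for cluster-scoped rules."""
    subjects = {("User", user), *(("Group", g) for g in groups)}
    for binding in CLUSTER_ROLE_BINDINGS:
        if not subjects.intersection(binding["subjects"]):
            continue                      # binding does not name this user or their groups
        for rule in CLUSTER_ROLES.get(binding["roleRef"], []):
            if rule_allows(rule, verb, api_group, resource):
                return True
    return False                          # RBAC is deny-by-default: no matching rule
```

Note that storageclasses must be checked under the storage.k8s.io group, which is why the page tells you to look it up with kubectl api-resources; also, the node-admin role as written grants create and delete on nodes, more than the task's "list" requirement, so a least-privilege review would trim its verbs.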
Bookmark
https://kubernetes.io/docs/reference/access-authn-authz/rbac/