CKA (Certified Kubernetes Administrator)/Kode Kloud

06.Security - Image Security

seulseul 2022. 1. 27. 13:52

 

06.Security

1) View Certificate Details
2) Certificates API
3) KubeConfig
4) Role Based Access Controls
5) Cluster Roles
6) Service Accounts
7) Image Security
8) Security Contexts
9) Network Policies

 

01. What is the secret type we choose for the docker registry?

 

1) tls

2) docker-registry

3) generic

4) registry

kubectl create secret --help

root@controlplane:/.kube# kubectl create secret --help
Create a secret using specified subcommand.

Available Commands:
  docker-registry Create a secret for use with a Docker registry
  generic         Create a secret from a local file, directory or literal value
  tls             Create a TLS secret

Usage:
  kubectl create secret [flags] [options]

Use "kubectl <command> --help" for more information about a given command.
Use "kubectl options" for a list of global command-line options (applies to all commands).

 

02. We have an application running on our cluster. Let us explore it first. What image is the application using?


1) nginx:alpine

2) webapp

3) nginx

4) busybox

k describe pod/web-bd975bd87-69ks9 | grep -i image

root@controlplane:/.kube# k describe pod/web-bd975bd87-69ks9 | grep -i image
    Image:          nginx:alpine
    Image ID:       docker-pullable://nginx@sha256:da9c94bec1da829ebd52431a84502ec471c8e548ffb2cedbf36260fd9bd1d4d3
  Normal  Pulled     11m   kubelet            Container image "nginx:alpine" already present on machine

 

03. We decided to use a modified version of the application from an internal private registry.

Update the image of the deployment to use a new image from myprivateregistry.com:5000


The registry is located at myprivateregistry.com:5000.

Don't worry about the credentials for now.

We will configure them in the upcoming steps.

 

 
  • Use Image from private registry
Use the kubectl edit deployment command to change the image name to myprivateregistry.com:5000/nginx:alpine.

 

04. Are the new PODs created with the new images successfully running?

Answer: NO

root@controlplane:/.kube# k get pod
NAME                   READY   STATUS             RESTARTS   AGE
web-85fcf65896-qgc8c   0/1     ImagePullBackOff   0          25s
web-bd975bd87-69ks9    1/1     Running            0          19m
web-bd975bd87-9nrll    1/1     Running            0          19m

 

05. Create a secret object with the credentials required to access the registry.

Name: private-reg-cred
Username: dock_user
Password: dock_password
Server: myprivateregistry.com:5000
Email: dock_user@myprivateregistry.com


  • Secret: private-reg-cred
  • Secret Type: docker-registry
  • Secret Data
kubectl create secret docker-registry private-reg-cred \
--docker-server=myprivateregistry.com:5000 \
--docker-username=dock_user \
--docker-password=dock_password \
--docker-email=dock_user@myprivateregistry.com


root@controlplane:/.kube# kubectl create secret docker-registry private-reg-cred \
> --docker-server=myprivateregistry.com:5000 \
> --docker-username=dock_user \
> --docker-password=dock_password \
> --docker-email=dock_user@myprivateregistry.com
secret/private-reg-cred created

root@controlplane:/.kube# k get secret
NAME                  TYPE                                  DATA   AGE
default-token-rkcjr   kubernetes.io/service-account-token   3      33m
private-reg-cred      kubernetes.io/dockerconfigjson        1      19s

 

06. Configure the deployment to use credentials from the new secret to pull images from the private registry



  • Image Pull Secret: private-reg-cred
Edit the deployment with
kubectl edit deploy web
and add an imagePullSecrets section under the pod template spec that references private-reg-cred.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  selector:
    matchLabels:
      app: web        # label assumed here; it must match the pod template labels
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web
        image: <your-private-image>
      # imagePullSecrets belongs in the pod spec (spec.template.spec), next to containers,
      # not directly under the Deployment spec.
      imagePullSecrets:
      - name: private-reg-cred
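As an added example (not from the original post or the course), the Python below builds the same Secret object that the kubectl create secret docker-registry command above creates, reads back what it actually stores, and checks that a Deployment references the secret in the pod template rather than directly under spec. The two Deployment objects at the bottom are constructed for that check.

```python
import base64
import json

SECRET_TYPE = "kubernetes.io/dockerconfigjson"

def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

def docker_config(server, username, password, email):
    # Structure held in the .dockerconfigjson key; "auth" is base64("user:password"),
    # so the registry password is encoded, not encrypted.
    return {"auths": {server: {"username": username, "password": password,
                               "email": email, "auth": b64(f"{username}:{password}")}}}

def registry_secret(name, server, username, password, email):
    # Equivalent of the object `kubectl create secret docker-registry` submits (JSON is accepted by `kubectl apply -f -`).
    cfg = json.dumps(docker_config(server, username, password, email))
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": SECRET_TYPE, "data": {".dockerconfigjson": b64(cfg)}}

def registry_servers(secret):
    # What anyone permitted to `get secret` can read back (server -> username);
    # this is why `get`/`list` on secrets should be tightly scoped in RBAC.
    if secret.get("type") != SECRET_TYPE:
        raise ValueError("not a docker-registry secret")
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    return {srv: entry["username"] for srv, entry in cfg["auths"].items()}

def pull_secret_attached(deployment, secret_name):
    # imagePullSecrets only takes effect inside the pod template (spec.template.spec);
    # a copy placed directly under the Deployment spec does nothing for the kubelet.
    pod_spec = deployment.get("spec", {}).get("template", {}).get("spec", {})
    return any(s.get("name") == secret_name for s in pod_spec.get("imagePullSecrets", []))

# Constructed deployments: the misplaced form from the exercise and the corrected one.
MISPLACED = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
             "spec": {"imagePullSecrets": [{"name": "private-reg-cred"}],
                      "template": {"spec": {"containers": [{"name": "web",
                                   "image": "myprivateregistry.com:5000/nginx:alpine"}]}}}}
CORRECT = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
           "spec": {"template": {"spec": {"containers": [{"name": "web",
                    "image": "myprivateregistry.com:5000/nginx:alpine"}],
                    "imagePullSecrets": [{"name": "private-reg-cred"}]}}}}

if __name__ == "__main__":
    sec = registry_secret("private-reg-cred", "myprivateregistry.com:5000", "dock_user",
                          "dock_password", "dock_user@myprivateregistry.com")
    print(json.dumps(sec, indent=2))  # pipe this to: kubectl apply -f -
    print(registry_servers(sec), pull_secret_attached(CORRECT, "private-reg-cred"))
```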

 

07. Check the status of PODs. Wait for them to be running.

You have now successfully configured a Deployment to pull images from the private registry.


 

Answer: OK

 


Bookmark

 

https://kubernetes.io/ko/docs/tasks/configure-pod-container/pull-image-private-registry/

 

Pull an Image from a Private Registry
