06.Security
1) View Certificate Details
2) Certificates API
3) KubeConfig
4) Role Based Access Controls
5) Cluster Roles
6) Service Accounts
7) Image Security
8) Security Contexts
9) Network Policies
01. What is the user used to execute the sleep process within the ubuntu-sleeper pod?
In the current (default) namespace.
1) root
2) user1
3) user2
4) test-user
5) my-user
controlplane ~ ✖ k exec ubuntu-sleeper -- whoami
root
# I'm not sure whether this is the right way to solve it, but...
k describe pod ubuntu-sleeper
securityContext: {}
# securityContext was empty, so I figured it was root haha
02. Edit the pod ubuntu-sleeper to run the sleep process with user ID 1010.
Note: Only make the necessary changes.
Do not modify the name or image of the pod.
- Pod Name: ubuntu-sleeper
- Image Name: ubuntu
- SecurityContext: User 1010
---
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-sleeper
  namespace: default
spec:
  securityContext:
    runAsUser: 1010
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    imagePullPolicy: Always
    name: ubuntu
To delete the existing ubuntu-sleeper pod:
$ kubectl delete po ubuntu-sleeper
After that apply solution manifest file to run as user 1010 as follows:
---
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-sleeper
  namespace: default
spec:
  securityContext:
    runAsUser: 1010
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    name: ubuntu-sleeper
Then run kubectl apply -f <file-name>.yaml to create the resource.
NOTE: To delete the pod faster, you can run kubectl delete pod ubuntu-sleeper --force. This can be done for any pod in the lab or the actual exam. It is not recommended in production (the kubelet is not waited on, so the container may keep running after the API object is gone), so keep a note of that.
03. A Pod definition file named multi-pod.yaml is given.
With what user are the processes in the web container started?
The pod is created with multiple containers and security contexts defined at the Pod and Container level.
# multi-pod.yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: multi-pod
spec:
  securityContext:
    runAsUser: 1001
  containers:
  - image: ubuntu
    name: web
    command: ["sleep", "5000"]
    securityContext:
      runAsUser: 1002
  - image: ubuntu
    name: sidecar
    command: ["sleep", "5000"]
1) 1000
2) 1002
3) 1001
4) root
04. With what user are the processes in the sidecar container started?
The pod is created with multiple containers and security contexts defined at the Pod and Container level.
1) 1001
2) 1000
3) root
4) 1002
The user ID defined in the Pod-level securityContext is inherited by every container in the Pod that does not set its own; a container-level runAsUser overrides it for that container only. So the web container runs as 1002 (its own securityContext) and the sidecar container runs as 1001 (inherited from the Pod), which the process listing below confirms.
controlplane ~ ➜ k exec -it multi-pod -c sidecar -- sh
$ ls
bin dev home lib32 libx32 mnt proc run srv tmp var
boot etc lib lib64 media opt root sbin sys usr
$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
1001 1 0.0 0.0 2508 596 ? Ss 05:27 0:00 sleep 5000
1001 85 0.0 0.0 2608 540 pts/0 Ss 05:28 0:00 sh
1001 92 0.0 0.0 5896 2932 pts/0 R+ 05:28 0:00 ps aux
05. Update pod ubuntu-sleeper to run as Root user and with the SYS_TIME capability.
Note: Only make the necessary changes. Do not modify the name of the pod.
- Pod Name: ubuntu-sleeper
- Image Name: ubuntu
- SecurityContext: Capability SYS_TIME
Add the SYS_TIME capability to the container's securityContext. Capabilities can only be set at the container level (the Pod-level securityContext has no capabilities field), so the securityContext moves under the container entry. Dropping the Pod-level runAsUser: 1010 from the previous task puts the process back to the image's default user, which is root for the ubuntu image.
To delete the existing pod:
$ kubectl delete po ubuntu-sleeper
After that apply solution manifest file to add capabilities in ubuntu-sleeper pod:
---
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-sleeper
  namespace: default
spec:
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    name: ubuntu-sleeper
    securityContext:
      capabilities:
        add: ["SYS_TIME"]
Then run kubectl apply -f <file-name>.yaml to create the pod from the definition file.
06. Now update the pod to also make use of the NET_ADMIN capability.
Note: Only make the necessary changes. Do not modify the name of the pod.
- Pod Name: ubuntu-sleeper
- Image Name: ubuntu
- SecurityContext: Capability SYS_TIME
- SecurityContext: Capability NET_ADMIN
To delete the existing pod:
$ kubectl delete po ubuntu-sleeper
After that apply solution manifest file to add capabilities in ubuntu-sleeper pod:
---
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-sleeper
  namespace: default
spec:
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    name: ubuntu-sleeper
    securityContext:
      capabilities:
        add: ["SYS_TIME", "NET_ADMIN"]
Then run kubectl apply -f <file-name>.yaml to create the pod from the definition file.
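After applying the manifests for tasks 05 and 06, a practitioner would confirm that the capabilities actually landed in the container's effective set. Inside the pod, `kubectl exec ubuntu-sleeper -- grep CapEff /proc/1/status` prints that set as a hex bitmask. The Python below is an added example, not part of the lab or of kubectl: it decodes such a mask using the capability bit numbers from the Linux kernel's include/uapi/linux/capability.h and reports which requested capabilities are missing. The two CapEff lines are constructed samples (the first is the classic Docker default capability set, the second is that set plus NET_ADMIN and SYS_TIME); the exact default on a given container runtime may differ, and the function names are this example's own.

```python
"""Decode CapEff from /proc/<pid>/status and check requested capabilities.

Inside the pod:  kubectl exec ubuntu-sleeper -- grep CapEff /proc/1/status
Feed the printed line to missing_caps() together with the names used in the
manifest's capabilities.add list (Kubernetes names omit the CAP_ prefix).
"""

# Capability bit numbers from the Linux kernel header capability.h. Only the
# ones in the common runtime default set plus the two from the lab are listed;
# any other bit set in a mask is reported by unknown_bits() instead of being
# silently ignored.
CAP_BITS = {
    "CHOWN": 0, "DAC_OVERRIDE": 1, "FOWNER": 3, "FSETID": 4, "KILL": 5,
    "SETGID": 6, "SETUID": 7, "SETPCAP": 8, "NET_BIND_SERVICE": 10,
    "NET_ADMIN": 12, "NET_RAW": 13, "SYS_CHROOT": 18, "SYS_TIME": 25,
    "MKNOD": 27, "AUDIT_WRITE": 29, "SETFCAP": 31,
}

# Constructed sample lines in /proc/<pid>/status format (not captured from
# the lab). STATUS_DEFAULT is the Docker default set; STATUS_WITH_ADD is the
# same set with NET_ADMIN (bit 12) and SYS_TIME (bit 25) added.
STATUS_DEFAULT = "CapEff:\t00000000a80425fb"
STATUS_WITH_ADD = "CapEff:\t00000000aa0435fb"


def parse_capeff(line):
    """Return the integer mask from a 'CapEff:<tab><hex>' status line."""
    key, _, value = line.partition(":")
    if key.strip() != "CapEff":
        raise ValueError("expected a CapEff line, got: %r" % line)
    return int(value.strip(), 16)


def caps_in(mask):
    """Names of the known capabilities whose bit is set in the mask."""
    return {name for name, bit in CAP_BITS.items() if mask >> bit & 1}


def unknown_bits(mask):
    """Bit positions set in the mask that CAP_BITS does not name."""
    known = set(CAP_BITS.values())
    return [b for b in range(mask.bit_length()) if mask >> b & 1 and b not in known]


def missing_caps(status_line, wanted):
    """Requested capability names that are NOT in the effective set (sorted)."""
    have = caps_in(parse_capeff(status_line))
    return sorted(set(wanted) - have)


if __name__ == "__main__":
    requested = ["SYS_TIME", "NET_ADMIN"]  # the capabilities.add list from task 06
    for line in (STATUS_DEFAULT, STATUS_WITH_ADD):
        mask = parse_capeff(line)
        print(line)
        print("  effective:", sorted(caps_in(mask)))
        print("  unknown bits:", unknown_bits(mask))
        print("  missing from request:", missing_caps(line, requested))
```

Run it against the real line from the pod to see whether the manifest change took effect; a non-empty result from missing_caps means the container is still running with the runtime's default set, which is what you get if the capabilities block was placed under spec.securityContext instead of under the container.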
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
How to define the user a given image runs as once it starts.
Example: whether a given image runs as root, or as a specific user you designate.
A security context can be set under the Pod's spec (it then applies to every container in the Pod) or under an individual entry in containers.
The container-level setting takes precedence: when a user is set under both spec and containers, the image runs as the user set under containers.
Note that capabilities can only be set at the container level; the Pod-level securityContext has no capabilities field.
# Check which user runs commands in a given pod
kubectl exec [pod name] -- whoami
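To make the precedence rule concrete for tasks 03 and 04 and for the notes just above, here is an added Python example (not part of the lab or of kubectl) that resolves the effective runAsUser for each container of a Pod manifest and flags the containers that will end up running as root. The manifests are embedded as Python dicts so it runs without PyYAML or a cluster: MULTI_POD mirrors multi-pod.yaml from the lab, and SLEEPER is a reconstruction of the original ubuntu-sleeper pod from task 01 (no securityContext anywhere). The function and variable names are this example's own.

```python
"""Resolve the user each container in a Pod will actually run as.

Precedence (kubernetes.io security-context docs): a field set in
spec.containers[].securityContext overrides the same field in
spec.securityContext; if neither sets it, the container runs as the
image's USER, which is root for the stock ubuntu image.
"""

# Manifests as Python dicts so the example runs offline without PyYAML.
# MULTI_POD mirrors the lab's multi-pod.yaml; SLEEPER is a reconstruction
# of the original ubuntu-sleeper pod from task 01 (no securityContext).
MULTI_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "multi-pod"},
    "spec": {
        "securityContext": {"runAsUser": 1001},
        "containers": [
            {"name": "web", "image": "ubuntu", "command": ["sleep", "5000"],
             "securityContext": {"runAsUser": 1002}},
            {"name": "sidecar", "image": "ubuntu", "command": ["sleep", "5000"]},
        ],
    },
}

SLEEPER = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "ubuntu-sleeper", "namespace": "default"},
    "spec": {
        "containers": [
            {"name": "ubuntu", "image": "ubuntu", "command": ["sleep", "4800"]},
        ],
    },
}


def effective(pod, container, field):
    """Container-level value wins; otherwise the Pod-level value; otherwise None."""
    ctx = container.get("securityContext") or {}
    if field in ctx:
        return ctx[field]
    return (pod["spec"].get("securityContext") or {}).get(field)


def effective_users(pod):
    """Map each container name to its effective runAsUser (None = image USER)."""
    return {c["name"]: effective(pod, c, "runAsUser")
            for c in pod["spec"]["containers"]}


def audit(pod):
    """Findings a reviewer would raise as (container, message) tuples:
    containers that end up as root, and the runAsNonRoot/runAsUser
    combination the kubelet rejects at container start."""
    findings = []
    for c in pod["spec"]["containers"]:
        uid = effective(pod, c, "runAsUser")
        non_root = effective(pod, c, "runAsNonRoot")
        if uid is None and not non_root:
            # No uid anywhere: the image's USER decides, and ubuntu has none set.
            findings.append((c["name"], "runAsUser unset: runs as the image USER (root for ubuntu)"))
        elif uid == 0 and non_root:
            # Contradictory request: the kubelet refuses to start the container.
            findings.append((c["name"], "runAsNonRoot: true with runAsUser: 0 -> CreateContainerConfigError"))
        elif uid == 0:
            findings.append((c["name"], "runAsUser: 0 runs as root explicitly"))
        # uid unset with runAsNonRoot: true is validated against the image's
        # USER when the container starts, so nothing to flag statically here.
    return findings


if __name__ == "__main__":
    for pod in (MULTI_POD, SLEEPER):
        print(pod["metadata"]["name"], effective_users(pod), audit(pod))
```

For a live cluster the same dict can be obtained with kubectl get pod <name> -o json piped into json.load, which is why the example works on the API object's structure rather than on the YAML text.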