06.Security
1) View Certificate Details
2) Certificates API
3) KubeConfig
4) Role Based Access Controls
5) Cluster Roles
6) Service Accounts
7) Image Security
8) Security Contexts
9) Network Policies
01. How many network policies do you see in the environment?
We have deployed a few web applications, services and network policies.
Inspect the environment.
Answer: 1
root@controlplane:~# k get networkpolicies
NAME             POD-SELECTOR   AGE
payroll-policy   name=payroll   3m33s
02. What is the name of the Network Policy?
Answer: payroll-policy
03. Which pod is the Network Policy applied on?
Answer: payroll
root@controlplane:~# k get networkpolicies
NAME             POD-SELECTOR   AGE
payroll-policy   name=payroll   3m33s
root@controlplane:~# k describe networkpolicies
Name:         payroll-policy
Namespace:    default
Created on:   2022-01-27 05:42:50 +0000 UTC
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     name=payroll
  Allowing ingress traffic:
    To Port: 8080/TCP
    From:
      PodSelector: name=internal
  Not affecting egress traffic
  Policy Types: Ingress
# find the pod whose label is name=payroll
root@controlplane:~# k get pod -l name=payroll
NAME      READY   STATUS    RESTARTS   AGE
payroll   1/1     Running   0          7m41s
04. What type of traffic is this Network Policy configured to handle?
1) Both Ingress and Egress
2) Egress
3) None
4) Ingress
05. What is the impact of the rule configured on this Network Policy?
1) Traffic From Internal to Payroll POD is allowed
2) Traffic To and From Internal POD is Blocked
3) Traffic To and From Payroll POD is Blocked
4) Traffic From Internal to Payroll POD is blocked
06. What is the impact of the rule configured on this Network Policy?
1) External POD can ping Payroll POD
2) Internal POD can ping Payroll POD
3) External POD can access port 8080 on Payroll POD
4) Internal POD can access port 8080 on Payroll POD
07. Access the UI of these applications using the link given above the terminal.
Ok
08. Perform a connectivity test using the User Interface
in these Applications to access the payroll-service at port 8080.
1) Only Internal application can access payroll service
2) Both internal and external applications can access payroll service
09. Perform a connectivity test using the User Interface of the Internal Application
to access the external-service at port 8080.
Answer: Successful
10. Create a network policy to allow traffic from the Internal application only to the payroll-service and db-service.
Use the spec given below. You might want to enable ingress traffic to the pod so that you can test your rules in the UI.
- Policy Name: internal-policy
- Policy Type: Egress
- Egress Allow: payroll
- Payroll Port: 8080
- Egress Allow: mysql
- MySQL Port: 3306
The solution manifest for the network policy internal-policy is as follows:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internal-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      name: internal
  policyTypes:
  - Egress
  - Ingress
  ingress:
  - {}
  egress:
  - to:
    - podSelector:
        matchLabels:
          name: mysql
    ports:
    - protocol: TCP
      port: 3306
  - to:
    - podSelector:
        matchLabels:
          name: payroll
    ports:
    - protocol: TCP
      port: 8080
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
Note: We have also allowed egress traffic to TCP and UDP port 53.
This has been added to ensure that internal DNS resolution still works
from the internal pod once it is isolated for egress.
Remember: The kube-dns service is exposed on port 53:
root@controlplane:~# kubectl get svc -n kube-system
NAME       TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)                  AGE
kube-dns   ClusterIP   10.96.0.10   <none>        53/UDP,53/TCP,9153/TCP   93m
root@controlplane:~#
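To see why the two policies above produce the connectivity results from questions 05 through 10, here is an added example (not part of the lab or of Kubernetes itself) that models NetworkPolicy evaluation the way a CNI plugin applies it: a pod selected by any policy for a direction becomes isolated in that direction, and a connection is allowed only if the source's egress and the destination's ingress are each permitted by at least one rule of a selecting policy. The pod inventory and the dict form of payroll-policy and internal-policy are constructed here to mirror the manifests on this page; namespaces and ipBlock peers are deliberately left out of the model.

```python
"""Toy evaluator for Kubernetes NetworkPolicy semantics (added example).

Policies are plain dicts mirroring the manifests from this lab. The
evaluator answers "is this connection allowed?" under the real rules:
  - a pod selected by a policy with a given policyType is isolated for
    that direction and only rule-matched traffic gets through;
  - a pod selected by no policy for a direction allows everything;
  - rules within and across policies are OR-ed together;
  - an empty rule ({}) matches all traffic in its direction.
Namespaces and ipBlock peers are not modelled (simplification).
"""

# Constructed sample inventory: pod name -> labels (not from the lab).
PODS = {
    "internal": {"name": "internal"},
    "payroll": {"name": "payroll"},
    "external": {"name": "external"},
    "mysql": {"name": "mysql"},
    "coredns": {"name": "coredns", "k8s-app": "kube-dns"},
}

# payroll-policy as shown by `kubectl describe networkpolicies` above.
PAYROLL_POLICY = {
    "podSelector": {"name": "payroll"},
    "policyTypes": ["Ingress"],
    "ingress": [
        {"from": [{"podSelector": {"name": "internal"}}],
         "ports": [{"protocol": "TCP", "port": 8080}]},
    ],
}

# internal-policy from the solution manifest above.
INTERNAL_POLICY = {
    "podSelector": {"name": "internal"},
    "policyTypes": ["Egress", "Ingress"],
    "ingress": [{}],  # empty rule: allow all ingress (for UI testing)
    "egress": [
        {"to": [{"podSelector": {"name": "mysql"}}],
         "ports": [{"protocol": "TCP", "port": 3306}]},
        {"to": [{"podSelector": {"name": "payroll"}}],
         "ports": [{"protocol": "TCP", "port": 8080}]},
        # no "to": port 53 to any destination, so DNS keeps working
        {"ports": [{"port": 53, "protocol": "UDP"},
                   {"port": 53, "protocol": "TCP"}]},
    ],
}

POLICIES = [PAYROLL_POLICY, INTERNAL_POLICY]


def selects(selector, labels):
    """matchLabels semantics: every selector key/value must be on the pod."""
    return all(labels.get(k) == v for k, v in selector.items())


def rule_matches(rule, peer_key, peer_labels, port, proto):
    """Absent 'from'/'to' means any peer; absent 'ports' means any port."""
    peers = rule.get(peer_key)
    if peers is not None and not any(
            selects(p["podSelector"], peer_labels) for p in peers):
        return False
    ports = rule.get("ports")
    if ports is not None and not any(
            p["port"] == port and p.get("protocol", "TCP") == proto
            for p in ports):
        return False
    return True


def direction_allowed(pod_labels, direction, peer_labels, port, proto):
    """direction is 'Ingress' or 'Egress' from the viewpoint of pod_labels."""
    peer_key = "from" if direction == "Ingress" else "to"
    applicable = [p for p in POLICIES
                  if direction in p["policyTypes"]
                  and selects(p["podSelector"], pod_labels)]
    if not applicable:
        return True  # not isolated in this direction: default allow
    return any(rule_matches(r, peer_key, peer_labels, port, proto)
               for p in applicable for r in p.get(direction.lower(), []))


def connection_allowed(src, dst, port, proto="TCP"):
    """Both the source's egress and the destination's ingress must permit it."""
    src_labels, dst_labels = PODS[src], PODS[dst]
    return (direction_allowed(src_labels, "Egress", dst_labels, port, proto)
            and direction_allowed(dst_labels, "Ingress", src_labels, port, proto))


if __name__ == "__main__":
    for src, dst, port, proto in [("internal", "payroll", 8080, "TCP"),
                                  ("external", "payroll", 8080, "TCP"),
                                  ("internal", "external", 8080, "TCP"),
                                  ("internal", "coredns", 53, "UDP")]:
        print(f"{src} -> {dst}:{port}/{proto}: "
              f"{'allowed' if connection_allowed(src, dst, port, proto) else 'blocked'}")
```

With both policies loaded, internal can reach payroll on 8080 and mysql on 3306, external cannot reach payroll on 8080 (question 06), and internal can no longer reach external-service on 8080 (which was still "Successful" in question 09 before internal-policy existed). Dropping the port 53 rule from INTERNAL_POLICY makes the coredns check fail, which is the DNS breakage the note above warns about.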
https://kubernetes.io/docs/concepts/services-networking/network-policies/
https://kubernetes.io/ko/docs/tasks/administer-cluster/declare-network-policy/