목차
Control plane
•
데이터가 통신하는데 그것에 대한 도움을 주거나, 정책을 매기거나, 권한을 할당하는 것
클러스터 요소
•
api
•
c-m
•
k-proxy
•
kubelet
•
sched
현재 적용된 인가(Authorization) 설정
[root@m-k8s 7.7]# k describe pod kube-apiserver-m-k8s -n kube-system | grep -i author -F4
kube-apiserver
--advertise-address=192.168.1.10
--allow-privileged=true
--authorization-mode=Node,RBAC
--client-ca-file=/etc/kubernetes/pki/ca.crt
--enable-admission-plugins=NodeRestriction
--enable-bootstrap-token-auth=true
인가모드 | 설명 |
Node | 스케줄된 노드의 kubelet에서 인가를 결정함 |
ABAC | 속성 기반 접근제어 |
RBAC | 역할 기반 접근제어
정해진 룰 또는 사용자가 지정한 룰을 이용해서 인가를 제어함 |
Webhook | HTTP Post를 기반으로 페이로드 요청을 보고 인가를 제어함 |
RBAC(역할기반 접근제어)
•
c.role(ClusterRole)
•
role
•
rb(RoleBinding)
•
sa(ServiceAccount)
•
user
•
group
•
crb
컨텍스트(쿠버네티스 클러스터)로 구분된 구조
•
role-rb-sa < ns < 컨텍스트(cluster)
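# dev1 namespace and account
# Nesting restored: in the flattened listing "name:" sat at the same column as
# "metadata:", which makes metadata null and the manifest invalid.
apiVersion: v1
kind: Namespace
metadata:
  name: dev1
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev1-hoon
  namespace: dev1
---
# dev2 namespace and account
apiVersion: v1
kind: Namespace
metadata:
  name: dev2
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev2-moon
  namespace: dev2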
########
[root@m-k8s 8.3]# k get namespaces
NAME STATUS AGE
default Active 27d
dev1 Active 36s
dev2 Active 36s
ingress-nginx Active 16d
kube-node-lease Active 27d
kube-public Active 27d
kube-system Active 27d
metallb-system Active 27d
[root@m-k8s 8.3]# k get serviceaccounts -n dev2
NAME SECRETS AGE
default 1 25s
dev2-moon 1 25s
[root@m-k8s 8.3]# k get serviceaccounts -n dev1
NAME SECRETS AGE
default 1 28s
dev1-hoon 1 28s
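# Namespaced Role: read-only (get/list) access to pods and deployments in dev1.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev1
  name: role-get-dev1
rules:
  # "*" matches every API group. pods live in the core group ("") and
  # deployments in "apps"; listing those two instead of "*" is the
  # least-privilege form and gives the same result for the verbs below.
  - apiGroups: ["*"]
    resources: ["pods", "deployments"]
    verbs: ["get", "list"]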
########
[root@m-k8s dev1]# k get role -n dev1
NAME CREATED AT
role-get-dev1 2022-12-05T13:06:15Z
[root@m-k8s dev1]# ^C
[root@m-k8s dev1]# k get role -n dev1 -o yaml
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"role-get-dev1","namespace":"dev1"},"rules":[{"apiGroups":["*"],"resources":["pods","deployments"],"verbs":["get","list"]}]}
creationTimestamp: "2022-12-05T13:06:15Z"
name: role-get-dev1
namespace: dev1
resourceVersion: "3483797"
uid: deb51e6c-cbbb-4287-999a-7a5bbd1604e0
rules:
- apiGroups:
- '*'
resources:
- pods
- deployments
verbs:
- get
- list
kind: List
metadata:
resourceVersion: ""
selfLink: ""
[root@m-k8s dev1]# cat rolebidning-dev1.yaml
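# Binds ServiceAccount dev1-hoon to Role role-get-dev1 inside namespace dev1.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rolebinding-dev1
  namespace: dev1
subjects:
  - kind: ServiceAccount
    name: dev1-hoon
    # Stated explicitly: when a ServiceAccount subject omits namespace, the
    # RBAC authorizer falls back to the binding's own namespace (dev1).
    namespace: dev1
    apiGroup: ""
roleRef:
  kind: Role
  name: role-get-dev1
  apiGroup: rbac.authorization.k8s.io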
########
[root@m-k8s dev1]# k get rolebindings.rbac.authorization.k8s.io -n dev1
NAME ROLE AGE
rolebinding-dev1 Role/role-get-dev1 9s
컨텍스트가 ctx-dev1-hoon으로 생성됨.
[root@m-k8s dev1]# k config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
ctx-dev1-hoon kubernetes dev1-set-hoon
* kubernetes-admin@kubernetes kubernetes kubernetes-admin
[root@m-k8s dev1]# k config use-context ctx-dev1-hoon
Switched to context "ctx-dev1-hoon".
[root@m-k8s dev1]# k config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@m-k8s dev1]# k get po
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:dev1:dev1-hoon" cannot list resource "pods" in API group "" in the namespace "default"
[root@m-k8s dev1]# k get po
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:dev1:dev1-hoon" cannot list resource "pods" in API group "" in the namespace "default"
[root@m-k8s dev1]# ^C
[root@m-k8s dev1]# k get po -n dev1
No resources found in dev1 namespace.
[root@m-k8s dev1]# k get deployment -n dev1
No resources found in dev1 namespace.
[root@m-k8s dev1]# k get svc -n dev1
Error from server (Forbidden): services is forbidden: User "system:serviceaccount:dev1:dev1-hoon" cannot list resource "services" in API group "" in the namespace "dev1"
[root@m-k8s dev1]# k run nginx --image=nginx -n dev1
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:dev1:dev1-hoon" cannot create resource "pods" in API group "" in the namespace "dev1"
[root@m-k8s 8.3]# k apply -f sa-pod-admin.yaml
serviceaccount/sa-pod-admin created
[root@m-k8s 8.3]# k get sa
NAME SECRETS AGE
default 1 27d
sa-pod-admin 1 4s
[root@m-k8s 8.3]#
[root@m-k8s cluster]# k apply -f clusterrole.yaml
clusterrole.rbac.authorization.k8s.io/pod-admin created
[root@m-k8s cluster]# k apply -f clusterrolebinding.yaml
clusterrolebinding.rbac.authorization.k8s.io/clusterrolebinding-pod-admin created
컨텍스트 생성 (스크립트가 출력하는 Token 값은 ServiceAccount의 베어러 자격 증명이므로 노트나 저장소에 그대로 남겨 두지 않도록 한다)
[root@m-k8s cluster]# ./set-ctx-pod-admin.sh
sa-pod-admin of default Token: eyJhbGciOiJSUzI1NiIsImtpZCI6Ik5Ra09lM1NWTEpGV3dhOFZQaXNUWlZmcnRHNldXYUJzZHJ6SE4xUXNFd00ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InNhLXBvZC1hZG1pbi10b2tlbi1qdjhsNyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJzYS1wb2QtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIwOTA3YzRiYy0wZDlmLTQ0ZDQtYmQ2YS0wYTllYTUzMWYxOTQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpzYS1wb2QtYWRtaW4ifQ.qDs7daqX91XJpaZfj2jXg-stYVWMRvjx24bcQj14lYNA5F0AuLnmLT9UEkq0r-KRpcLqrxdyjlXMe2KfbHLxAuuB25xMwQplet1mi-RcCEPnUlFXKhS0YGF96xsDZ0yxii52CrMbCpn11OeK84fvaizveXeVZAVAhiM8KnOMlYafPDJFmambDkjkYMjV9skJwNTdCIYkPiu5NHF0Y2vvaISufW6KBAKZrgmbxq2gij-HF3gjLDvoYP0RGWN8vNkrly-1oQb4B9k6CAPEicsjbKKK4W_C9rX-x9g0y7bRfj3cjO0WX_oE8eBCLv3pU1-tR9u_hbrzlX8-PT0h-KsNxA
User "set-pod-admin" set.
Context "ctx-pod-admin" created.
[root@m-k8s cluster]# k config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
ctx-dev1-hoon kubernetes dev1-set-hoon
ctx-pod-admin kubernetes set-pod-admin
* kubernetes-admin@kubernetes kubernetes kubernetes-admin
[root@m-k8s cluster]# k config use-context pod-admin
error: no context exists with the name: "pod-admin"
[root@m-k8s cluster]# k config use-context ctx-pod-admin
Switched to context "ctx-pod-admin".
[root@m-k8s cluster]#
컨텍스트 원복
[root@m-k8s cluster]# k get clusterrole pod-admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"pod-admin"},"rules":[{"apiGroups":["*"],"resources":["pods","deployments","deployments/scale"],"verbs":["*"]}]}
creationTimestamp: "2022-12-05T13:21:17Z"
name: pod-admin
resourceVersion: "3485282"
uid: 0ce320ea-a0c1-4d0b-afb2-37d401ed355b
rules:
- apiGroups:
- '*'
resources:
- pods
- deployments
- deployments/scale
verbs:
- '*'
Network Policy
[deny all]
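# Deny-all policy for pods labelled role: sensitive, plus a Deployment and a
# Service used to observe the effect.
# Fixes: "//" is not a YAML comment and broke parsing; "-----" is not a
# document separator (only "---" is).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy-deny-all
  namespace: default
spec:
  podSelector:
    matchLabels:          # only pods carrying the label role: sensitive are selected
      role: sensitive
  policyTypes:            # both directions declared with no ingress/egress rules -> deny all
    - Ingress
    - Egress
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    role: sensitive
    app: chk-info
  name: deploy-deny-all
spec:
  replicas: 3
  selector:
    matchLabels:
      role: sensitive
      app: chk-info
  template:
    metadata:
      labels:
        role: sensitive     # matched by the policy above, so these pods are isolated
        app: chk-info
    spec:
      containers:
        - image: sysnet4admin/chk-info
          name: chk-info
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: chk-info
  name: deploy-deny-all
spec:
  ports:
    - port: 80
      protocol: TCP
      targetPort: 80
  selector:
    app: chk-info
  # Traffic arriving through this Service is still dropped at the pods while
  # the deny-all policy selects them.
  type: LoadBalancer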
[podSelector]
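# podSelector policy: pods labelled role: internal may exchange traffic only
# with pods labelled app: chk-info in the same namespace (default).
# Fixes: "//" comments broke YAML parsing; "--------------" is not a document
# separator.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy-podselector
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: internal
  policyTypes:
    - Ingress
    - Egress
  ingress:                # only app: chk-info pods may talk to the selected pods
    - from:
        - podSelector:    # a bare podSelector peer is scoped to this policy's namespace
            matchLabels:
              app: chk-info
  egress:                 # and the selected pods may only talk to app: chk-info pods
    - to:
        - podSelector:
            matchLabels:
              app: chk-info
  # Note: because egress is restricted to these peers, egress to cluster DNS
  # (kube-system) is blocked as well unless a separate rule allows it.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    role: internal
    app: chk-info
  name: deploy-podselector-int-only
spec:
  replicas: 3
  selector:
    matchLabels:
      role: internal
      app: chk-info
  template:
    metadata:
      labels:
        role: internal
        app: chk-info
    spec:
      containers:
        - image: sysnet4admin/chk-info
          name: chk-info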
[IP Block]
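# ipBlock policies: ingress/egress for every pod in the namespace is limited
# by CIDR. Fixes: "------..." runs are not document separators (only "---" is);
# the commented-out "except" example is re-indented so it can be uncommented
# in place.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy-ipblock
  namespace: default
spec:
  podSelector: {}         # empty selector = every pod in namespace default
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - ipBlock:
            # 172.16.0.1 - 172.16.255.254
            cidr: 172.16.0.0/16
  egress:
    - to:
        - ipBlock:
            # 172.16.0.1 - 172.16.127.254
            cidr: 172.16.0.0/17
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy-ipblock-except
  namespace: default
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - ipBlock:
            cidr: 172.16.0.0/16
            # change your CIDR to shut it down
            # except:
            #   - 172.16.n.n/24
  egress:
    - to:
        - ipBlock:
            cidr: 172.16.0.0/16
            # change your CIDR to shut it down
            # except:
            #   - 172.16.n.n/24
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: chk-info
  name: deploy-ipblock
spec:
  replicas: 3
  selector:
    matchLabels:
      app: chk-info
  template:
    metadata:
      labels:
        app: chk-info
    spec:
      containers:
        - image: sysnet4admin/chk-info
          name: chk-info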
[namespaceSelector]
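# namespaceSelector policy: pods in dev2 accept ingress only from namespace
# dev2 itself; egress is left open. Fix: "--------------" is not a document
# separator (only "---" is).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy-namespaceselector-dev2
  namespace: dev2
spec:
  podSelector: {}         # every pod in namespace dev2
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # kubernetes.io/metadata.name is set automatically on namespaces
              kubernetes.io/metadata.name: dev2
  egress:
    - {}                  # an empty rule allows all egress
---
# NOTE(review): this second document is identical to the first on this page
# (same name and namespace), so applying both only re-applies the same object;
# it was presumably meant to be a variant for another namespace — confirm.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy-namespaceselector-dev2
  namespace: dev2
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: dev2
  egress:
    - {}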