[CKA] Day 6 - Security
- advanced/Devops
- 2022. 8. 19.
security overview
Authentication
Who can access the cluster?
- Files - Username and Passwords
- Files - Username and Tokens
- Certificates
- External Authentication providers - LDAP
- Service Accounts
Authorization
What are they allowed to do?
- RBAC Authorization
- ABAC Authorization
- Node Authorization
- Webhook Mode
Accounts
kubectl create serviceaccount sa1
kubectl get serviceaccount
CERTIFICATE AUTHORITY(CA)
- generate keys
openssl genrsa -out ca.key 2048
- certificate signing request
openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr
- sign certificates
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
ADMIN USER
- generate keys
openssl genrsa -out admin.key 2048
- certificate signing request
openssl req -new -key admin.key -subj "/CN=kube-admin" -out admin.csr
- sign certificates
openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out admin.crt
If the admin user should belong to a group,
put the group into the CSR subject as the O (organization) field, like this:
group name: "system:masters"
- certificate signing request
openssl req -new -key admin.key -subj "/CN=kube-admin/O=system:masters" -out admin.csr
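The CA and admin-user steps above, as an added shell example that is not part of the original notes. It assumes the openssl CLI is installed and writes every file into a directory you pass in, so nothing touches a real cluster's PKI. Beyond the notes, it also verifies that the issued certificate chains to the CA and that the group really landed in the subject's O field, which is the check the API server's authenticator relies on.

```shell
#!/bin/sh
# Added example (not from the original notes): build a throwaway CA, issue a
# client certificate for user "kube-admin" in group "system:masters", and
# check the result. Assumes the openssl CLI; all paths are constructed under DIR.
set -eu

# make_admin_cert DIR : create ca.key/ca.crt and admin.key/admin.crt in DIR.
make_admin_cert() {
    dir="$1"
    mkdir -p "$dir"
    # --- Certificate authority (self-signed) ---
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ca.key" -subj "/CN=KUBERNETES-CA" \
        -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 \
        -out "$dir/ca.crt" 2>/dev/null
    # --- Admin user: CN = user name, O = group name ---
    openssl genrsa -out "$dir/admin.key" 2048 2>/dev/null
    openssl req -new -key "$dir/admin.key" \
        -subj "/CN=kube-admin/O=system:masters" -out "$dir/admin.csr" 2>/dev/null
    # -CAcreateserial writes ca.srl on first use (required on OpenSSL 1.1.x).
    openssl x509 -req -in "$dir/admin.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/admin.crt" 2>/dev/null
}

# cert_subject FILE : print the subject in RFC 2253 form, e.g.
# "subject=O=system:masters,CN=kube-admin" (stable across openssl versions).
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}

# verify_chain DIR : exit 0 only if admin.crt was signed by ca.crt.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/admin.crt" >/dev/null 2>&1
}

# has_group CERT GROUP : exit 0 if GROUP appears as an O= component of the
# subject. Kubernetes maps CN to the user name and each O to a group.
has_group() {
    cert_subject "$1" | grep -qE "(^subject=|,)O=$2(,|\$)"
}

# Stand-alone usage: sh make-admin-cert.sh /tmp/pki
if [ "$#" -gt 0 ]; then
    make_admin_cert "$1"
    cert_subject "$1/admin.crt"
    verify_chain "$1" && echo "admin.crt chains to ca.crt"
    has_group "$1/admin.crt" system:masters && echo "group system:masters present"
fi
```

The group check matters because a certificate without the O field still authenticates as kube-admin but carries no group, so the system:masters cluster-admin binding never applies and every request is forbidden by RBAC.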