[CKA] Day 7 - security (2) (config file, Authorization)

config file

kubectl get pods --kubeconfig config

$HOME/.kube/config

The config file consists of three sections

  • clusters
  • contexts
  • users

config.yaml example

apiVersion: v1
kind: Config

clusters:
- name: my-kube-playground
  cluster:
    certificate-authority: ca.crt
    server: https://my-kube-playground:6443

contexts:
- name: my-kube-admin@my-kube-playground
  context:
    cluster: my-kube-playground
    user: my-kube-admin
    namespace: finance  # optional: default namespace for this context

users:
- name: my-kube-admin
  user:
    client-certificate: admin.crt
    client-key: admin.key

kubectl config view
kubectl config view --kubeconfig=my-custom-config

Command to switch the current context

kubectl config use-context prod-user@production

================

Authorization

Authorization Mode

NODE, ABAC, RBAC, WEB Hook, AlwaysAllow, AlwaysDeny

Processing order

  1. NODE: handles only requests from nodes (kubelets)
  2. RBAC
  3. WEBHOOK

RBAC (Role-Based Access Control)

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "get", "create", "update", "delete"]
- apiGroups: [""]
  resources: ["configmaps"]   # lowercase plural API name, not the Kind
  verbs: ["create"]
  # resourceNames: ["blue", "orange"]   # optional: restrict the rule to specific object names

Binding a user to a Role
devuser-developer-binding.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devuser-developer-binding
subjects:
- kind: User
  name: dev-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io

Each rule is made up of three parts:
apiGroups, resources, verbs

kubectl get roles
kubectl get rolebindings

Check Access

kubectl auth can-i create deployments
kubectl auth can-i delete nodes

You can check another user's permissions without logging in as that user
kubectl auth can-i create deployments --as dev-user
kubectl auth can-i delete nodes --as dev-user
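As an added example (not part of the original notes), a small Python model of how the RBAC authorizer evaluates a Role's rules, which is the logic behind `kubectl auth can-i`; the rules are the developer Role above transcribed into dicts, plus a constructed get-only rule that shows what resourceNames really restricts.

```python
# Offline model of the RBAC check behind `kubectl auth can-i`: a request is
# allowed if ANY rule of the Role matches it (RBAC has no deny rules).

# The developer Role from the notes, transcribed into plain dicts
# (constructed input; no cluster or PyYAML needed). Resources are the
# lowercase plural API names that the authorizer compares against.
DEVELOPER_ROLE = [
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["list", "get", "create", "update", "delete"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["create"],
     "resourceNames": ["blue", "orange"]},
]

# Constructed extra rule: read access limited to one named ConfigMap.
READ_BLUE_ONLY = [
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"],
     "resourceNames": ["blue"]},
]


def _field_matches(allowed, value):
    """A rule field matches when it lists the value or the wildcard "*"."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, resource, api_group, name):
    """True if one rule covers the request (group, resource, verb, name)."""
    if not _field_matches(rule.get("apiGroups", []), api_group):
        return False
    if not _field_matches(rule.get("resources", []), resource):
        return False
    if not _field_matches(rule.get("verbs", []), verb):
        return False
    names = rule.get("resourceNames", [])
    # A name-restricted rule only covers a request that names one of them.
    return not names or name in names


def can_i(rules, verb, resource, api_group="", name=""):
    """Answer like `kubectl auth can-i <verb> <resource>` for these rules.

    The name comes from the request URL, and create is a POST to the
    collection, so it carries no name: a rule with resourceNames therefore
    never matches a create (the Kubernetes docs note that resourceNames
    cannot restrict create or deletecollection).
    """
    if verb in ("create", "deletecollection"):
        name = ""
    return any(rule_allows(r, verb, resource, api_group, name) for r in rules)
```

A bare `list` or `create` is never covered by a name-restricted rule, so the ConfigMap rule in the Role above grants nothing; grant `get` with resourceNames, or `create` without them.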

View the Kubernetes API resources (and check their short names)

k api-resources

service account

Unlike a user account, this is an account used by a machine (a program),
for example Jenkins, etc.

kubectl create serviceaccount dashboard-sa

Using a private repository (registry)

docker login private-registry.io
docker run private-registry.io/apps/internal-app

kubectl create secret docker-registry regcred \
  --docker-server=private-registry.io \
  --docker-username=registry-user \
  --docker-password=registry-password \
  --docker-email=registry-user@org.com

nginx-pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod
spec:
  containers:
  - name: nginx
    image: private-registry.io/apps/internal-app
  imagePullSecrets:
  - name: regcred

security context

pod level

apiVersion: v1
kind: Pod
metadata:
  name: web-pod
spec:
  securityContext:
    runAsUser: 1000
  containers:
    - name: ubuntu
      image: ubuntu
      command: ["sleep", "3600"]

container level

apiVersion: v1
kind: Pod
metadata:
  name: web-pod
spec:
  containers:
    - name: ubuntu
      image: ubuntu
      command: ["sleep", "3600"]
      securityContext:
        runAsUser: 1000
        capabilities:
          add: ["MAC_ADMIN"]

Network Policy

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          name: api-pod
    ports:
    - protocol: TCP
      port: 3306

Network Policy with multiple selectors

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          name: api-pod
      namespaceSelector:
        matchLabels:
          name: prod
    - ipBlock:
        cidr: 192.168.5.10/32
    ports:
    - protocol: TCP
      port: 3306

egress works the same way

  • identical except that `from` is replaced by `to`
