How to configure Kubernetes cluster security

2025-04-01 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

This article explains in detail how to configure Kubernetes cluster security. The editor considers it very practical and shares it here as a reference, in the hope that you get something out of it.

Over the past two days I have been going through the security configuration of a Kubernetes cluster, which involves the configuration of several components, and in the end I decided to draw a diagram to show it; that should make it clearer.

The following configurations are involved:

1. The other components act as clients. Their configuration when accessing kube-apiserver corresponds to the black lines in the figure:

- **kube-apiserver**

```
--secure-port=443 --client-ca-file=/var/run/kubernetes/dd_ca.crt --tls-private-key-file=/var/run/kubernetes/dd_server.key
```

- **kube-controller-manager**

```
--kubeconfig=/etc/kubernetes/cmkubeconfig
```

The contents of /etc/kubernetes/cmkubeconfig:

```yaml
apiVersion: v1
kind: Config
users:
- name: controllermanager
  user:
    client-certificate: /var/run/kubernetes/dd_cs_client.crt
    client-key: /var/run/kubernetes/dd_cs_client.key
clusters:
- name: local
  cluster:
    certificate-authority: /var/run/kubernetes/dd_ca.crt
contexts:
- context:
    cluster: local
    user: controllermanager
  name: my-context
current-context: my-context
```

- **kube-scheduler**

The security configuration for kube-scheduler to access the apiserver is the same as for kube-controller-manager.

- **kubelet**

```
--kubeconfig=/var/lib/kubelet/kubeconfig
```

The contents of /var/lib/kubelet/kubeconfig:

```yaml
apiVersion: v1
kind: Config
users:
- name: kubelet
  user:
    client-certificate: /home/dd_kubelet_client.crt
    client-key: /home/dd_kubelet_client.key
clusters:
- name: local
  cluster:
    certificate-authority: /home/dd_ca.crt
contexts:
- context:
    cluster: local
    user: kubelet
  name: my-context
current-context: my-context
```

- **kube-proxy**

```
--kubeconfig=/var/lib/kubeproxy/proxykubeconfig
```

The contents of /var/lib/kubeproxy/proxykubeconfig:

```yaml
apiVersion: v1
kind: Config
users:
- name: kubeproxy
  user:
    client-certificate: /home/dd_kubelet_client.crt
    client-key: /home/dd_kubelet_client.key
clusters:
- name: local
  cluster:
    certificate-authority: /home/dd_ca.crt
contexts:
- context:
    cluster: local
    user: kubeproxy
  name: my-context
current-context: my-context
```

2. kube-apiserver acts as a client. For its configuration when accessing the kubelet server, refer to the green lines in the figure:

- **kube-apiserver**

```
--kubelet-https --kubelet-certificate-authority=/var/run/kubelet/kubelet-ca.crt --kubelet-client-certificate=/var/run/kubelet/apiserver-kubelet.crt --kubelet-client-key=/var/run/kubelet/apiserver-kubelet.key
```

- **kubelet**

```
--client-ca-file=/var/run/kubelet/kubelet_ca.crt --tls-private-key-file=/var/run/kubelet/server.key --tls-cert-file=/var/run/kubelet/server.crt
```

3. A Pod accesses kube-apiserver with a token provided through a ServiceAccount. For the configuration involved, see the pink lines in the figure.

Each namespace has a default ServiceAccount. If Pod.Spec.serviceAccountName is not set, the Pod uses that default ServiceAccount. In the configuration in the figure above, a custom Pod.Spec.serviceAccountName: build-rebot is specified for the Pod. automountServiceAccountToken: true means that the token, ca.crt and namespace defined by the Secret of this ServiceAccount are automatically mounted into each container of the Pod at the following paths:

(Figure: the ServiceAccount admission controller makes sure the Secret volume is mounted in Pod.Spec.)

```
/var/run/secrets/kubernetes.io/serviceaccount/token
/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
/var/run/secrets/kubernetes.io/serviceaccount/namespace
```

- **kube-controller-manager**

```
--root-ca-file=/var/run/kubernetes/dd_ca.crt --service-account-private-key-file=/var/run/kubernetes/dd_server.key
```

In this way, applications in the Pod can access the apiserver in the following two ways:

- Add a kubectl proxy container. For an example, see [kubectl-container](https://github.com/kubernetes/kubernetes/tree/master/examples/kubectl-container/).
- Use the Go client library and create a client with the rest.InClusterConfig() and kubernetes.NewForConfig() functions; they handle locating and authenticating to the apiserver. See this [example](https://github.com/kubernetes/client-go/blob/master/examples/in-cluster/main.go).

4. kube-apiserver acts as a client and accesses etcd over TLS. The corresponding configuration is shown by the blue lines in the figure.

- **kube-apiserver**

```
--etcd-cafile=/var/run/kubelet/etcd-ca.crt --etcd-certfile=/var/run/kubelet/etcd-kubelet.crt --etcd-keyfile=/var/run/kubelet/etcd-kubelet.key
```

- **etcd**

```
--client-cert-auth --trusted-ca-file=/etc/ssl/etcd/etcd-ca.crt --cert-file=/etc/ssl/etcd/server.crt --key-file=/etc/ssl/etcd/server.key
```

Authentication config of the apiserver:

The file referenced by --token-auth-file has the following format:

```
token1,user1,uid1,"group1,group2,group3"
token2,user2,uid2,"group1,group2"
```

The file referenced by --basic-auth-file has the following format:

```
password1,user1,uid1,"group1,group2,group3"
password2,user2,uid2,"group1,group2,group3"
```
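Both static files above share one CSV layout, so a single parser covers them. The following is an added example (not code from the article or from Kubernetes itself) that reads that layout, builds a credential-to-user map and resolves a presented credential; the duplicate-credential check is a rule of this example, not a documented kube-apiserver behaviour, and the sample file is constructed.

```python
import csv
import io
from typing import Dict, List, NamedTuple, Optional


class StaticUser(NamedTuple):
    """One identity from a kube-apiserver static auth file."""
    name: str
    uid: str
    groups: List[str]


def parse_static_auth_file(text: str) -> Dict[str, StaticUser]:
    """Parse the CSV layout used by --token-auth-file and --basic-auth-file.

    Each row is: credential,user,uid[,"group1,group2,..."]. Column one is the
    secret (bearer token or password) and becomes the lookup key; the optional
    fourth column is a comma-separated group list, which must be quoted so the
    CSV reader keeps it as one field. Treating a reused credential as an error
    is a rule of this example, not a documented kube-apiserver behaviour.
    """
    users: Dict[str, StaticUser] = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not c.strip() for c in row):
            continue  # skip blank lines
        if len(row) < 3:
            raise ValueError(f"line {lineno}: expected at least 3 columns, got {len(row)}")
        credential, name, uid = (c.strip() for c in row[:3])
        if not credential or not name:
            raise ValueError(f"line {lineno}: credential and user name must be non-empty")
        if credential in users:
            raise ValueError(f"line {lineno}: credential already assigned to {users[credential].name}")
        groups: List[str] = []
        if len(row) >= 4 and row[3].strip():
            groups = [g.strip() for g in row[3].split(",") if g.strip()]
        users[credential] = StaticUser(name, uid, groups)
    return users


def authenticate(users: Dict[str, StaticUser], credential: str) -> Optional[StaticUser]:
    """Resolve a presented token/password to its user record, or None if unknown."""
    return users.get(credential)


# Constructed sample in the format shown above; not a real credential file.
SAMPLE_TOKEN_FILE = """token1,user1,uid1,"group1,group2,group3"
token2,user2,uid2,"group1,group2"
token3,user3,uid3
"""
```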

The following three kube-apiserver flags enable the x509 client certificate, static token and static password authentication methods respectively.

```
--client-ca-file=/var/run/kubernetes/dd_ca.crt --token-auth-file=SOMEFILE --basic-auth-file=SOMEFILE
```

Authorization config of the apiserver:

In our environment kube-apiserver currently uses the default value AlwaysAllow; enabling RBAC will be considered later if necessary.

```
--authorization-mode=AlwaysAllow
```

Admission control config of the apiserver:

kube-apiserver uses the configuration officially recommended for v1.6 and later, as follows:

```
--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
```
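The three apiserver sections above (authentication, authorization, admission) can be checked from the apiserver command line. This added example, not part of the article, parses the `--flag=value` flags and reports the settings a reviewer would flag: AlwaysAllow (which the article notes is the default), missing client-CA authentication, static token or password files, and recommended admission plugins that are absent. The sample command line is constructed from the flags quoted on this page.

```python
import shlex
from typing import Dict, List

# The admission plugin set the article lists as recommended for v1.6+.
RECOMMENDED_ADMISSION = {
    "NamespaceLifecycle", "LimitRanger", "ServiceAccount", "PersistentVolumeLabel",
    "DefaultStorageClass", "ResourceQuota", "DefaultTolerationSeconds",
}


def parse_flags(cmdline: str) -> Dict[str, str]:
    """Parse '--flag=value' and bare boolean '--flag' tokens into {flag: value}."""
    flags: Dict[str, str] = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("--"):
            key, _, val = tok[2:].partition("=")
            flags[key] = val if val else "true"  # bare flag such as --kubelet-https
    return flags


def audit_apiserver_flags(cmdline: str) -> List[str]:
    """Return findings about the authn/authz/admission flags discussed above."""
    f = parse_flags(cmdline)
    findings: List[str] = []
    # The article notes AlwaysAllow is the default, so an absent flag counts as AlwaysAllow.
    if "AlwaysAllow" in f.get("authorization-mode", "AlwaysAllow").split(","):
        findings.append("authorization-mode AlwaysAllow: every authenticated identity is fully privileged")
    if "client-ca-file" not in f:
        findings.append("client-ca-file not set: x509 client certificate authentication is disabled")
    if "basic-auth-file" in f:
        findings.append("basic-auth-file set: cleartext static passwords; changes need an apiserver restart")
    if "token-auth-file" in f:
        findings.append("token-auth-file set: static bearer tokens; changes need an apiserver restart")
    enabled = set(f.get("admission-control", "").split(",")) - {""}
    missing = sorted(RECOMMENDED_ADMISSION - enabled)
    if missing:
        findings.append("admission-control missing recommended plugins: " + ", ".join(missing))
    return findings


# Constructed from the flags quoted on this page; not a real cluster's command line.
SAMPLE_CMDLINE = (
    "--secure-port=443 --client-ca-file=/var/run/kubernetes/dd_ca.crt "
    "--token-auth-file=SOMEFILE --basic-auth-file=SOMEFILE --authorization-mode=AlwaysAllow "
    "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,"
    "DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds"
)
```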

This is the end of the article on "how to configure Kubernetes cluster security". I hope the above content is of some help to you and lets you learn more. If you think the article is good, please share it so that more people can see it.
