가시다님 스터디 쿠버네티스편 [7주차]

강재민·2023년 2월 27일
0

Kubernetes

목록 보기
28/29
post-custom-banner

[과제 1]

파드에서 EC2 메타데이터의 IAM Role 토큰 정보를 활용하여(boto3), 스터디에서 소개한 것 이외의 다른 AWS 서비스(혹은 Action)를 사용 후 코드나 스샷을 올려주세요
사전준비

cat <<EOF | kubectl create -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: boto3-pod
spec:
  replicas: 2
  selector:
    matchLabels:
      app: boto3
  template:
    metadata:
      labels:
        app: boto3
    spec:
      containers:
      - name: boto3
        image: jpbarto/boto3
        command: ["tail"]
        args: ["-f", "/dev/null"]
      terminationGracePeriodSeconds: 0
EOF
PODNAME1=$(kubectl get pod -l app=boto3 -o jsonpath={.items[0].metadata.name})
PODNAME2=$(kubectl get pod -l app=boto3 -o jsonpath={.items[1].metadata.name})
kubectl exec -it $PODNAME1 -- sh
cat <<EOF> s3.py
import boto3
s3 = boto3.client('s3')
response = s3.list_buckets()
print(response)
EOF
python s3.py

~/dev # python s3.py
{u'Owner': {u'DisplayName': 'repush', u'ID': '2500c91536f25f0897e7e1ea8859a5274ab813f9c045915b42179cf4f63eb267'}, u'Buckets': [{u'CreationDate': datetime.datetime(2023, 2, 23, 7, 46, 14, tzinfo=tzlocal()), u'Name': 'gitlab-runner-manager-repush'}, {u'CreationDate': datetime.datetime(2023, 2, 21, 13, 41, 31, tzinfo=tzlocal()), u'Name': 'grafana-alert-images-repush'}, {u'CreationDate': datetime.datetime(2023, 1, 19, 13, 58, 36, tzinfo=tzlocal()), u'Name': 'repush-gasida'}], 'ResponseMetadata': {'HTTPStatusCode': 200, 'RetryAttempts': 0, 'HostId': 'kOIXvO3KGJoi5JaQCEvPqlNou5q3qkZiO/imlczedW4s5/nz/gCV1XiiMsNvhRdo7CRpR9Y9F9o=', 'RequestId': '3AD880JB6CP8GKMP', 'HTTPHeaders': {'x-amz-id-2': 'kOIXvO3KGJoi5JaQCEvPqlNou5q3qkZiO/imlczedW4s5/nz/gCV1XiiMsNvhRdo7CRpR9Y9F9o=', 'server': 'AmazonS3', 'transfer-encoding': 'chunked', 'x-amz-request-id': '3AD880JB6CP8GKMP', 'date': 'Mon, 27 Feb 2023 14:17:01 GMT', 'content-type': 'application/xml'}}}
~/dev #


[과제 2]

책 398~400페이지 - kubescape armo 웹 사용 후 관련 스샷을 올려주세요

(repush:N/A) [root@kops-ec2 ~]# curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
Installing Kubescape...

######################################################################## 100.0%

Finished Installation.

Your current version is: v2.2.2 [git enabled in build: true]

Usage: $ kubescape scan --enable-host-scan

(repush:N/A) [root@kops-ec2 ~]# kubescape scan . --submit --account 23cf3d63-75ca-4426-a109-7f6771270514
[info] Kubescape scanner starting
[info] Downloading/Loading policy definitions
[success] Downloaded/Loaded policy
[info] Accessing local objects
[success] Done accessing local objects
[info] Scanning Directory
Control C-0128 100% |█████████████████████████████████████████████████████████████████████████████████████████████| (211/211, 17 it/s)
[success] Done scanning Directory

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Controls: 211 (Failed: 41, Passed: 164, Action Required: 6)
Failed Resources by Severity: Critical — 0, High — 45, Medium — 173, Low — 66

+----------+-------------------------------------------------------+------------------+---------------+-------------------+
| SEVERITY |                     CONTROL NAME                      | FAILED RESOURCES | ALL RESOURCES |   % RISK-SCORE    |
+----------+-------------------------------------------------------+------------------+---------------+-------------------+
| High     | Forbidden Container Registries                        |        0         |      13       | Action Required * |
| High     | Resources memory limit and request                    |        0         |      13       | Action Required * |
| High     | Resource limits                                       |        13        |      13       |       100%        |
| High     | Applications credentials in configuration files       |        0         |      14       | Action Required * |
| High     | Resources CPU limit and request                       |        0         |      13       | Action Required * |
| High     | CIS-5.2.2 Minimize the admission of privileged con... |        3         |       3       |       100%        |
| High     | CIS-5.2.11 Minimize the admission of Windows HostP... |        3         |       3       |       100%        |
| High     | CIS-5.7.3 Apply Security Context to Your Pods and ... |        13        |      13       |       100%        |
| High     | Verify image signature                                |        0         |      13       | Action Required * |
| High     | Check if signature exists                             |        13        |      13       |       100%        |
| Medium   | Data Destruction                                      |        1         |       1       |       100%        |
| Medium   | Non-root containers                                   |        13        |      13       |       100%        |
| Medium   | Allow privilege escalation                            |        13        |      13       |       100%        |
| Medium   | Ingress and Egress blocked                            |        13        |      13       |       100%        |
| Medium   | Automatic mapping of service account                  |        2         |      14       |        11%        |
| Medium   | Access container service account                      |        1         |       1       |       100%        |
| Medium   | Cluster internal networking                           |        3         |       3       |       100%        |
| Medium   | Linux hardening                                       |        13        |      13       |       100%        |
| Medium   | Configured liveness probe                             |        13        |      13       |       100%        |
| Medium   | CIS-5.1.4 Minimize Container Registries to only th... |        0         |      13       | Action Required * |
| Medium   | CVE-2022-0492-cgroups-container-escape                |        13        |      13       |       100%        |
| Medium   | CIS-5.1.4 Minimize access to create pods              |        1         |       1       |       100%        |
| Medium   | CIS-5.1.5 Ensure that default service accounts are... |        2         |       3       |        67%        |
| Medium   | CIS-5.1.6 Ensure that Service Account Tokens are o... |        2         |      14       |        11%        |
| Medium   | CIS-5.2.1 Ensure that the cluster has at least one... |        3         |       3       |       100%        |
| Medium   | CIS-5.2.3 Minimize the admission of containers wis... |        3         |       3       |       100%        |
| Medium   | CIS-5.2.4 Minimize the admission of containers wis... |        3         |       3       |       100%        |
| Medium   | CIS-5.2.5 Minimize the admission of containers wis... |        3         |       3       |       100%        |
| Medium   | CIS-5.2.6 Minimize the admission of containers wit... |        3         |       3       |       100%        |
| Medium   | CIS-5.2.7 Minimize the admission of root container... |        3         |       3       |       100%        |
| Medium   | CIS-5.2.8 Minimize the admission of containers wit... |        3         |       3       |       100%        |
| Medium   | CIS-5.2.9 Minimize the admission of containers wit... |        3         |       3       |       100%        |
| Medium   | CIS-5.2.10 Minimize the admission of containers wi... |        3         |       3       |       100%        |
| Medium   | CIS-5.2.12 Minimize the admission of HostPath volu... |        3         |       3       |       100%        |
| Medium   | CIS-5.2.13 Minimize the admission of containers wh... |        3         |       3       |       100%        |
| Medium   | CIS-5.3.2 Ensure that all Namespaces have Network ... |        3         |       3       |       100%        |
| Medium   | CIS-5.7.1 Create administrative boundaries between... |        3         |       3       |       100%        |
| Medium   | CIS-5.7.2 Ensure that the seccomp profile is set t... |        13        |      13       |       100%        |
| Medium   | CIS-5.7.4 The default namespace should not be used    |        18        |      25       |        68%        |
| Medium   | CIS-4.4.2 Consider external secret storage            |        13        |      13       |       100%        |
| Low      | Immutable container filesystem                        |        13        |      13       |       100%        |
| Low      | Configured readiness probe                            |        13        |      13       |       100%        |
| Low      | Network mapping                                       |        3         |       3       |       100%        |
| Low      | Pods in default namespace                             |        10        |      13       |        70%        |
| Low      | Naked PODs                                            |        6         |       6       |       100%        |
| Low      | Label usage for resources                             |        8         |      13       |        65%        |
| Low      | K8s common labels usage                               |        13        |      13       |       100%        |
+----------+-------------------------------------------------------+------------------+---------------+-------------------+
|          |                   RESOURCE SUMMARY                    |        26        |      31       |      41.52%       |
+----------+-------------------------------------------------------+------------------+---------------+-------------------+
FRAMEWORKS: AllControls (risk: 31.68), NSA (risk: 41.13), MITRE (risk: 3.19), AllControls (risk: 31.68), ArmoBest (risk: 39.05), NSA (risk: 41.13), cis-eks-t1.2.0 (risk: 41.36), cis-v1.23-t1.0.1 (risk: 67.37), DevOpsBest (risk: 31.91), MITRE (risk: 3.19)

* Control configurations are empty

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan results have not been submitted:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Run with '--verbose'/'-v' flag for detailed resources view

(repush:N/A) [root@kops-ec2 ~]#



[과제 3]

polaris 관련 실습(아무거나) 후 관련 스샷을 올려주세요

(repush:N/A) [root@kops-ec2 ~]# kubectl scale deployment netshoot-pod --replicas 2
deployment.apps/netshoot-pod scaled

cat <<EOF | kubectl create -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: netshoot-pod
spec:
  replicas: 2
  selector:
    matchLabels:
      app: netshoot-pod
  template:
    metadata:
      labels:
        app: netshoot-pod
    spec:
      containers:
      - name: netshoot-pod
        image: nicolaka/netshoot:v0.9
        command: ["tail"]
        args: ["-f", "/dev/null"]
        imagePullPolicy: Always
        resources:
          limits:
            cpu: 150m
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 128Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
      terminationGracePeriodSeconds: 0
EOF


[과제 4]

신규 서비스 어카운트(SA) 생성 후 '클러스터 수준(모든 네임스페이스 포함)에서 읽기 전용'의 권한을 주고 테스트 후 코드나 스샷을 올려주세요

kubectl create sa read-only-k8s -n default
serviceaccount/read-only-k8s created
kubectl get sa -n default
NAME            SECRETS   AGE
default         0         3h25m
read-only-k8s   0         1s
kubectl get sa read-only-k8s -n default -o yaml | yh
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2023-02-27T15:24:30Z"
  name: read-only-k8s
  namespace: default
  resourceVersion: "49771"
  uid: 3cce6c5c-6ac1-4da6-81d8-d8405d923cc3
cat <<EOF | kubectl create -f -
apiVersion: v1
kind: Pod
metadata:
  name: read-only-kubectl
  namespace: default
spec:
  serviceAccountName: read-only-k8s
  containers:
  - name: kubectl-pod
    image: bitnami/kubectl:1.24.10
    command: ["tail"]
    args: ["-f", "/dev/null"]
  terminationGracePeriodSeconds: 0
EOF
(repush:N/A) [root@kops-ec2 ~]# kubectl get pod
NAMESPACE     NAME                                            READY   STATUS    RESTARTS        AGE
default       read-only-kubectl                               1/1     Running   0               2m19s
(repush:N/A) [root@kops-ec2 ~]# kubectl get pod -o read-only-kubectl -n default -o yaml
apiVersion: v1
items:
- apiVersion: v1
  kind: Pod
  metadata:
    annotations:
      kubernetes.io/limit-ranger: 'LimitRanger plugin set: cpu request for container
        kubectl-pod'
    creationTimestamp: "2023-02-27T15:25:28Z"
    name: read-only-kubectl
    namespace: default
    resourceVersion: "50026"
    uid: f690f7ef-feff-4a8c-a61b-e9f4b9ef9e13
  spec:
    containers:
    - args:
      - -f
      - /dev/null
      command:
      - tail
      image: bitnami/kubectl:1.24.10
      imagePullPolicy: IfNotPresent
      name: kubectl-pod
      resources:
        requests:
          cpu: 100m
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      volumeMounts:
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: kube-api-access-nvsv9
        readOnly: true
    dnsPolicy: ClusterFirst
    enableServiceLinks: true
    nodeName: i-0f63e14d2d5d5f119
    preemptionPolicy: PreemptLowerPriority
    priority: 0
    restartPolicy: Always
    schedulerName: default-scheduler
    securityContext: {}
    serviceAccount: read-only-k8s
    serviceAccountName: read-only-k8s
    terminationGracePeriodSeconds: 0
    tolerations:
    - effect: NoExecute
      key: node.kubernetes.io/not-ready
      operator: Exists
      tolerationSeconds: 300
    - effect: NoExecute
      key: node.kubernetes.io/unreachable
      operator: Exists
      tolerationSeconds: 300
    volumes:
    - name: kube-api-access-nvsv9
      projected:
        defaultMode: 420
        sources:
        - serviceAccountToken:
            expirationSeconds: 3607
            path: token
        - configMap:
            items:
            - key: ca.crt
              path: ca.crt
            name: kube-root-ca.crt
        - downwardAPI:
            items:
            - fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
              path: namespace
  status:
    conditions:
    - lastProbeTime: null
      lastTransitionTime: "2023-02-27T15:25:28Z"
      status: "True"
      type: Initialized
    - lastProbeTime: null
      lastTransitionTime: "2023-02-27T15:25:35Z"
      status: "True"
      type: Ready
    - lastProbeTime: null
      lastTransitionTime: "2023-02-27T15:25:35Z"
      status: "True"
      type: ContainersReady
    - lastProbeTime: null
      lastTransitionTime: "2023-02-27T15:25:28Z"
      status: "True"
      type: PodScheduled
    containerStatuses:
    - containerID: containerd://47b93b32b78fdff22d9c1ea990458bf22339cce1df24e232967dfe4ee8dd5bd1
      image: docker.io/bitnami/kubectl:1.24.10
      imageID: docker.io/bitnami/kubectl@sha256:a6d7ef461d5160e47f8761a2c2afcc1ce720039dd14fc5d2ac55bfd73a065236
      lastState: {}
      name: kubectl-pod
      ready: true
      restartCount: 0
      started: true
      state:
        running:
          startedAt: "2023-02-27T15:25:35Z"
    hostIP: 172.30.57.163
    phase: Running
    podIP: 172.30.61.77
    podIPs:
    - ip: 172.30.61.77
    qosClass: Burstable
    startTime: "2023-02-27T15:25:28Z"
kind: List
metadata:
  resourceVersion: ""
kubectl exec -it read-only-kubectl -n default -- ls /run/secrets/kubernetes.io/serviceaccount
kubectl exec -it read-only-kubectl -n default -- cat /run/secrets/kubernetes.io/serviceaccount/token
kubectl exec -it read-only-kubectl -n default -- cat /run/secrets/kubernetes.io/serviceaccount/namespace
kubectl exec -it read-only-kubectl -n default -- cat /run/secrets/kubernetes.io/serviceaccount/ca.crt
alias k3='kubectl exec -it read-only-kubectl -n default -- kubectl'
k3 get pods
k3 run nginx --image nginx:1.20-alpine
k3 get pods -n kube-system
k3 auth can-i get pods
### 불가능
cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: role-read-only
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs:
    - get
    - list
    - watch
EOF
kubectl get roles -n default
kubectl get roles -n default -o yaml
kubectl describe clusterroles role-read-only -n default
cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: roleB-read-only
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: role-read-only
subjects:
- kind: ServiceAccount
  name: read-only-k8s
  namespace: default
EOF
I have no name!@read-only-kubectl:/$ kubectl get pods -A
NAMESPACE     NAME                                            READY   STATUS    RESTARTS        AGE
default       read-only-kubectl                               1/1     Running   0               74m
kube-system   aws-cloud-controller-manager-6g5gd              1/1     Running   0               4h40m
kube-system   aws-load-balancer-controller-595c8bbbbf-8d99m   1/1     Running   0               4h40m
kube-system   aws-node-jzzlt                                  1/1     Running   0               4h39m
kube-system   aws-node-r7428                                  1/1     Running   0               4h40m
kube-system   aws-node-xtjf6                                  1/1     Running   0               4h28m
kube-system   cert-manager-6b55fb8f96-m7nvv                   1/1     Running   0               4h40m
kube-system   cert-manager-cainjector-5cf5bd97fc-gffjv        1/1     Running   0               4h40m
kube-system   cert-manager-webhook-66ccfc975d-2mt64           1/1     Running   0               4h40m
kube-system   coredns-6897c49dc4-4tp5t                        1/1     Running   0               4h38m
kube-system   coredns-6897c49dc4-w9cbr                        1/1     Running   0               4h27m
kube-system   coredns-autoscaler-5685d4f67b-tq5jn             1/1     Running   0               4h27m
kube-system   ebs-csi-controller-8656988bdb-f9sjx             5/5     Running   0               4h40m
kube-system   ebs-csi-node-dnpb7                              3/3     Running   0               4h40m
kube-system   ebs-csi-node-w2xq8                              3/3     Running   0               4h39m
kube-system   ebs-csi-node-w547f                              3/3     Running   0               4h28m
kube-system   etcd-manager-events-i-08cf02ccf77956bd2         1/1     Running   0               4h39m
kube-system   etcd-manager-main-i-08cf02ccf77956bd2           1/1     Running   0               4h39m
kube-system   external-dns-6c69cd4c65-8xjnn                   1/1     Running   0               4h40m
kube-system   kops-controller-6x5df                           1/1     Running   0               4h40m
kube-system   kube-apiserver-i-08cf02ccf77956bd2              2/2     Running   1 (4h41m ago)   4h39m
kube-system   kube-controller-manager-i-08cf02ccf77956bd2     1/1     Running   2 (4h40m ago)   4h40m
kube-system   kube-proxy-i-08cf02ccf77956bd2                  1/1     Running   0               4h39m
kube-system   kube-proxy-i-0ab0a111bba087bae                  1/1     Running   0               4h39m
kube-system   kube-proxy-i-0f63e14d2d5d5f119                  1/1     Running   0               4h28m
kube-system   kube-scheduler-i-08cf02ccf77956bd2              1/1     Running   0               4h40m
kube-system   metrics-server-6d48674cf8-8k426                 1/1     Running   0               4h27m
kube-system   metrics-server-6d48674cf8-wc6xc                 1/1     Running   0               4h40m
kubescape     gateway-58f55d6448-smdgv                        1/1     Running   0               126m
kubescape     kollector-0                                     1/1     Running   0               126m
kubescape     kubescape-6d98699958-nbvcr                      1/1     Running   0               126m
kubescape     kubevuln-5f6cfc7d7f-dr2nh                       1/1     Running   0               126m
kubescape     operator-6764b4bddc-djznq                       1/1     Running   0               126m
I have no name!@read-only-kubectl:/$
I have no name!@read-only-kubectl:/$ kubectl run nginx --image nginx:1.20-alpine
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:read-only-k8s" cannot create resource "pods" in API group "" in the namespace "default"
I have no name!@read-only-kubectl:/$

Cluster Role 이용해서 완료


post-custom-banner

0개의 댓글