• k8s
• StudyNotes
• k8s-certs-security

k8s/StudyNotes/ k8s-certs-security

• kubect uses $HOME/.kube/config for cert auth

  • config info Clusters:  ->  Contexts: (Namespace) <-  Users: 

    • kubectl config view
    • kubectl config use-context prod-user@production
• kube-apiserver at the center
  • Who can access ? Authentication methods

    • Static PWD, CSV password123,user1,u0001,group1  kube-apiserver --basic-auth-file=user-details.csv 

      • Auth with  curl -v -k https://master-node-ip:6443/api/v1/pods -u "user1:password123" 

    • Static Token,  kube-apiserver --token-auth-file=user-details.csv 

      • Auth with  curl -v -k https://master-node-ip:6443/api/v1/pods --header "Authorization: Bearer KpjCViY" 

    • Cert
    • SSO
  • What can they do ? RBAC Auth , ABAC, Node, Webhook
  • All components to kube-apiserver TLS authenticated.

• k8s relies on external user administration, but it does ServiceAccounts for integration/bots

• View certificates  openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text 

• k8s has Certificates API

  • User gen cert $ openssl genrsa -out jane.key 2048  then csr $ openssl req -new -key jane.key -subj "/CN=jane" -out jane.csr 

  • Admin receives csr and creates k8s obj

  • kubectl get csr jane.csr.yaml

           apiVersion: certificate.k82.io/v1beta1
           kind: CertificteSigningRequest
           metadata:
             name: jane
           spec:
             groups:
             - system:authenticated
             usages:
             - digital signature
             - key encipherment
             - server auth
             request:
                LS0dkjfjs<the base64 encode csr>pbnj
                NnhjosblablablablabnJ

  • Add cert object to k8s $ kubectl apply -f jane.csr.yaml 

    • view with  kubectl get csr 

  • kubectl certificate approve jane

    •  kubectl certificates approve jane 

    •  kubectl get csr jane -o yaml  then base64 -d the cert.