Kevin
kubernetes-security

Security Primitives#

  • Authentication:
    • Certs
    • Username/Password or Token
    • Service Account
    • LDAP
  • Authorization:
    • RBAC: Role Based Access Control
    • ABAC: Attribute Based Access Control
    • Node Authorization
    • Webhook: Webhook Authorization

Authentication#

Kube API Server (token/password based authentication)#

Methods:

  • Static password/token file
  • Certificates
  • Third-party identity provider (LDAP, Kerberos, etc.)

  1. Binary kube-apiserver:

  2. kubeadm kube-apiserver: configure the kube-apiserver static pod

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command: # Modify startup options
    - kube-apiserver
    - --authorization-mode=Node,RBAC
      <content-hidden>
    - --basic-auth-file=/tmp/users/user-details.csv
    image: k8s.gcr.io/kube-apiserver-amd64:v1.11.3
    name: kube-apiserver
    volumeMounts:  # Pass in user details
    - mountPath: /tmp/users
      name: usr-details
      readOnly: true
  volumes: # Pass in user details
  - hostPath:
      path: /tmp/users
      type: DirectoryOrCreate
    name: usr-details
```

Configure the user's Role and RoleBinding:

```yaml
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
# This role binding allows "user1" to read pods in the "default" namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: user1 # Name is case-sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role # this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
```

Authentication (certificate based)#

Server Certificates#

  1. API Server certificates
  2. etcd Server certificates
  3. Kubelet Server certificates

Client Certificates#

For the kube-apiserver:

  1. Scheduler
  2. Admin
  3. Controller Manager
  4. Kube Proxy

For the etcd server:

  1. Kube API Server

Create a self-signed CA certificate:

  1. Generate the CA key

```shell
openssl genrsa -out ca.key 2048
```

  2. Create the certificate signing request

```shell
openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr
```

  3. Sign the certificate with the CA key

```shell
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
```

The certificate file paths used by the API server are configured in /etc/kubernetes/manifests/kube-apiserver.yaml.

CSR#

Which Kubernetes component signs the certificate?

  • Controller Manager
    • Controllers:
      1. CSR Approving
      2. CSR Signing

Send the CSR to the kube-apiserver and wait for approval. CSR manifest:

```yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: mycsr # CSR name, must be unique
spec:
  request: <base64-encoded-csr> # base64-encoded mycsr.csr
  signerName: kubernetes.io/kube-apiserver-client # signer used to issue the certificate
  usages: # certificate usages
  - client auth # client authentication
  - server auth # server authentication
  - digital signature # digital signature; can be used to sign data (e.g. signing requests, code)
  - key encipherment # key encipherment; can be used to encrypt key material (e.g. the session key in HTTPS)
  groups: # groups of the requesting user
  - system:authenticated
  expirationSeconds: 3600 # certificate lifetime in seconds; defaults to one year when unset
```

```shell
kubectl apply -f mycsr.yaml
controlplane ~ kubectl get csr mycsr
NAME          AGE     SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
mycsr         6m11s   kubernetes.io/kube-apiserver-client           kubernetes-admin           <none>              Approved,Issued
```

Approve or deny a CSR

```shell
controlplane ~ kubectl certificate approve mycsr
certificatesigningrequest.certificates.k8s.io/mycsr approved
controlplane ~ kubectl certificate deny mycsr
certificatesigningrequest.certificates.k8s.io/mycsr denied
```
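The manifest above leaves `request: <base64-encoded-csr>` as a placeholder. The following added example (not part of the original post) shows how to produce that value with openssl, render the CertificateSigningRequest manifest, and decode the request back so an approver can check the CN before running `kubectl certificate approve`. It assumes openssl, base64, awk and sed are installed; `user1`, `dev-team` and the temp directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: build the CSR manifest for a
# client certificate and decode it back for review before approval.
# Assumes openssl/base64/awk/sed; "user1" and "dev-team" are placeholders.
set -eu

# Generate a private key and a CSR. The CN becomes the Kubernetes username and
# the O becomes the user's group once the certificate is issued.
gen_user_csr() {
  user="$1"; group="$2"; dir="$3"
  openssl genrsa -out "$dir/$user.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$user.key" -subj "/CN=$user/O=$group" \
    -out "$dir/$user.csr" 2>/dev/null
}

# Write the CertificateSigningRequest manifest; spec.request must be the PEM
# CSR base64-encoded on a single line. Prints the manifest path.
make_csr_manifest() {
  user="$1"; dir="$2"; ttl="${3:-3600}"
  b64=$(base64 < "$dir/$user.csr" | tr -d '\n')
  cat > "$dir/$user-csr.yaml" <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $user
spec:
  request: $b64
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
  expirationSeconds: $ttl
EOF
  echo "$dir/$user-csr.yaml"
}

# Decode spec.request and print its CN, so the approver can confirm which
# identity `kubectl certificate approve` is about to grant.
csr_subject_cn() {
  awk '/^ *request:/ {print $2}' "$1" | base64 -d \
    | openssl req -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Demo with constructed values. After `kubectl apply -f` and approval, the
# issued certificate is in the CSR object's .status.certificate (base64).
workdir=$(mktemp -d)
gen_user_csr user1 dev-team "$workdir"
manifest=$(make_csr_manifest user1 "$workdir")
echo "manifest: $manifest (CN=$(csr_subject_cn "$manifest"))"
```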
https://fuwari.vercel.app/posts/kubernetes-security/kubernetes-security/
Author
Kevin
Published at
2024-12-25