Security Flashcards
What is the command to create a service account?
k create serviceaccount <username>
What component provides authorization for users?
kube-apiserver
What are the 4 options for authorization?
- Static Password File
- Static Token File
- Certificates
- 3rd party Identity Services (such as LDAP)
Where do you add the flag/option for specifying a static password file and what is the flag/option? (THIS IS NOT RECOMMENDED IN A PROD ENV)
You specify the static password file in kube-apiserver.service, or in the manifest under the spec section, with --basic-auth-file=<filename>
What command will show you all the certificates used by the kube-apiserver?
cat /etc/kubernetes/manifests/kube-apiserver.yaml
What command checks the content of a certificate?
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout
What command generates keys for the CA?
openssl genrsa -out ca.key 2048
What is the command to create a CSR for the CA?
openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr
What command signs certificates for the CA?
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
What command creates a CSR for an admin user?
openssl req -new -key admin.key -subj "/CN=kube-admin/O=system:masters" -out admin.csr
What command signs a CSR for an admin user?
openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -out admin.crt
What are the names that are specified on the kube-apiserver certificate?
kubernetes
kubernetes.default
kubernetes.default.svc
kubernetes.default.svc.cluster.local
10.96.0.1
172.17.0.87
What are the steps to adding new users via the certificates API?
- Create CertificateSigningRequest Object
- Review Requests
- Approve Requests
- Share Certs to Users
What is the openssl command to generate a key for a new user?
openssl genrsa -out <user>.key 2048
What is the openssl command to generate a cert for a new user?
openssl req -new -key <user>.key -subj "/CN=<user>" -out <user>.csr
What is the command for an admin to see all CSR requests?
k get csr
What are the attributes of a CSR definition file?
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: akshay
spec:
  groups:
  - system:authenticated
  request: <Paste>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
What is the command to approve a csr request?
kubectl certificate approve <user>
What is the command to get a user certificate?
k get csr <user> -o yaml (the certificate is under status.certificate); to decode it: echo "xxx" | base64 --decode
What is the command to view the kubeconfig file?
k config view
or
k config view --kubeconfig=<filename>
What is the command to change context?
k config use-context <context_name>
What is the name of the api group that is responsible for namespaces, pods, rc, events, endpoints, nodes, bindings, PV, PVC, configmaps, secrets, services?
core
What are some examples of named APIs?
apps/
extensions/
networking.k8s.io/
storage.k8s.io/
authentication.k8s.io/
certificates.k8s.io/
What are some examples of verbs under the named group for apps/v1/deployments?
get
list
create
delete
update
watch
What is a command to list the named APIs?
curl http://localhost:6443 -k
You must use:
k proxy
What are the read permissions for node authorizer?
read: services, endpoints, nodes, pods
What are the write permissions for node authorizer?
write: node status, pod status, events
What are the different authorization-mode options?
--authorization-mode=Node,RBAC,Webhook
What happens when an option specified in --authorization-mode denies a request?
If the first one denies the request, it moves on to the next one.
What are the 3 parameters that are needed for setting rules in a Role definition file?
apiGroups, resources, verbs
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["ConfigMap"]
  verbs: ["create"]
How do you link a user to a role?
Create a role binding definition file.
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "jane" to read pods in the "default" namespace.
# You need to already have a Role named "pod-reader" in that namespace.
kind: RoleBinding
metadata:
  name: read-pods-binding
  namespace: default
subjects:
# You can specify more than one "subject"
- kind: User
  name: jane # "name" is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role # this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
What is the command to list the roles?
kubectl get roles
What is the command to list role bindings?
kubectl get rolebindings
What is the command to see details about a role binding?
kubectl describe role read-pods-binding
What is the command to see if you have access to an action?
kubectl auth can-i delete pods
What is the command to see if a user has access to an action?
kubectl auth can-i create deployments --as dev-user --namespace test
What are the namespaced scoped resources?
pods
replicasets
jobs
deployments
services
secrets
roles
rolebindings
configmaps
pvc
What are the cluster scoped resources?
nodes
pv
clusterroles
clusterrolebindings
certificatesigningrequests
namespaces
Can a cluster role be used for namespaced resources?
ClusterRole can be used for namespaced resources but will then be generic to all namespaces.
What is the command to create a service account?
kubectl create serviceaccount <name>
What command lists service accounts?
k get serviceaccount
What command explains service accounts?
k describe serviceaccount <service_account_name>
What command shows details about the service account’s token?
k describe secret <service_account_token_name>
What is the command to create a private container repository?
kubectl create secret docker-registry regcred \
  --docker-server=private-registry.io \
  --docker-username=registry-user \
  --docker-password=registry-password \
  --docker-email=registry-user@org.com
Capabilities are only available at what level?
Container level
Container level security context overrides what level of security context?
The pod level
What spec configuration sets security capabilities?
securityContext:
Example 1:
apiVersion: v1
kind: Pod
metadata:
  name: web-pod
spec:
  containers:
  - image: ubuntu
    name: ubuntu
    command: ["sleep", "3600"]
    securityContext:
      runAsUser: 1000
Example 2:
apiVersion: v1
kind: Pod
metadata:
  name: web-pod
spec:
  containers:
  - image: ubuntu
    name: ubuntu
    command: ["sleep", "3600"]
    securityContext:
      runAsUser: 1000
      capabilities:
        add: ["MAC_ADMIN"]
What is the default network communication policy for pods?
By default, every pod can communicate with every other pod or service within the cluster.
How do you assign a network policy to a pod?
Create a network policy definition, and assign using labels and selectors.