Kubernetes System Security


Author: Yin Zhengjie

Copyright: original work, reprinting is not permitted! Violators will be held liable.

A. Kubernetes System Security Overview

1> Overview of Access Control for the Kubernetes API Server (Controlling Access)

  Users can access the API by issuing requests through kubectl, a client library, or the REST API directly.

  Both human users and Kubernetes service accounts can be authorized to access the API.

  When a request reaches the API, the API Server passes it through three access-control plugins in turn: authentication, authorization policy, and admission control, as shown below.
    Authentication:
      verifies whether the client is a visitor the API Server recognizes, much like logging in with an account and password.
    Authorization policy:
      after authentication succeeds, rights-based management logic decides which resources the identity may use; different users who log in have different rights.
    Admission control:
      serves two functions. First, it checks the client-defined resource for conformance: if the definition follows the rules, it is executed as written; if it does not, for example because a field is missing, the missing field is auto-completed with its default value.
      Second, it checks the validity of the user's behavior after defaults are filled in: even though a client has already passed authentication and authorization policy and holds permission to create a Pod, admission control can still limit the resources the created Pod may request, such as CPU, memory, and disk space.

2> Kubernetes Authentication

  In a typical Kubernetes cluster, the API server listens on port 443 and presents a certificate. Once TLS is established, the HTTP request moves on to the authentication step.

  The cluster creation script or the cluster administrator configures the API server to run one or more authenticator modules.

  The input to the authentication step is the entire HTTP request; however, it usually examines only the headers and/or the client certificate.
    Authentication modules include client certificates, passwords, plain tokens, bootstrap tokens, and JWT tokens (used for service accounts).
    Multiple authentication modules can be specified; in that case each module is tried in turn until one of them succeeds.
    If the request cannot be authenticated, it is rejected with HTTP status code 401.
    Otherwise, the user is authenticated as a specific username, and that username is available to the subsequent steps for use in their decisions.
    Some authenticators also provide the user's group memberships, while others do not.

3> Kubernetes Authorization Policy

  Immediately after the authentication step comes the "authorization" check. A normal request must carry in its request body the username, the requested action, and the target object; if some authorization policy grants permission for this request, authorization succeeds.

  Kubernetes authorization requires using common REST attributes to interact with existing organization-wide or cloud-provider-wide access control systems.

  Kubernetes supports multiple authorization modules, such as ABAC mode, RBAC mode, and Webhook mode; when administrators create a cluster, they configure the authorization modules that the API server should use.
    If multiple authorization modules are configured, Kubernetes checks each module: if any module authorizes the request, the request may proceed; if every module denies the request, the request is rejected (HTTP status code 403).
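To make the decision chain described in sections 1 to 3 concrete, here is an added example that is not part of the original post and not Kubernetes' own code: a simplified model of an API server that tries authenticators in turn (first success wins, otherwise 401), lets any authorizer allow the request (all deny gives 403), and then runs defaulting and a resource-limit check in admission. The token table, role bindings, CPU cap, and the `cert_cn` field standing in for an already-validated client certificate are all constructed assumptions.

```python
# Added example (not Kubernetes' own code): a simplified model of the
# authentication -> authorization -> admission chain the post describes.
# All tokens, roles and limits below are constructed sample data.

TOKENS = {"tok-alice": ("alice", ("dev",))}        # constructed token table
RBAC = {"dev": {("create", "pods", "default")}}   # constructed role bindings
MAX_CPU = 2                                        # constructed LimitRange-style cap


def client_cert_auth(req):
    # Constructed: assume the TLS layer already validated the cert; only its CN is read here.
    cn = req.get("cert_cn")
    return (cn, ("system:masters",)) if cn else None


def bearer_token_auth(req):
    auth = req.get("headers", {}).get("Authorization", "")
    return TOKENS.get(auth[7:]) if auth.startswith("Bearer ") else None


def rbac_authorize(req, user, groups):
    key = (req["verb"], req["resource"], req["namespace"])
    return any(key in RBAC.get(g, ()) for g in groups)


def admin_authorize(req, user, groups):
    return "system:masters" in groups


def mutating_admission(body):
    # Defaulting: fill in a missing field, the post's "auto-complete defaults".
    return {"restartPolicy": "Always", **body}


def validating_admission(body):
    # Validity check: enforce the resource cap even though the user is authorized.
    return body.get("cpu", 0) <= MAX_CPU


def handle(req):
    """Return (HTTP status, admitted object or None)."""
    for authenticator in (client_cert_auth, bearer_token_auth):
        identity = authenticator(req)
        if identity:                      # first success wins; the rest are skipped
            user, groups = identity
            break
    else:
        return 401, None                  # no authenticator recognised the client
    if not any(a(req, user, groups) for a in (rbac_authorize, admin_authorize)):
        return 403, None                  # every authorizer denied the request
    body = mutating_admission(req.get("body", {}))
    if not validating_admission(body):
        return 403, None                  # admission denied (403 used as a simplification)
    return 201, body
```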

4> Kubernetes Admission Control


B.


C.


Origin: www.cnblogs.com/yinzhengjie/p/12302138.html