Added
1. Kubelet Security
2. Correct links after restructuring the individual topics into a separate folder
Jayendra Patil committed Dec 17, 2021
1 parent 29b343f commit 21cf0e6
Showing 12 changed files with 83 additions and 21 deletions.
6 changes: 5 additions & 1 deletion cka/1.cluster_architecture_installation_configuration.md
Expand Up @@ -6,7 +6,7 @@

<br />

Refer [RBAC](../rbac.md)
Refer [RBAC](../topics/rbac.md)

<br />

Expand All @@ -30,6 +30,10 @@ Refer [Creating HA Kubernete cluster](https://kubernetes.io/docs/setup/productio

<br />

TBD

<br />

## Perform a version upgrade on a Kubernetes cluster using Kubeadm

<br />
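Review bot: the added `TBD` between the HA-cluster reference and the "Perform a version upgrade" heading leaves that objective with a bare placeholder; if it is meant to be tracked, name the objective it stands in for so the gap is easy to find later. While on this hunk, the context line's link text "Creating HA Kubernete cluster" is missing the "s" in Kubernetes.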
10 changes: 5 additions & 5 deletions cka/2.workloads_scheduling.md
Expand Up @@ -6,24 +6,24 @@

<br />

Refer [Deployment Rollouts](../deployments.md#deployment-rollout)
Refer [Deployment Rollouts](../topics/deployments.md#deployment-rollout)

<br />

## Use ConfigMaps and Secrets to configure applications

<br />

Refer [ConfigMaps](../configmaps.md)
Refer [Secrets](../secrets.md)
Refer [ConfigMaps](../topics/configmaps.md)
Refer [Secrets](../topics/secrets.md)

<br />

## Know how to scale applications

<br />

Refer [Deployment Rollouts](../deployments.md#deployment-scaling)
Refer [Deployment Rollouts](../topics/deployments.md#deployment-scaling)

<br />

Expand All @@ -39,7 +39,7 @@ TBD

<br />

Refer [Resources - Requests & Limits](../topics/pods/md#resources)
Refer [Resources - Requests & Limits](../topics/pods.md#resources)

<br />

4 changes: 2 additions & 2 deletions cka/3.services_networking.md
Expand Up @@ -20,11 +20,11 @@ TBD

## Understand ClusterIP, NodePort, LoadBalancer service types and endpoints

Refer [Services](../services.md)
Refer [Services](../topics/services.md)

## Know how to use Ingress controllers and Ingress resources

Refer [Ingress](../ingress.md)
Refer [Ingress](../topics/ingress.md)

## Know how to configure and use CoreDNS

2 changes: 1 addition & 1 deletion cka/4.storage.md
Expand Up @@ -30,6 +30,6 @@ TBD

<br />

Refer [Volumes](../topics/volumes.md
Refer [Volumes](../topics/volumes.md)

<br />
6 changes: 3 additions & 3 deletions ckad/1.application_design_build.md
Expand Up @@ -14,22 +14,22 @@ TBD - Create docker images

<br />

Refer [Jobs & Cron Jobs](../jobs.md)
Refer [Jobs & Cron Jobs](../topics/jobs.md)

<br />

## Understand multi-container Pod design patterns (e.g. sidecar, init and others)

<br />

Refer [Multi-Container Pods](../pods#multi-container-pods)
Refer [Multi-Container Pods](../topics/pods.md#multi-container-pods)

<br />

## Utilize persistent and ephemeral volumes

<br />

Refer [Volumes](../volumes.md)
Refer [Volumes](../topics/volumes.md)

<br />
2 changes: 1 addition & 1 deletion ckad/2.application_deployment.md
Expand Up @@ -12,7 +12,7 @@ TBD

## Understand Deployments and how to perform rolling updates

Refer [Deployment Rollouts](../deployments.md#deployment-rollout)
Refer [Deployment Rollouts](../topics/deployments.md#deployment-rollout)

## Use the Helm package manager to deploy existing packages

6 changes: 3 additions & 3 deletions ckad/3.application_observability_maintenance.md
Expand Up @@ -12,15 +12,15 @@ TBD

## Implement probes and health checks

Refer [Readiness & Liveness probes](../probes.md)
Refer [Readiness & Liveness probes](../topics/probes.md)

## Use provided tools to monitor Kubernetes applications

Refer [Monioring](../monitoring.md)
Refer [Monioring](../topics/monitoring.md)

## Utilize container logs

Refer [Logging](../logging.md)
Refer [Logging](../topics/logging.md)

## Debugging in Kubernetes

2 changes: 1 addition & 1 deletion ckad/4.application_environment_configuration_security.md
Expand Up @@ -20,7 +20,7 @@ Refer [Admission Controllers](../topics/admission_controllers.md)

<br />

Refer [Resources - Requests & Limits](../topics/pods/md#resources)
Refer [Resources - Requests & Limits](../topics/pods.md#resources)

<br />

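Review bot: this is the same `../topics/pods/md#resources` to `../topics/pods.md#resources` correction already made in cka/2.workloads_scheduling.md, so the malformed anchor was evidently pasted into more than one file; a quick `grep -rn 'pods/md' .` over the repository would confirm no further copies remain.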
2 changes: 1 addition & 1 deletion cks/1.cluster_setup.md
Expand Up @@ -30,7 +30,7 @@ Refer [Ingress with tls cert](../topics/ingress.md#ingress-security)

<br />

TBD
Refer [Kubelet Security](../topics/kubelet_security.md)

<br />

2 changes: 1 addition & 1 deletion cks/4.minimize_microservice_vulnerabilities.md
Expand Up @@ -16,7 +16,7 @@ Refer [Open Policy Agent](https://kubernetes.io/blog/2019/08/06/opa-gatekeeper-p

<br />

Refer [Secrets](../topicssecrets)
Refer [Secrets](../topics/secrets.md)

<br />

5 changes: 3 additions & 2 deletions topics/README.md
Expand Up @@ -13,8 +13,9 @@ Topics cover test exercises for each topics
- [Falco](./falco.md)
- [Ingress](./ingress.md)
- [Jobs](./jobs.md)
- [kube-bench](../kube-bench.md)
- [Kubeconfig](./kubeconfig.md)
- [kube-bench](./kube-bench.md)
- [Kubeconfig](./kubeconfig.md) .
- [Kubelet Security](./kubelet_security.md)
- [Kubesec](./kubesec.md)
- [Logging](./logging.md)
- [Monitoring](./monitoring.md)
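Review bot: the re-added `Kubeconfig` entry carries a stray ` .` after the link (`- [Kubeconfig](./kubeconfig.md) .`), which renders as a trailing dot in the list; drop it. The `kube-bench` path change from `../kube-bench.md` to `./kube-bench.md` brings that entry in line with the other relative links in this file.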
57 changes: 57 additions & 0 deletions topics/kubelet_security.md
@@ -0,0 +1,57 @@
# [Kubelet Security](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/)

<br />

### Check the Kubelet Security

<br />

#### Check Kubelet configuration

```bash
ps -ef | grep kubelet # check the --config parameter
# root 2600 1 3 05:21 ? 00:00:02 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --cgroup-driver=systemd --network-plugin=cni --pod-infra-container-image=k8s.gcr.io/pause:3.2 --resolv-conf=/run/systemd/resolve/resolv.conf
```

#### Viewing the kubelet configuration file `/var/lib/kubelet/config.yaml`

```yaml
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
anonymous:
enabled: false # anonymous auth should be disabled - It should not be true
webhook: # Authn mechanism set to webhook as certificate based auth instead of AlwaysAllow
cacheTTL: 0s
enabled: true
x509:
clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
mode: Webhook # Authz mechanism set to webhook, instead of AlwaysAllow
webhook:
cacheAuthorizedTTL: 0s
cacheUnauthorizedTTL: 0s
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local
cpuManagerReconcilePeriod: 0s
evictionPressureTransitionPeriod: 0s
# additional lines omitted for brevity
```

#### Check the key and certificate in the `kube-apiserver.yaml` file

```bash
cat kube-apiserver.yaml | grep kubelet-client
# - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
# - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
```

#### Verify the authentication using the above cert and key

```bash
curl -sk https://localhost:10250/pods/
# Unauthorized

curl -sk https://localhost:10250/pods/ --key /etc/kubernetes/pki/apiserver-kubelet-client.key --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt
# {"kind":"PodList","apiVersion":"v1","metadata":{},"items":[{"metadata":{"name":"etcd-controlplane","namespace": ...
```
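Review bot: the comment on the `webhook:` line under `authentication:` conflates two mechanisms: webhook authentication has the kubelet validate bearer tokens against the API server, whereas the certificate-based authentication that the final curl exercise relies on is the `x509.clientCAFile` setting; reword the comment so readers do not take `webhook.enabled: true` as the reason the client certificate is accepted. The three settings that make the check meaningful (`anonymous.enabled: false`, `x509.clientCAFile`, and `authorization.mode: Webhook`) are worth one sentence above the YAML. In the third block, `cat kube-apiserver.yaml | grep kubelet-client` only works from the directory holding the manifest; `grep kubelet-client` with the file's full path is shorter and location-independent. Finally, `-k` on the two curl calls disables server-certificate verification; that is acceptable for a localhost check against port 10250, but a short comment saying so would stop the flag being carried into scripts where verification matters.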
