security.adoc

Security

Checking what certs are used by apiserver/etcd

1. cat /etc/kubernetes/manifests/<staticpod>.yaml

2. for kubelet check service status, and check where the config file is stored

3. kubelet certificates should be in /var/lib/kubelet/pki

4. kubernetes cerst shoudl be in /etc/kubernetes/pki/

generate key

openssl genrsa -out <user>.key 2048

Check certificate

openssl x509 -in /etc/kubernetes/pki/etcd/server.crt -text

generate csr

openssl req -new -key john.key -out john.csr -subj="/CN=john/O=system:masters" -CN=user O=node<optional>
sign csr: openssl x509 -req -in /etc/kubernetes/pki/apiserver-etcd-client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver-etcd-client.crt

https://www.sslshopper.com/article-most-common-openssl-commands.html

Pro Tip

1. if you cant seee logs using kubectl logs, use docker logs

2. if there are no docker logs check journalctl -u <processname> | grep etcd for etcderrors

Pro Tip

1. to check namespace and cluster level resources

2. kubectl api-resources namespaced=true/false

Impt

Cluster roles are global and not part of a particular namespaces (but can be)

View config

kubectl config view --users/clusters kubectl config view --kubeconfig <filename>

view commands a user acn exexute

kubectl --as <username>

docker registry secret

kubectl create secret docker-registry private-reg-cred --docker-username=dock_user --docker-password=dock_password --docker-server=myprivateregistry.com:5000 --docker-email=<email>

check if a command can be executed (based on security-context)

kubectl exec -it ubuntu-sleeper — date -s '19 APR 2012 11:14:00'