Security
Authentication
We have 2 types of users:
Users: Admins & Developers
Bots: Service Accounts which are other processes, services, apps that require access to cluster
Users
Kubernetes doesn't manage user accounts natively, it relies on external sources such as:
File with user details
Certificates
3rd-party identity service like LDAP
So you cannot create users or list users in a Kubernetes cluster
Service Accounts
Kubernetes can manage service accounts using the kubeapi-server
Authentication Mechanisms
How does kube-apiserver authenticate?
Static Password File: List of username & password in a file
Static Token File: Usernames & Token in a file
Certificates: Authenticate using certificates
Identity Services: Connect to 3rd party authentication protocols such as LDAP, Kerberos etc...
Basic Authentication
Static Password File
Static Token File
We can create list of users with their passwords as a csv file:
Then pass the csv file name as an option to the kube-apiserver then restart manually
Or using the kubeadm tool in the /etc/kubernetes/manifests/kube-apiserver.yaml file which will be restarted automatically by the kubeadm tool
To authenticate user using the basic credentials while accessing the kube-apiserver, specify the user and password
We can have a 4th column to specify a group
Also, if we are using tokens instead of password, we must add it to the csv file and use the token as bearer in the request header
This is not the recommended approach for authentication as it stores plain text information
Consider volume mount while providing the auth file in a kubdeadm setup
TLS Basics
A certificate is used to guarantee trust between two parties during a transaction, for example:
If user tries to access a web server, TLS certificates ensure the traffic between user and web server is encrypted and the web server is who it says it is.
To solve this issue, we use asymmetric encryption to generate public and private keys using OpenSSL
Let's view what happens:
User requests the web server on HTTPS
The web server sends a public key to the user
The user browser encrypts the symmetric key using the public key sent by the webserver
The user then sends his message (encrypted with symmetric key) which is also encrypted with public key of the server
The server receives the message and decrypts it using its private key
The hacker only has a public key and encrypted data which he can't do anything with them.
To solve this issue, here is where the certificates play a crucial role, so when we request to the server on HTTPS and receive its public key.
We can inspect the public key and see its certificate which includes information like:
Public key of server
Location of server
Who is the certificate for
DNS Information etc...
Most important part to verify a certificate is to check who signed and issued the certificate
How do we get our certificates to be signed by an authority?
That's where Certificate Authorities (CA) comes into play, some popular authorities includes:
Symantec
Comodo
GlobalSign
digicert
The process of signing a certificate by an authority is:
Generate a certificate signing request (CSR) using key we generated earlier and name of our website
Authority validates the information you sent
Certificate is signed and sent back to you
Let's say we have sites hosted privately for our organization, what shall we do?
CAs offers private hosting of their servers, we can deploy the CA server internally and then have the public key of out internal CA server installed on all employees browsers and establish secure connectivity in the organization.
In summary:
Admin generates a key pair for securing SSH
Web server generates a key pair for securing the website with HTTPS
CA generates its own key pairs to sign certificates
End users generates a single symmetric key to encrypt his credentials and uses it after establishing trust to the webserver to send his credentials for authentication
Naming Conventions
server.crt = server public key etc...
server.key = server private key etc...
TLS in Kubernetes
Communication between Master and worker nodes must be secure, also when an admin uses the kubectl utility to communicate with kube-apiserver it must be secure. Overall all communications between Kubernetes components must be secure.
So the 2 primary requirements are:
Server certificates for servers
Client certificates for clients
Let's start with the server components which uses TLS certificates.
Server Certificates for servers
Server private and public key naming convention may differ depending on who and how the cluster was setup
KubeAPI server
Lets start with kube-apiserver which exposes an https service that other components and external users use to manage the Kubernetes cluster.
ETCD server
Kubelet server
Client Certificates for clients
Clients are admins or components who needs access to the kube-apiserver through kubectl or rest API.
Admins
Lets start with the admin which must have key-pairs to talk to the kube-apiserver and authenticate
Scheduler
The scheduler needs to communicate with the kube-apiserver to get pods who needs scheduling, which it must have key-pairs to authenticate
Kube Controller Manager
Kube Proxy
This picture below summarizes everything regarding certificates for both client and server:
Certificate Generation
To generate certificates we must have at least one CA in our cluster, in fact we can have more than one:
CA for server
CA for client
For now, we'll just stick to one CA for our cluster.
We will use OpenSSL utility to generate our certificates
Generate key:
openssl genrsa -out ca.key 2048 # ca.keyCertificate Signing Request:
openssl -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csrSign Certificates:
openssl x509 -req -in ca.csr -signkey ca.key -out ca.csr # Self-signed
To generate client certificates starting with admin
Generate key:
openssl genrsa -out admin.key 2048Certificate Signing Request:
openssl req -new -key admin.key -subj "CN=kube-admin/OU=system:masters" -out admin.csrTo distinguish admins from normal users, we must put the admin user in a group, and mention it in the Certificate Signing Request as /OU=<group-name>
For client system components such as scheduler/controller manager/kube-proxy, we must include a prefix to their certificate name (CN) like "CN=SYSTEM:kube-scheduler"
CN=kube-admin doesn't have to be kube-admin, you can name it as you like, but remember this is the name that kubectl client authenticates with and can be found in logs and elsewhere
Sign Certificates:
openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -out admin.crt # admin.crt is the certificate that will be used to authenticate to kubernetes cluster
Now, instead of authenticating with username and password/token, we can use the kube-admin certificate we generated and put it in the kubeconfig yaml to authenticate with it:
kubeconfig yaml to authenticate with it:
Or using curl (not recommended):
Peer Certificates
Lets take ETCD server as an example, ETCD can be deployed as a cluster across multiple server in a high availability environment, so we need to generate peer certificates to secure communication between different ETCD members in the cluster.
ETCD config requires the CA root certificate to verify the client connecting to ETCD are valid
KubeAPI server
Some common names given to kube-apiserver are:
kubernetes
kubernetes.default
kubernetes.default.svc
kubernetes.default.svc.cluster.local
By its IP address
To generate a certificate to the kube-apiserver
openssl genrsa -out apiserver.key 2048To consider all alternative names to offer flexibility in establishing connection to kube-apiserver, create an openssl.cnf file
Then pass it as a config when generating the certificate signing request
openssl req -new -key apiserver.key -subj "/CN=kube-apiserver" -out apiserver.csr -config openssl.cnfopenssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -out apiserver.crtSpecify these keys in the kube-apiserver service configuration
Kubelets
Certificates created for kubelet are named based on the node they are on.
We also mentioned a set of client certificates that will be used by kubelet to authenticate to kube-apiserver. The kube-apiserver needs to know which node is authenticating (use prefix of node name) to give it right set of permissions using the group.
Once certificates are generated they go to kubeconfig file.
View Certificate Details
To check certificate details, lets start with kube-apiserver as an example:
View the kube-apiserver static pod definition found in /etc/kubernetes/manifests/kube-apiserver/yaml
Then to inspect a certain certificate, use the openssl x509 command
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout
Certificate requirements are found in Kubernetes docs in details
When you run into issues, you want to start looking at the service logs:
kubectl logs etcd-masterSometimes if the core components such as kubeapi-server/etcd-server is down, kubectl won't function, so you need to go one level down to docker:
docker ps -a
docker logs <container-id>Lab:
I was asked to give the CN Name of kubeAPI server certificate, I chose the Issuer CN instead of the Subject CN which is wrong.
Most used command:
openssl x509 -in <cert-path> -text -noout # Get certificate informationChecking the certificate paths and its name if its correct or not, then check the static pod definition to fix the issue.
Utilize crictl to troubleshoot if kubectl is not working due to kube-apiserver or etcd server are down.
crictl ps -a # | grep kubeapi if needed
crictl logs <container-id>
It appeared to be the wrong path of --etcd-cafile, which must be /etc/kubernetes/pki/etcd/ca.crt
Certificates API
The CA is whatever server that has the key pairs which we can sign certificates with, in our case its the master node.
Whenever a certificate expires, we need to do same steps to re-generate them, this can be inefficient as we scale, so Kubernetes helps us by providing a certificate API.
Instead of manually entering the master node and signing the certificates ourselves, we could:
Create CertificateSigningRequest object
Review requests
Approve requests
Share certificates to users
Lets take an example:
A user creates a key and then generates a certificate signing request using the key with his name on it
Then users sends this request to the admin
Admin takes the key and creates a CertificateSigningRequest object using yaml definition
The request must be encoded with base64 before adding it to the request in definition yaml using cat jane.csr | base64
Once the object is created, admin can see it using
kubectl get csrAdmin can then approve the csr using
kubectl certificate approve janeAdmin then
kubectl get csr jane -o yamland decode it usingecho "encoded-cert>" | base64 -dand share it with the end user
Lab:
The main issue here is doing the CertificateSigningRequest object, specially that in docs it was given as a cat command.
Also when encoding the csr, by default base64 prints it line by line, to make it work use this command:
cat akshay.csr | base64 -w 0
Make sure to utilize dd for delete entire line and u for undo in vim, also to copy the whole base64 output with the "="
Kubeconfig
Kubeconfig is set by default in the $HOME/.kube/config directory and kubectl uses it without you specifying the config path with the command you enter.
To create a kubeconfig, it can be created using a pod definition yaml as shown below:
Regarding certificates, you must specify full path, also you could use certificate-authority-data instead to paste the base64 encoded certificate.
To view current context (The user and cluster you are using):
kubectl config current-contextTo view all the config:
kubectl config view
kubectl config view --kubeconfig=custom-configTo use another context:
kubectl config use-context prod-user@production # use new cluster and user
kubectl config use-context prod-user # use new user, samse cluster
kubectl config use-context production # use new cluster, same user
kubectl config -h # Additional commandsYou also can add a namespace in the context definition yaml, so you can switch to a new context with the namespace you added:
Lab:
The kubeconfig context definition in the yaml already have a name which specifies what cluster we must access and with what user, so if we want to change and use the research current context we should run:
kubectl config use-context research
API Groups
Core API Groups:
Named API groups:
You won't be allowed to curl like that, so you need to use your credentials as parameters to authenticate to the API
As an alternative, you could start a kubectl proxy that uses your credentials from kubeconfig and then curl localhost:8001
Key Takeaways
All resources in Kubernetes are grouped into different API groups
Authorization
There are different authorization mechanisms in Kubernetes:
Node Authorization
Attribute Based Authorization (ABAC)
Role Based Authorization (RBAC)
Webhook
Node Authorization
Node authorization is a special-purpose authorization mode that specifically authorizes API requests made by kubelets.
In Kubernetes Node Authorization, a "user" refers to a system component, such as a kubelet, rather than a human operator.
The kubelet acts on behalf of a node, making requests to the KubeAPI server. The Node Authorizer processes these requests, determining access based on the node's identity and the resources it needs.
Kubelets are registered as "users" within the SYSTEM:NODE group.
Each kubelet's username is prefixed with SYSTEM:NODE, distinguishing their identity for authorization purposes.
This framework ensures that kubelets requests are appropriately authorized by the node authorizer.
ABAC
ABAC is meant for external access to the kube-apiserver which are for instance admins/developers.
ABAC is to associate a user or a group of users a set of permissions by creating a permission file in a json format and passing it to the kube-apiserver:
Every time you need to add/change policies you must edit this policy file manually and restart kubeapi-server, which is not efficient and difficult to manage.
RBAC
Instead of directly assigning a policy to a user or group of users, we define a role (for developers in our case) and then assign all developers for this role.
So we only need to modify the role instead of modifying every single policy file.
Webhook
For outsourcing the authorization mechanism, we could use 3rd party tool like Open Policy Agent.
Kubernetes make an API call to Open Policy Agent with information about user and his access requirements and let Open Policy Agent decide if he's permitted or not.
Based on the Open Policy Agent response, the user is granted access.
Authorization Modes
The authorization mode is a configuration parameter option specified in the kube-apiserver configuration.
We didn't mention 2 Authorization mechanisms which are AlwaysAllow and AlwaysDeny
By default, the authorization mode is set to AlwaysAllow
When we specify more than one mechanism, they will get executed by order.
If Node authorizer fails to grant permission, it will move to RBAC, if RBAC grants the permission it returns to user and webhook authorization is not used.
Role Based Access Controls
We can create an RBAC using an object definition yaml:
Next step is to link user to that role, which we must create a Role Binding object definition:
To view all roles and role bindings:
kubectl get roles
kubectl get rolebindingsTo check our current access, we can run:
kubectl auth can-i create deployments
yes
kubectl auth can-i delete nodes
no
etc...If you're an admin and want to check your users permissions, you can:
kubectl auth can-i create deployments --as dev-user
no
kubectl auth can-i delete nodes --as dev-user --namespace test # In namespace test
yesLab:
When adding additional rules (specially different api groups such as apps, storage etc...)
To get all resources information which is so useful for RBAC:
kubectl api-resources # Utilize grep to look for certain resourcesCluster Roles & Role Bindings
There are two types of resources in kubernetes:
Namespaced: Within a namespace, usually kube-system for system components and default for normal resources such as pods, deployments.
Cluster Scoped: Within the whole cluster and they are not in a namespace.
To view all resources that are namespaced:
kubectl api-resources --namespaced=true # --namespaced=false if you want cluster scoped resourcesCluster Roles
They are regular roles but only for cluster scoped resources.
Lab:
Everything went well, the most useful thing I wasn't utilizing is:
kubectl api-resourcesAlso, make sure to check if the APIVERSION, if its v1 then in the definition yaml make sure the apiGroup: [""] is written like this, if its a deployment (apps) then apiGroup: ["apps]
Service Accounts
There are 2 types of accounts in kubernetes:
User accounts: Are used by humans, Administrators for management or developers for deploy an application
Service accounts: Are used by bots, for example Prometheus to gather metrics for alerts and visualize it on a dashboard by quertying the kube-apiserver (needs authentication)
To create service accounts:
kubectl create serviceaccount prometheus-sa
kubectl get serviceaccountThe token created by the service account is in fact a secret which can be viewed by running:
kubectl get secrets
kubectl describe secret prometheus-sa-tokenA new update to serviceaccounts was introduced which changed how it works, a TokenRequest API was introducted which now offers JWT expiration and other security enhancements, the old way of serviceaccounts tokens didn't have an expiration date and they were created automatically which is not the case now.
kubectl create serviceaccount prometheus-saAnd to create a token as its not generated automatically:
kubectl create token prometheus-saAlthough post v1.24 you can still create a non-expiry token using a secret object definition, but this is not recommended at all and if you did it, make sure to create the service account first.
Lab:
I had to concentrate on how to include a serviceaccount in a deployment definition:
Also, I could have used:
kubectl set serviceaccount deployment web-dashboard dashboard-saImage Security
When specifying images in pod object definition yaml such as image: nginx it is in fact like this behind the scenes:
image: nginx it is in fact like this behind the scenes:
You may have your own set of images that are stored in your private repository, whether its docker hub, ECR or other registries.
When an image is private and you want to pull it, you must authenticate to the registry first, this can be done in kubernetes as follows:
We create a secret object with our registry URL, username and password
kubectl create secret docker-registry regcred --docker-server private-registry.io --docker-username registry-user --docker-password registry-password --docker-email register-user@org.comThen we specify the private image URL and the secret so kubelet on worker nodes can use this secret to pull your private image
Lab (Review):
The most critical mistake I did is thinking that the imagePullSecrets is under containers: and its not correct, it must be under spec:
Security Context
Containers aren't fully isolated like virtual machines, they share same kernel with host.
Containers are in their own namespaces and they can't see anything outside this namespace.
By default, docker runs processes as root user, if you want to change the user from root to a normal user:
docker run --user=1000 ubuntu sleep 60Or you can specify the user ID within the docker image itself
Docker limits some of these capabilities by default, although you can add or drop capabilities:
docker run --cap-add NET_BIND ubuntu # Add NET_BIND capability
docker run --cap-drop NET_BIND ubuntu # Remove NET_BIND capability
docker run --priviliged ubuntu # Include all capabilitiesYou can configure all of these at a pod-level in an object definition yaml within kubernetes using securityContext
At a pod level:
At a container level:
Capabilities are only supported at the container level and not at the pod level
Lab:
There was a syntax issue and I faced a problem where I edited the pod and made sure I added the securityContext but whenever I created it, it was created without security context, so I had to delete it and do another pod with the requirements.
Useful commands that must be used:
kubectl delete pod ubuntu-sleeper --force
kubectl create pod ubuntu-sleeper.yamlkubectl apply caused problems, specially when dealing with pods, so lets move to kubectl create if problems were faced with apply
Also, It's important to note the difference between pod level and container level, pod level is under spec: and above containers:, container level is under containers:
Container level securityContext overrides pod level securityContext
Network Policy
Let's say we have:
Web Frontend Pod
Backend Pod
DB Pod
And we are required to create a network policy for the DB Pod to allow only Ingress traffic from the Backend pod at port 3306.
Now, DB pod only allow ingress traffic from the backend pod on port 3306 and blocks all others.
To create a network policy:
Create a label and a selector in the DB pod
Create the policy rule
Create the policy object definition and pass both label, selector and the policy rule
In the policy type we defined Ingress type only, so egress is not affected and its by default allowing all egress traffic. If needed add egress rule too.
Also If you want to include same pods ingress rule in different namespaces, you can add a namepsaceSelector:
namepsaceSelector:
If we add a -namespaceSelector and make it under the from: it will be 2 rules not connected together (api-pod is allowed from anywhere, all pods in namespace prod are allowed), in the given example above it means that pod must be api-pod and in prod namespace
This will allow all pods named api-pod in the prod namespace to access the DB at port 3306, if we removed the api-pod then it will allow all pods within the prod namespace.
If you want to allow certain IP addresses traffic, you could specify an ipBlock:
ipBlock:
Also, we could specify an agress rules as follows:
This will allow all traffic at port 80 originating from the DB pod to the backup server at the CIDR block addresses given.
Lab:
I must change the matchLabels: role:db to the label in the pod that I want to write the policy for:
matchLabels: role:db to the label in the pod that I want to write the policy for:
Here is my final policy:
And here is how the k8s docs helped:
Kubectx & Kubens
Kubectx
With this tool, you don't have to make use of lengthy “kubectl config” commands to switch between contexts. This tool is particularly useful to switch context between clusters in a multi-cluster environment.
Installation:
sudo git clone https://github.com/ahmetb/kubectx /opt/kubectxsudo ln -s /opt/kubectx/kubectx /usr/local/bin/kubectxSyntax:
To list all contexts:
kubectx
To switch to a new context:
kubectx <context_name>
To switch back to previous context:
kubectx -
To see current context:
kubectx -c
Kubens
This tool allows users to switch between namespaces quickly with a simple command.
Installation:
sudo git clone https://github.com/ahmetb/kubectx /opt/kubectxsudo ln -s /opt/kubectx/kubens /usr/local/bin/kubensSyntax:
To switch to a new namespace:
kubens <new_namespace>
To switch back to previous namespace:
kubens -
Slides
Last updated