kubernetes-security

Is kubectl port-forward encrypted?

大城市里の小女人 submitted on 2020-12-04 18:30:46
Question: I couldn't find any information on whether the connection created between a cluster's pod and localhost is encrypted when running the "kubectl port-forward" command. It seems like it uses the "socat" library, which supports encryption, but I'm not sure if Kubernetes actually uses it.
Answer 1: As far as I know, when you port-forward the port of choice to your machine, kubectl connects to one of the masters of your cluster, so yes, normally communication is encrypted. How your master communicates to the pod though

kubernetes PodSecurityPolicy set to runAsNonRoot, container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root

不想你离开。 submitted on 2020-12-01 09:54:26
Question: kubernetes PodSecurityPolicy set to runAsNonRoot, pods are not getting started after that. Getting error:
Error: container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root
We are creating the user (appuser) uid -> 999 and group (appgroup) gid -> 999 in the docker container, and we are starting the container with that user. But the pod creation is throwing an error.
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 53s

No access token in .kube/config

允我心安 submitted on 2020-02-24 04:13:57
Question: After upgrading my cluster in GKE the dashboard will no longer accept certificate authentication. No problem, there's a token available in the .kube/config, says my colleague:
user:
  auth-provider:
    config:
      access-token: REDACTED
      cmd-args: config config-helper --format=json
      cmd-path: /home/user/workspace/google-cloud-sdk/bin/gcloud
      expiry: 2018-01-09T08:59:18Z
      expiry-key: '{.credential.token_expiry}'
      token-key: '{.credential.access_token}'
    name: gcp
Except in my case there isn't...
user: auth

Multiple Certification Authority certificates (?)

蓝咒 submitted on 2020-01-03 03:26:04
Question: I have created a kubernetes cluster on aws using kops. Unless I am wrong, the ca.crt and ca.key files are in the following locations as indicated by this very helpful answer:
- s3://<BUCKET_NAME>/<CLUSTER_NAME>/pki/private/ca/*.key
- s3://<BUCKET_NAME>/<CLUSTER_NAME>/pki/issued/ca/*.crt
However, I couldn't help noticing that in my ~/.kube/config file (which was created automatically by kops), I have an entry named: certificate-authority-data whose contents are different than both of the

Restricted Kubernetes dashboard?

拟墨画扇 submitted on 2020-01-02 08:05:18
Question: Is it possible to have a restricted Kubernetes dashboard? The idea is to have a pod running kubectl proxy in the cluster (protected with basic HTTP authentication) to get a quick overview of the status:
- Log output of the pods
- Running services and pods
- Current CPU/memory usage
However, I do not want users to be able to do "privileged" actions, like creating new pods, deleting pods or accessing secrets. Is there some option to start the dashboard with a specified user or with restricted

Where can I get a list of Kubernetes API resources and subresources?

旧巷老猫 submitted on 2020-01-01 08:48:23
Question: I am trying to configure Kubernetes RBAC in the least-permissive way possible and I want to scope my roles to specific resources and subresources. I've dug through the docs and can't find a concise list of resources and their subresources. I'm particularly interested in the subresource that governs a part of a Deployment's spec--the container image.
Answer 1: Using kubectl api-resources -o wide shows all the resources, verbs and associated API-group.
$ kubectl api-resources -o wide
NAME

k8s gce1.8.7 - pods is forbidden - Unknown user system:serviceaccount:default:default

不问归期 submitted on 2019-12-24 17:08:10
Question: I have a mongo database in the gce (config see below). When I deploy it to 1.7.12-gke.1 everything works fine, which means the sidecar resolves the pods and links them. Now when I deploy the same configuration to 1.8.7-gke.1 it results in missing permissions to list pods, see below. I don't get the point what has changed. I assume I need to assign specific permissions to the user account, is that right? What am I missing? Error log message: 'pods is forbidden: User "system:serviceaccount