Kubernetes Cluster Security Primitives - Managing Master Node from Workstation

We will create a workstation for you to administer your cluster without logging in to the Kubernetes master server.

First, look at the kubeconfig the master already holds (the cluster CA and the kubernetes-admin client certificate):

Master Node:
------------

[root@centos7 ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.2.130:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
[root@centos7 ~]#
[root@centos7 ~]# cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: (base64 certificate blob omitted)
    server: https://192.168.2.130:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: (base64 certificate blob omitted)
    client-key-data: (base64 private key blob omitted)
[root@centos7 ~]#
[root@centos7 ~]# kubectl config set-credentials admin --username=admin --password=password
User "admin" set.
[root@centos7 ~]#
[root@centos7 ~]# kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=cluster-admin --user=system:anonymous
clusterrolebinding.rbac.authorization.k8s.io/cluster-system-anonymous created
[root@centos7 ~]#

Note on what this binding does: a kubeadm API server has no basic-auth authenticator, so the username/password the "admin" user sends are not checked and the request is evaluated as system:anonymous. The binding above maps that identity to cluster-admin, which is the only reason the workstation's "admin" user can reach the API server later in this post; every unauthenticated request to https://192.168.2.130:6443 now gets the same rights.

[root@centos7 ~]# cd /etc/kubernetes/pki/
[root@centos7 pki]#
[root@centos7 pki]# ls -lrth
total 56K
-rw------- 1 root root 1.7K Jun  3 19:29 ca.key
-rw-r--r-- 1 root root 1.1K Jun  3 19:29 ca.crt
-rw------- 1 root root 1.7K Jun  3 19:29 apiserver.key
-rw-r--r-- 1 root root 1.2K Jun  3 19:29 apiserver.crt
-rw------- 1 root root 1.7K Jun  3 19:29 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1.1K Jun  3 19:29 apiserver-kubelet-client.crt
-rw------- 1 root root 1.7K Jun  3 19:29 front-proxy-ca.key
-rw-r--r-- 1 root root 1.1K Jun  3 19:29 front-proxy-ca.crt
-rw------- 1 root root 1.7K Jun  3 19:29 front-proxy-client.key
-rw-r--r-- 1 root root 1.1K Jun  3 19:29 front-proxy-client.crt
drwxr-xr-x 2 root root  162 Jun  3 19:30 etcd
-rw------- 1 root root 1.7K Jun  3 19:30 apiserver-etcd-client.key
-rw-r--r-- 1 root root 1.1K Jun  3 19:30 apiserver-etcd-client.crt
-rw------- 1 root root  451 Jun  3 19:30 sa.pub
-rw------- 1 root root 1.7K Jun  3 19:30 sa.key
[root@centos7 pki]#

Copy to WorkStation (192.168.2.133)
-------------------------------------

Only the public CA certificate (ca.crt) is copied; the private keys stay on the master.

[root@centos7 pki]# scp ca.crt admin@192.168.2.133:~/
The authenticity of host '192.168.2.133 (192.168.2.133)' can't be established.
ECDSA key fingerprint is SHA256:uImodzAY8g3iu7IcbnQhbNo1J5WFZZciTDzWqmi5d08.
ECDSA key fingerprint is MD5:02:7d:55:43:91:99:3a:d5:06:68:25:28:9e:db:05:66.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.133' (ECDSA) to the list of known hosts.
admin@192.168.2.133's password:
ca.crt                                   100% 1025   593.6KB/s   00:00
[root@centos7 pki]#

Login to WorkStation (192.168.2.133) and Install Kubectl software
-------------------------------------------------------------------

[root@centos7-ws ~]# cat /etc/hosts
127.0.0.1     localhost localhost.localdomain localhost4 localhost4.localdomain4
::1           localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.2.133 centos7-ws.localdomain centos7-ws
192.168.2.130 centos7.localdomain centos7
[root@centos7-ws ~]#
[root@centos7-ws ~]# setenforce 0
[root@centos7-ws ~]# sed -i --follow-symlinks 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
[root@centos7-ws ~]# firewall-cmd --state
not running
[root@centos7-ws ~]# modprobe br_netfilter
[root@centos7-ws ~]# echo '1' > /proc/sys/net/bridge/bridge-nf-call-iptables
[root@centos7-ws ~]# cat <<EOF > /etc/yum.repos.d/kubernetes.repo
> [kubernetes]
> name=Kubernetes
> baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
> enabled=1
> gpgcheck=1
> repo_gpgcheck=1
> gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
>        https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
> EOF
[root@centos7-ws ~]#
[root@centos7-ws ~]# yum install -y kubectl
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.steadfastnet.com
 * extras: mirror.dal.nexril.net
 * updates: repos-tx.psychz.net
kubernetes/signature                                     | 454 B  00:00:00
Retrieving key from https://packages.cloud.google.com/yum/doc/yum-key.gpg
Importing GPG key 0xA7317B0F:
 Userid     : "Google Cloud Packages Automatic Signing Key "
 Fingerprint: d0bc 747f d8ca f711 7500 d6fa 3746 c208 a731 7b0f
 From       : https://packages.cloud.google.com/yum/doc/yum-key.gpg
Retrieving key from https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
kubernetes/signature                                     | 1.4 kB 00:00:00 !!!
kubernetes/primary                                       |  69 kB 00:00:00
kubernetes                                                              505/505
Resolving Dependencies
--> Running transaction check
---> Package kubectl.x86_64 0:1.18.3-0 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch          Version            Repository           Size
================================================================================
Installing:
 kubectl          x86_64        1.18.3-0           kubernetes           9.5 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 9.5 M
Installed size: 42 M
Downloading packages:
warning: /var/cache/yum/x86_64/7/kubernetes/packages/cd5d6980c3e1b15de222db08729eff40f7031b7fa56c71ae3e28e420ba9678cd-kubectl-1.18.3-0.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID 3e1ba8d5: NOKEY
Public key for cd5d6980c3e1b15de222db08729eff40f7031b7fa56c71ae3e28e420ba9678cd-kubectl-1.18.3-0.x86_64.rpm is not installed
cd5d6980c3e1b15de222db08729eff40f7031b7fa56c71ae3e28e420ba9678cd-kubectl-1.18.3-0.x86_64.rpm | 9.5 MB 00:00:05
Retrieving key from https://packages.cloud.google.com/yum/doc/yum-key.gpg
Importing GPG key 0xA7317B0F:
 Userid     : "Google Cloud Packages Automatic Signing Key "
 Fingerprint: d0bc 747f d8ca f711 7500 d6fa 3746 c208 a731 7b0f
 From       : https://packages.cloud.google.com/yum/doc/yum-key.gpg
Retrieving key from https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
Importing GPG key 0x3E1BA8D5:
 Userid     : "Google Cloud Packages RPM Signing Key "
 Fingerprint: 3749 e1ba 95a8 6ce0 5454 6ed2 f09c 394c 3e1b a8d5
 From       : https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : kubectl-1.18.3-0.x86_64                                      1/1
  Verifying  : kubectl-1.18.3-0.x86_64                                      1/1

Installed:
  kubectl.x86_64 0:1.18.3-0

Complete!
[root@centos7-ws ~]# su - admin
[admin@centos7-ws ~]$ ls -lrth
total 4.0K
-rw-r--r--. 1 admin admin 1.1K Jun  5 12:47 ca.crt
[admin@centos7-ws ~]$

Check the Kubectl version:
--------------------------

The server error below is expected at this point: the admin user has no kubeconfig yet, so kubectl falls back to localhost:8080.

[admin@centos7-ws ~]$ kubectl version
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.3", GitCommit:"2e7996e3e2712684bc73f0dec0200d64eec7fe40", GitTreeState:"clean", BuildDate:"2020-05-20T12:52:00Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}
The connection to the server localhost:8080 was refused - did you specify the right host or port?
[admin@centos7-ws ~]$

Now build the kubeconfig on the workstation: the cluster entry pins the API server to the copied ca.crt (--embed-certs=true stores it inline), the user entry carries the admin credentials, and a context ties the two together.

[admin@centos7-ws ~]$ kubectl config set-cluster kubernetes --server=https://192.168.2.130:6443 --certificate-authority=ca.crt --embed-certs=true
Cluster "kubernetes" set.
[admin@centos7-ws ~]$
[admin@centos7-ws ~]$ kubectl config set-credentials admin --username=admin --password=password
User "admin" set.
[admin@centos7-ws ~]$
[admin@centos7-ws ~]$ kubectl config set-context kubernetes --cluster=kubernetes --user=admin --namespace=default
Context "kubernetes" created.
[admin@centos7-ws ~]$
[admin@centos7-ws ~]$ kubectl config use-context kubernetes
Switched to context "kubernetes".
[admin@centos7-ws ~]$

Check the Kubernetes Cluster:
-----------------------------

[admin@centos7-ws ~]$ kubectl get nodes
NAME         STATUS   ROLES    AGE   VERSION
centos7      Ready    master   40h   v1.18.3
centos7-w1   Ready    <none>   40h   v1.18.3
centos7-w2   Ready    <none>   40h   v1.18.3
[admin@centos7-ws ~]$
[admin@centos7-ws ~]$ kubectl get nodes -o wide
NAME         STATUS   ROLES    AGE   VERSION   INTERNAL-IP     EXTERNAL-IP   OS-IMAGE                KERNEL-VERSION               CONTAINER-RUNTIME
centos7      Ready    master   40h   v1.18.3   192.168.2.130   <none>        CentOS Linux 7 (Core)   3.10.0-1062.el7.x86_64   docker://19.3.11
centos7-w1   Ready    <none>   40h   v1.18.3   192.168.2.131   <none>        CentOS Linux 7 (Core)   3.10.0-1062.el7.x86_64   docker://19.3.11
centos7-w2   Ready    <none>   40h   v1.18.3   192.168.2.132   <none>        CentOS Linux 7 (Core)   3.10.0-1062.el7.x86_64   docker://19.3.11
[admin@centos7-ws ~]$
[admin@centos7-ws ~]$ kubectl get pods -o wide
NAME                         READY   STATUS    RESTARTS   AGE   IP            NODE         NOMINATED NODE   READINESS GATES
busybox                      1/1     Running   0          24m   10.244.2.52   centos7-w2   <none>           <none>
kubeserve-6b65f9d76d-9k8jf   1/1     Running   1          11h   10.244.2.50   centos7-w2   <none>           <none>
kubeserve-6b65f9d76d-hjvq7   1/1     Running   1          11h   10.244.1.48   centos7-w1   <none>           <none>
kubeserve-6b65f9d76d-lr6qp   1/1     Running   1          11h   10.244.2.47   centos7-w2   <none>           <none>
myreplicaset-66h6j           1/1     Running   1          11h   10.244.2.51   centos7-w2   <none>           <none>
myreplicaset-jllkz           1/1     Running   1          11h   10.244.2.49   centos7-w2   <none>           <none>
myreplicaset-qktmw           1/1     Running   1          11h   10.244.1.50   centos7-w1   <none>           <none>
nginx-f89759699-85wrf        1/1     Running   1          11h   10.244.2.48   centos7-w2   <none>           <none>
nginx-f89759699-dbht5        1/1     Running   1          11h   10.244.1.55   centos7-w1   <none>           <none>
pref-646c88c576-5tzfc        1/1     Running   1          11h   10.244.1.54   centos7-w1   <none>           <none>
pref-646c88c576-fgl8h        1/1     Running   1          11h   10.244.1.52   centos7-w1   <none>           <none>
pref-646c88c576-nxjmw        1/1     Running   1          11h   10.244.1.51   centos7-w1   <none>           <none>
pref-646c88c576-wr8vw        1/1     Running   1          11h   10.244.1.49   centos7-w1   <none>           <none>
pref-646c88c576-x6vrp        1/1     Running   1          11h   10.244.1.53   centos7-w1   <none>           <none>
web-0                        0/1     Pending   0          15h   <none>        <none>       <none>           <none>
[admin@centos7-ws ~]$
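The access shown above works because of the cluster-system-anonymous binding created on the master, and bindings of that kind are easy to lose track of. The following audit script is an added example, not part of this post: it reads the JSON that `kubectl get clusterrolebindings -o json` produces and lists every ClusterRoleBinding whose subjects include system:anonymous or the system:unauthenticated group; the embedded JSON is a constructed sample (the page's binding, the API server's default public-info-viewer binding, and the default cluster-admin binding), and in real use the live output would be passed in instead.

```python
import json

# Subjects that stand for requests the API server could not authenticate.
ANONYMOUS_SUBJECTS = {
    ("User", "system:anonymous"),
    ("Group", "system:unauthenticated"),
}

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`:
# the binding created in this post plus two bindings every cluster ships with.
SAMPLE_BINDINGS = json.dumps({
    "apiVersion": "v1", "kind": "List", "items": [
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "cluster-system-anonymous"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "User", "name": "system:anonymous"}]},
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "system:public-info-viewer"},
         "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"},
                      {"kind": "Group", "name": "system:unauthenticated"}]},
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "cluster-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
    ]})


def anonymous_bindings(bindings_json):
    """Return (binding name, role name, subject name) for every binding whose
    subjects include an unauthenticated identity; cluster-admin grants sort
    first so the finding that matters most is at the top of the list."""
    findings = []
    for item in json.loads(bindings_json).get("items", []):
        role = item["roleRef"]["name"]
        # "subjects" is null (not an empty list) when a binding has no subjects.
        for subject in item.get("subjects") or []:
            if (subject.get("kind"), subject.get("name")) in ANONYMOUS_SUBJECTS:
                findings.append((item["metadata"]["name"], role, subject["name"]))
    return sorted(findings, key=lambda f: (f[1] != "cluster-admin", f[0]))


if __name__ == "__main__":
    for name, role, subject in anonymous_bindings(SAMPLE_BINDINGS):
        print(f"{name}: grants {role} to {subject}")
```

The default public-info-viewer binding is expected on every cluster and only exposes version and health endpoints; the cluster-admin hit is the one that needs review.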
Saturday, June 6, 2020