쿠버4탄-11. K8S- 보안 , 종료
11/11
본 내용은 CloudNet 에서 진행하는 주말 스터디에 참여하여 해당 내용을 참고로 작성되었습니다.
https://gasidaseo.notion.site/gasidaseo/CloudNet-Blog-c9dfa44a27ff431dafdd2edacc8a1863
<1> polaris 보안 점검툴
<2> 조치
<3> 보안 위배시 배포 안되는거 확인 하기
<4> CLI로 polaris 사용 가능
<5> 정리
<1> polaris 보안 점검툴
1
소개 및 설치 : 오픈소스 보안 점검 도구, Polaris is an open source policy engine for Kubernetes that validates and remediates resource configuration
https://artifacthub.io/packages/helm/fairwinds-stable/polaris
2
# 설치
kubectl create ns polaris
#
cat <<EOT > polaris-values.yaml
dashboard:
replicas: 1
service:
type: LoadBalancer
EOT
# 배포
helm repo add fairwinds-stable https://charts.fairwinds.com/stable
helm install polaris fairwinds-stable/polaris --namespace polaris --version 5.7.2 -f polaris-values.yaml
# CLB에 ExternanDNS 로 도메인 연결
kubectl annotate service polaris-dashboard "external-dns.alpha.kubernetes.io/hostname=polaris.$KOPS_CLUSTER_NAME" -n polaris
# 웹 접속 주소 확인 및 접속
echo -e "Polaris Web URL = http://polaris.$KOPS_CLUSTER_NAME"
----------------------------------
polaris.masterseo1.link
(10분 걸림)
3
https://polaris.docs.fairwinds.com/checks/security/
https://polaris.docs.fairwinds.com/checks/efficiency/
https://polaris.docs.fairwinds.com/checks/reliability/
https://polaris.docs.fairwinds.com/checks/reliability/
검사항목 상세
https://github.com/FairwindsOps/polaris/tree/master/checks
<2> 조치
https://hub.docker.com/r/nicolaka/netshoot/tags
# 기존 netshoot-pod 삭제
kubectl delete deploy netshoot-pod
# netshoot-pod 1대 생성
cat <<EOF | kubectl create -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: netshoot-pod
spec:
replicas: 1
selector:
matchLabels:
app: netshoot-pod
template:
metadata:
labels:
app: netshoot-pod
spec:
containers:
- name: netshoot-pod
image: nicolaka/netshoot:v0.9
command: ["tail"]
args: ["-f", "/dev/null"]
terminationGracePeriodSeconds: 0
EOF
3
2개로 조치해야 함.
2개로 변경
#
kubectl scale deployment netshoot-pod --replicas 2
책 참고해보자!!
4
netshoot-pod 에 보안 모범 사례 적용
# 삭제
kubectl delete deploy netshoot-pod
# netshoot-pod 생성
cat <<EOF | kubectl create -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: netshoot-pod
spec:
replicas: 2
selector:
matchLabels:
app: netshoot-pod
template:
metadata:
labels:
app: netshoot-pod
spec:
containers:
- name: netshoot-pod
image: nicolaka/netshoot:v0.9
command: ["tail"]
args: ["-f", "/dev/null"]
imagePullPolicy: Always
resources:
limits:
cpu: 150m
memory: 512Mi
requests:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
#runAsNonRoot: true
terminationGracePeriodSeconds: 0
EOF
5
삭제
kubectl delete deploy netshoot-pod
<3> 보안 위배시 배포 안되는거 확인 하기
1
webhook 활성화 후 테스트
https://polaris.docs.fairwinds.com/infrastructure-as-code/
2
모니터링
3
# webhook 활성화 적용 = 보안 위배 됨
helm upgrade polaris fairwinds-stable/polaris --namespace polaris --version 5.7.2 --reuse-values --set webhook.enable=true
kubectl get pod,svc -n polaris
4
취약한 파드 배포 시도
=> 배포 안됨
# netshoot-pod 1대 생성
cat <<EOF | kubectl create -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: netshoot-pod
spec:
replicas: 1
selector:
matchLabels:
app: netshoot-pod
template:
metadata:
labels:
app: netshoot-pod
spec:
containers:
- name: netshoot-pod
image: nicolaka/netshoot
command: ["tail"]
args: ["-f", "/dev/null"]
terminationGracePeriodSeconds: 0
EOF
<4> CLI로 polaris 사용 가능
https://polaris.docs.fairwinds.com/infrastructure-as-code/
1
# 다운로드
wget https://github.com/FairwindsOps/polaris/releases/download/7.3.2/polaris_linux_amd64.tar.gz
tar zxvf polaris_linux_amd64.tar.gz
mv polaris /usr/local/bin
polaris audit --help
2
# 마리오 파드 yaml 점검
polaris audit --audit-path ~/pkos/1/mario.yaml --format=pretty
3
점검 결과.
4
깃허브 action에서 Polaris 실행
https://polaris.docs.fairwinds.com/infrastructure-as-code/#running-in-a-ci-pipeline
5
helm uninstall -n polaris polaris
// 폴라리스 삭제
6
클러스터 삭제
kops delete cluster --yes && aws cloudformation delete-stack --stack-name mykops
<5> 정리
polaris 보안 점검툴 사용해보자
조치해보자
CLI로 polaris 사용 가능
전체 보기
https://brunch.co.kr/@topasvga/3144
감사합니다.
