39탄-1. EKS 기초- 보안 - 2023
EKS 보안 Workshop
https://www.eksworkshop.com/docs/security/
목표
명령서버 cloud9 서버 1대 만들기
eks 클러스터 생성하기
<1> EKS를 만들기위한 명령서버인 Cloud9 생성하기
<2> EKS 클러스터 생성하기
<3> 모든 실습이 완료되면 삭제하기 (지금 삭제하지 마세요^^)
<4> EKS Workshop Sample 사용
<5> EKS Security 사용
<6> Pod Security Standards - Privileged PSS profile
<1> EKS를 만들기위한 명령서버인 Cloud9 생성하기
cloudformation으로 만든다. (콘솔로 만들어도 된다.)
1
디폴트 VPC가 있어야 한다.
2
AWS 콘솔 로그인
오른쪽 위 cloud shell 실행
3
wget -q https://raw.githubusercontent.com/aws-samples/eks-workshop-v2/stable/lab/cfn/eks-workshop-ide-cfn.yaml -O eks-workshop-ide-cfn.yaml
aws cloudformation deploy --stack-name eks-workshop-ide --template-file ./eks-workshop-ide-cfn.yaml --parameter-overrides RepositoryRef=stable EksWorkshopC9InstanceType=t3.medium --capabilities CAPABILITY_NAMED_IAM
Ask before pasting multiline code
체크 해제
(5분 걸림)
타이머
https://vclock.kr/timer/#countdown=00:10:00&enabled=0&seconds=0&sound=xylophone&loop=1
wget으로 받은 yaml file
4
aws cloudformation describe-stacks --stack-name eks-workshop-ide --query 'Stacks[0].Outputs[?OutputKey==`Cloud9Url`].OutputValue' --output text
url 확인 웹 접속 (콘솔로 cloud9가서 접속 해도 된다.)
위 명령어들 모음
<2> EKS 클러스터 생성하기
1
cloud9 접속해 eks 클러스터 생성하기
export EKS_CLUSTER_NAME=eks-workshop
curl -fsSL https://raw.githubusercontent.com/aws-samples/eks-workshop-v2/stable/cluster/eksctl/cluster.yaml | envsubst | eksctl create cluster -f -
(20분 걸림)
타이머
kubectl get nodes
use-cluster $EKS_CLUSTER_NAME
<3> 모든 실습이 완료되면 삭제하기 (지금 삭제하지 마세요^^)
delete-environment
eksctl delete cluster $EKS_CLUSTER_NAME --wait
aws cloudformation delete-stack --stack-name eks-workshop-ide
<4> EKS Workshop Sample 사용
쇼핑카트 마이크로 서비스가 배포되어 있는 상태이다.
https://www.eksworkshop.com/docs/introduction/getting-started/about
<5> EKS Security 사용
https://www.eksworkshop.com/docs/security/
1
파드가 권한이 필요하다. = IRSA 사용한다.
use-cluster $EKS_CLUSTER_NAME
환경 설정을 한다.
EKS Workshop Sample 사용
2
https://www.eksworkshop.com/docs/security/iam-roles-for-service-accounts/using-dynamo
로컬 다이나모 디비 대신 AWS 다이나모 디비로 변경하려 한다.
확인
kubectl -n carts get -o yaml cm carts
<6> Pod Security Standards - Privileged PSS profile
디폴트 사용 = ROOT 로 사용 = 보안에 취약
ec2-user:~/environment $ kubectl get ns
NAME STATUS AGE
assets Active 30m
carts Active 30m
catalog Active 30m
checkout Active 30m
default Active 42m
kube-node-lease Active 42m
kube-public Active 42m
kube-system Active 42m
orders Active 30m
other Active 12m
rabbitmq Active 30m
ui Active 30m
ec2-user:~/environment $ kubectl -n assets get deployment
NAME READY UP-TO-DATE AVAILABLE AGE
assets 1/1 1 1 30m
ec2-user:~/environment $ kubectl -n assets get deployment assets -o yaml | yq '.spec.template.spec'
containers:
- envFrom:
- configMapRef:
name: assets
image: public.ecr.aws/aws-containers/retail-store-sample-assets:0.4.0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /health.html
port: 8080
scheme: HTTP
periodSeconds: 3
successThreshold: 1
timeoutSeconds: 1
name: assets
ports:
- containerPort: 8080
name: http
protocol: TCP
resources:
limits:
memory: 128Mi
requests:
cpu: 128m
memory: 128Mi
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: false
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /tmp
name: tmp-volume
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: assets
serviceAccountName: assets
terminationGracePeriodSeconds: 30
volumes:
- emptyDir:
medium: Memory
name: tmp-volume
ec2-user:~/environment $
V
ec2-user:~/environment $ kubectl apply -k ~/environment/eks-workshop/modules/security/pss-psa/privileged-workload
namespace/assets unchanged
serviceaccount/assets unchanged
configmap/assets unchanged
service/assets unchanged
deployment.apps/assets configured
ec2-user:~/environment $ kubectl -n assets get pod
NAME READY STATUS RESTARTS AGE
assets-78666574f6-7hft5 1/1 Running 0 10s
ec2-user:~/environment $ kubectl -n assets exec $(kubectl -n assets get pods -o name) -- whoami
root
3
Baseline PSS Profile
권한으로 제한 사용 = 중간 보안
ec2-user:~/environment $ kubectl apply -k ~/environment/eks-workshop/modules/security/pss-psa/baseline-namespace
namespace/assets unchanged
serviceaccount/assets unchanged
configmap/assets unchanged
service/assets unchanged
Warning: would violate PodSecurity "baseline:latest": privileged (container "assets" must not set securityContext.privileged=true)
deployment.apps/assets configured
ec2-user:~/environment $
ec2-user:~/environment $
ec2-user:~/environment $ kubectl -n assets delete pod --all
pod "assets-7ccc84cb4d-xvkdv" deleted
ec2-user:~/environment $ kubectl -n assets get pod
NAME READY STATUS RESTARTS AGE
assets-7ccc84cb4d-zz2wj 1/1 Running 0 6s
ec2-user:~/environment $ kubectl -n assets get pod
NAME READY STATUS RESTARTS AGE
assets-7ccc84cb4d-zz2wj 1/1 Running 0 13s
ec2-user:~/environment $ kubectl get deployment -n assets assets -o yaml | yq '.status'
availableReplicas: 1
conditions:
- lastTransitionTime: "2023-11-09T02:22:42Z"
lastUpdateTime: "2023-11-09T02:22:42Z"
message: 'pods "assets-78666574f6-6v64m" is forbidden: violates PodSecurity "baseline:latest": privileged (container "assets" must not set securityContext.privileged=true)'
reason: FailedCreate
status: "True"
type: ReplicaFailure
- lastTransitionTime: "2023-11-09T02:23:29Z"
lastUpdateTime: "2023-11-09T02:23:29Z"
message: Deployment has minimum availability.
reason: MinimumReplicasAvailable
status: "True"
type: Available
- lastTransitionTime: "2023-11-09T01:40:32Z"
lastUpdateTime: "2023-11-09T02:23:29Z"
message: ReplicaSet "assets-78666574f6" is progressing.
reason: ReplicaSetUpdated
status: "True"
type: Progressing
observedGeneration: 4
readyReplicas: 1
replicas: 1
unavailableReplicas: 1
ec2-user:~/environment $ kubectl apply -k ~/environment/eks-workshop/modules/security/pss-psa/baseline-workload
namespace/assets unchanged
serviceaccount/assets unchanged
configmap/assets unchanged
service/assets unchanged
deployment.apps/assets configured
ec2-user:~/environment $ kubectl -n assets get pod
NAME READY STATUS RESTARTS AGE
assets-7ccc84cb4d-j6cvx 1/1 Running 0 36s
ec2-user:~/environment $ kubectl -n assets exec $(kubectl -n assets get pods -o name) -- whoami
nginx
4
Restricted PSS Profile
보안이 가장 강하다.
ec2-user:~/environment $ kubectl apply -k ~/environment/eks-workshop/modules/security/pss-psa/baseline-workload
namespace/assets unchanged
serviceaccount/assets unchanged
configmap/assets unchanged
service/assets unchanged
deployment.apps/assets configured
ec2-user:~/environment $
ec2-user:~/environment $
ec2-user:~/environment $ kubectl -n assets get pod
NAME READY STATUS RESTARTS AGE
assets-7ccc84cb4d-j6cvx 1/1 Running 0 36s
ec2-user:~/environment $ kubectl -n assets exec $(kubectl -n assets get pods -o name) -- whoami
nginx
ec2-user:~/environment $ kubectl apply -k ~/environment/eks-workshop/modules/security/pss-psa/restricted-namespace
Warning: existing pods in namespace "assets" violate the new PodSecurity enforce level "restricted:latest"
Warning: assets-7ccc84cb4d-j6cvx: allowPrivilegeEscalation != false, runAsNonRoot != true, seccompProfile
namespace/assets configured
serviceaccount/assets unchanged
configmap/assets unchanged
service/assets unchanged
deployment.apps/assets unchanged
ec2-user:~/environment $ kubectl -n assets delete pod --all
pod "assets-7ccc84cb4d-j6cvx" deleted
ec2-user:~/environment $ kubectl -n assets get pod
No resources found in assets namespace.
ec2-user:~/environment $
ec2-user:~/environment $ kubectl apply -k ~/environment/eks-workshop/modules/security/pss-psa/restricted-workload
namespace/assets unchanged
serviceaccount/assets unchanged
configmap/assets unchanged
service/assets unchanged
deployment.apps/assets configured
ec2-user:~/environment $ kubectl -n assets get pod
NAME READY STATUS RESTARTS AGE
assets-5bb65f9959-pvvm4 1/1 Running 0 4s
ec2-user:~/environment $
<7>Managing Secrets with AWS Secrets Manager
시크릿 매니저 사용
쿠버네티스에서 시크릿 매니저 사용해보자.
https://www.eksworkshop.com/docs/security/secrets-management/secrets-manager/
1
ec2-user:~/environment $ export SECRET_SUFFIX=$(openssl rand -hex 4)
ec2-user:~/environment $ export SECRET_NAME="$EKS_CLUSTER_NAME-catalog-secret-${SECRET_SUFFIX}"
ec2-user:~/environment $ aws secretsmanager create-secret --name "$SECRET_NAME" \
> --secret-string '{"username":"catalog_user", "password":"default_password"}' --region $AWS_REGION
{
"ARN": "arn:aws:secretsmanager:ap-northeast-2:319485572629:secret:eks-workshop-catalog-secret-fbf13fe1-uimSoX",
"Name": "eks-workshop-catalog-secret-fbf13fe1",
"VersionId": "be3473c9-c5a4-4092-8e04-dc444b60a51c"
}
ec2-user:~/environment $ aws secretsmanager describe-secret --secret-id "$SECRET_NAME"
{
"ARN": "arn:aws:secretsmanager:ap-northeast-2:319485572629:secret:eks-workshop-catalog-secret-fbf13fe1-uimSoX",
"Name": "eks-workshop-catalog-secret-fbf13fe1",
"LastChangedDate": "2023-11-09T02:31:17.877000+00:00",
"VersionIdsToStages": {
"be3473c9-c5a4-4092-8e04-dc444b60a51c": [
"AWSCURRENT"
]
},
"CreatedDate": "2023-11-09T02:31:17.672000+00:00"
}
ec2-user:~/environment $
2
AWS Secrets and Configuration Provider (ASCP)
볼륨으로 가져오도록 해보자.
다음은 EKS 네트워크
https://brunch.co.kr/@topasvga/3519
감사합니다.
