网站前端后端分开做可以吗企业网站报价

网站前端后端分开做可以吗,企业网站报价,论坛平台,朋友圈营销kubernetes-对node的kubeconfig安全加固 ​ 日拱一卒#xff0c;功不唐捐。大家好#xff0c;目前我的kubernetes集群遇到一个安全问题#xff0c;因为有些集群部署kubeadm部署方式部署的#xff0c;所以有些集群中kubelet启动的时候使用的admin权限的kubeconfig#xff…kubernetes-对node的kubeconfig安全加固​ 日拱一卒功不唐捐。大家好目前我的kubernetes集群遇到一个安全问题因为有些集群部署kubeadm部署方式部署的所以有些集群中kubelet启动的时候使用的admin权限的kubeconfig这个在生产环境下是存在安全风险的所以考虑对其进行安全加固。​ 我们知道kubelet启动的时候需要传kubeconfig如果使用的是admin权限的kubeconfig那如果被黑客利用了有很大的安全风险那如何解决呢我们自然会想到要么降低权限大小要么选择加密对吧加密自然麻烦一些你得改kubernetes代码加密倒不是不可以主要是还得自己维护代码所以这里选择降低权限选择降低node权限使其只能访问本节点数据不能横向访问其他节点数据。其实是借助了kubernetes的Node Authorizer NodeRestriction 限制kubelet只能访问本node的相关资源。完整流程admin kubeconfig仅用于创建 CSR ↓ 创建 kubelet CSRsystem:node:nodeName ↓ approve 签发证书 ↓ 生成 kubelet 专用 kubeconfig ↓ 重启 kubelet ↓ 删除 admin kubeconfig假设node的主机名称是 node1.localdomain1. 控制节点参数apiserver启用NodeRBAC--authorization-modeNode,RBACapiserver启用NodeRestriction Admission--enable-admission-pluginsNodeRestrictioncontroller-manager--cluster-signing-cert-file/etc/kubernetes/pki/ca.pem --cluster-signing-key-file/etc/kubernetes/pki/ca-key.pem2. 为node生成证书生成私钥#openssl genrsa -out kubelet.key 2048CSR 资源用于请求指定签名者签发证书流程如下设置 CSR 的 CN 和 O 属性非常重要。CN 是用户的名称O 是此用户所属的群组。 你可以参阅 RBAC 了解标准的群组。#openssl req -new \ -key kubelet.key \ -subj /CNsystem:node:node1.localdomain/Osystem:nodes \ -out kubelet.csr创建 CertificateSigningRequest 并通过 kubectl 将其提交到 Kubernetes 集群, 并 批准CerfificateSigningRequest确保状态是Approved,Issued#cat EOF | kubectl --kubeconfig config-cluster-test apply -f - apiVersion: certificates.k8s.io/v1 kind: CertificateSigningRequest metadata: name: node1.localdomain-kubelet-client spec: signerName: kubernetes.io/kube-apiserver-client-kubelet request: $(base64 -w0 kubelet.csr) usages: - client auth - digital signature - key encipherment EOF #kubectl --kubeconfig config-cluster-test certificate approve node1.localdomain-kubelet-client证书值以 Base64 编码格式显示在.status.certificate下, 从 CertificateSigningRequest 导出已颁发的证书。#kubectl --kubeconfig config-cluster-test get csr node1.localdomain-kubelet-client -o jsonpath{.status.certificate} | base64 -d kubelet-client.crt将证书配置到 kubeconfig 中并生成新的 /var/lib/kubelet/kubeconfig#kubectl --kubeconfig config-cluster-test config set-cluster kubernetes \ --serverhttps://10.236.111.57:6443 \ --certificate-authority/etc/kubernetes/ca.crt \ --embed-certstrue \ --kubeconfig/var/lib/kubelet/kubeconfig #kubelet-client.crt和kubelet-client.key为前面生成的私钥和crt #kubectl --kubeconfig config-cluster-test config set-credentials system:node:node1.localdomain \ --client-certificate/var/lib/kubelet/pki/kubelet-client.crt \ --client-key/var/lib/kubelet/pki/kubelet-client.key \ --embed-certstrue \ --kubeconfig/var/lib/kubelet/kubeconfig #kubectl --kubeconfig config-cluster-test config set-context default \ --clusterkubernetes \ --usersystem:node:node1.localdomain \ --kubeconfig/var/lib/kubelet/kubeconfig #kubectl --kubeconfig config-cluster-test config use-context default \ --kubeconfig/var/lib/kubelet/kubeconfig测试#kubectl --kubeconfig/var/lib/kubelet/kubeconfig auth can-i get pods测试效果实测不能list ns以及configmap/secret, 只能获取本pod相关的configmap以及pod以及secret都能获取同时能list获取nodes以及pod但不能exec pod.# kubectl --kubeconfig/var/lib/kubelet/kubeconfig -n my-test get secrets Error from server (Forbidden): secrets is forbidden: User system:node:node1.localdomain cannot list resource secrets in API group in the namespace my-test: No Object name found附脚本#!/bin/sh #用于集群生成node证书 #------ 变量 -------# NODE_HOSTNAMEhostname #当前worker节点主机名 API_ENDPOINThttps://10.236.111.57:3141 #集群api的地址 CA_PUB_PATH/etc/kubernetes/ca.crt #集群的ca证书 ADMIN_KUBECONFIG/root/admin-kubeconfig #集群的admin的kubeconfig DST_KUBECONFIG_PATH/var/lib/kubelet/kubeconfig.node.new #最终新的kubeconfig #--------------------# #cd /root openssl genrsa -out kubelet-client.key 2048 openssl req -new \ -key kubelet-client.key \ -subj /CNsystem:node:$HOSTNAME/Osystem:nodes \ -out kubelet-client.csr kubectl --kubeconfig $ADMIN_KUBECONFIG delete csr $NODE_HOSTNAME-kubelet-client cat EOF | kubectl --kubeconfig $ADMIN_KUBECONFIG apply -f - apiVersion: certificates.k8s.io/v1 kind: CertificateSigningRequest metadata: name: $NODE_HOSTNAME-kubelet-client spec: signerName: kubernetes.io/kube-apiserver-client-kubelet request: $(base64 -w0 kubelet-client.csr) usages: - client auth - digital signature - key encipherment EOF sleep 3 kubectl --kubeconfig $ADMIN_KUBECONFIG certificate approve $NODE_HOSTNAME-kubelet-client kubectl --kubeconfig $ADMIN_KUBECONFIG get csr $NODE_HOSTNAME-kubelet-client -o jsonpath{.status.certificate} | base64 -d kubelet-client.crt kubectl --kubeconfig $ADMIN_KUBECONFIG config set-cluster kubernetes \ --server$API_ENDPOINT \ --certificate-authority$CA_PUB_PATH \ --embed-certstrue \ --kubeconfig$DST_KUBECONFIG_PATH kubectl --kubeconfig $ADMIN_KUBECONFIG config set-credentials system:node:$NODE_HOSTNAME \ --client-certificate./kubelet-client.crt \ --client-key./kubelet-client.key \ --embed-certstrue \ --kubeconfig$DST_KUBECONFIG_PATH kubectl --kubeconfig $ADMIN_KUBECONFIG config set-context default \ --clusterkubernetes \ --usersystem:node:$NODE_HOSTNAME \ --kubeconfig$DST_KUBECONFIG_PATH kubectl --kubeconfig $ADMIN_KUBECONFIG config use-context default \ --kubeconfig$DST_KUBECONFIG_PATH #覆盖原来使用的kubeconfig cat $DST_KUBECONFIG_PATH /etc/kubernetes/admin.config参考https://kubernetes.io/zh-cn/docs/tasks/tls/certificate-issue-client-csr/