AI 助理
文档备案控制台
开发者社区 云原生 文章 正文

Kubernetes CKS 2021 Course【15】---Microservice Vulnerabilities - mTLS

2022-12-13 227
版权
版权声明:
本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《 阿里云开发者社区用户服务协议》和 《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写 侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。
简介: Kubernetes CKS 2021 Course【15】---Microservice Vulnerabilities - mTLS

文章目录

1. 介绍

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

2. Create sidecar proxy

任务

1035234-20181020215539574-213176954.png

root@master:~/cks/mTLS# k run app --image=bash --command -oyaml --dry-run=client > app.yaml -- sh -c 'ping baidu.com'
root@master:~/cks/mTLS# cat app.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: app
  name: app
spec:
  containers:
  - command:
    - sh
    - -c
    - ping baidu.com
    image: bash
    name: app
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
root@master:~/cks/mTLS# k -f app.yaml  create
pod/app created
root@master:~/cks/mTLS# k get pods -w
NAME   READY   STATUS              RESTARTS   AGE
app    0/1     ContainerCreating   0          14s
app    1/1     Running             0          23s
^Croot@master:~/cks/mTLS# k logs -f app
PING baidu.com (39.156.69.79): 56 data bytes
64 bytes from 39.156.69.79: seq=0 ttl=127 time=7.785 ms
64 bytes from 39.156.69.79: seq=1 ttl=127 time=7.526 ms
64 bytes from 39.156.69.79: seq=2 ttl=127 time=8.031 ms
64 bytes from 39.156.69.79: seq=3 ttl=127 time=8.429 ms
64 bytes from 39.156.69.79: seq=4 ttl=127 time=8.007 ms
64 bytes from 39.156.69.79: seq=5 ttl=127 time=7.250 ms
64 bytes from 39.156.69.79: seq=6 ttl=127 time=8.438 ms
64 bytes from 39.156.69.79: seq=7 ttl=127 time=7.412 ms
64 bytes from 39.156.69.79: seq=8 ttl=127 time=7.328 ms

set-capabilities-for-a-container

root@master:~/cks/securitytext# cat app.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: app
  name: app
spec:
  containers:
  - command:
    - sh
    - -c
    - sleep 1d
    image: busybox
    name: pod
    resources: {}
  - name: proxy
    image: ubuntu
    command:
    - sh
    - -c
    - 'apt-get update && apt-get install iptables -y && iptables -L && sleep 1d'
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]      
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
root@master:~/cks/securitytext# kubectl -f app.yaml delete --force --grace-period=0
warning: Immediate deletion does not wait for confirmation that the running resource has been terminated. The resource may continue to run on the cluster indefinitely.
pod "app" force deleted
root@master:~/cks/securitytext# k create -f app.yaml 
pod/app created
root@master:~/cks/securitytext# k get pods
NAME   READY   STATUS    RESTARTS   AGE
app    2/2     Running   0          45s
root@master:~/cks/securitytext# k logs app -c proxy
Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [109 kB]
Get:2 http://archive.ubuntu.com/ubuntu focal InRelease [265 kB]
Get:3 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [21.7 kB]
Get:4 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [700 kB]
Get:5 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:6 http://archive.ubuntu.com/ubuntu focal-backports InRelease [101 kB]
Get:7 http://archive.ubuntu.com/ubuntu focal/multiverse amd64 Packages [177 kB]
Get:8 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [1275 kB]
Get:9 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [267 kB]
Get:10 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [817 kB]
Get:11 http://archive.ubuntu.com/ubuntu focal/restricted amd64 Packages [33.4 kB]
Get:12 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [11.3 MB]
root@master:~/cks/securitytext# k logs app -c proxy -f
Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [109 kB]
Get:2 http://archive.ubuntu.com/ubuntu focal InRelease [265 kB]
Get:3 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [21.7 kB]
Get:4 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [700 kB]
Get:5 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:6 http://archive.ubuntu.com/ubuntu focal-backports InRelease [101 kB]
Get:7 http://archive.ubuntu.com/ubuntu focal/multiverse amd64 Packages [177 kB]
Get:8 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [1275 kB]
Get:9 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [267 kB]
Get:10 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [817 kB]
Get:11 http://archive.ubuntu.com/ubuntu focal/restricted amd64 Packages [33.4 kB]
Get:12 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [11.3 MB]
Get:13 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [969 kB]
Get:14 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [1238 kB]
Get:15 http://archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [299 kB]
Get:16 http://archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [29.7 kB]
Get:17 http://archive.ubuntu.com/ubuntu focal-backports/universe amd64 Packages [4305 B]
Fetched 17.8 MB in 1min 27s (205 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  libip4tc2 libip6tc2 libmnl0 libnetfilter-conntrack3 libnfnetlink0 libnftnl11
  libxtables12 netbase
Suggested packages:
  firewalld kmod nftables
The following NEW packages will be installed:
  iptables libip4tc2 libip6tc2 libmnl0 libnetfilter-conntrack3 libnfnetlink0
  libnftnl11 libxtables12 netbase
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 595 kB of archives.
After this operation, 3490 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal/main amd64 libip4tc2 amd64 1.8.4-3ubuntu2 [18.8 kB]
Get:2 http://archive.ubuntu.com/ubuntu focal/main amd64 libmnl0 amd64 1.0.4-2 [12.3 kB]
Get:3 http://archive.ubuntu.com/ubuntu focal/main amd64 libxtables12 amd64 1.8.4-3ubuntu2 [28.4 kB]
Get:4 http://archive.ubuntu.com/ubuntu focal/main amd64 netbase all 6.1 [13.1 kB]
Get:5 http://archive.ubuntu.com/ubuntu focal/main amd64 libip6tc2 amd64 1.8.4-3ubuntu2 [19.2 kB]
Get:6 http://archive.ubuntu.com/ubuntu focal/main amd64 libnfnetlink0 amd64 1.0.1-3build1 [13.8 kB]
Get:7 http://archive.ubuntu.com/ubuntu focal/main amd64 libnetfilter-conntrack3 amd64 1.0.7-2 [41.4 kB]
Get:8 http://archive.ubuntu.com/ubuntu focal/main amd64 libnftnl11 amd64 1.1.5-1 [57.8 kB]
Get:9 http://archive.ubuntu.com/ubuntu focal/main amd64 iptables amd64 1.8.4-3ubuntu2 [390 kB]
debconf: delaying package configuration, since apt-utils is not installed
Fetched 595 kB in 3s (182 kB/s)
Selecting previously unselected package libip4tc2:amd64.
(Reading database ... 4121 files and directories currently installed.)
Preparing to unpack .../0-libip4tc2_1.8.4-3ubuntu2_amd64.deb ...
Unpacking libip4tc2:amd64 (1.8.4-3ubuntu2) ...
Selecting previously unselected package libmnl0:amd64.
Preparing to unpack .../1-libmnl0_1.0.4-2_amd64.deb ...
Unpacking libmnl0:amd64 (1.0.4-2) ...
Selecting previously unselected package libxtables12:amd64.
Preparing to unpack .../2-libxtables12_1.8.4-3ubuntu2_amd64.deb ...
Unpacking libxtables12:amd64 (1.8.4-3ubuntu2) ...
Selecting previously unselected package netbase.
Preparing to unpack .../3-netbase_6.1_all.deb ...
Unpacking netbase (6.1) ...
Selecting previously unselected package libip6tc2:amd64.
Preparing to unpack .../4-libip6tc2_1.8.4-3ubuntu2_amd64.deb ...
Unpacking libip6tc2:amd64 (1.8.4-3ubuntu2) ...
Selecting previously unselected package libnfnetlink0:amd64.
Preparing to unpack .../5-libnfnetlink0_1.0.1-3build1_amd64.deb ...
Unpacking libnfnetlink0:amd64 (1.0.1-3build1) ...
Selecting previously unselected package libnetfilter-conntrack3:amd64.
Preparing to unpack .../6-libnetfilter-conntrack3_1.0.7-2_amd64.deb ...
Unpacking libnetfilter-conntrack3:amd64 (1.0.7-2) ...
Selecting previously unselected package libnftnl11:amd64.
Preparing to unpack .../7-libnftnl11_1.1.5-1_amd64.deb ...
Unpacking libnftnl11:amd64 (1.1.5-1) ...
Selecting previously unselected package iptables.
Preparing to unpack .../8-iptables_1.8.4-3ubuntu2_amd64.deb ...
Unpacking iptables (1.8.4-3ubuntu2) ...
Setting up libip4tc2:amd64 (1.8.4-3ubuntu2) ...
Setting up libip6tc2:amd64 (1.8.4-3ubuntu2) ...
Setting up libmnl0:amd64 (1.0.4-2) ...
Setting up libxtables12:amd64 (1.8.4-3ubuntu2) ...
Setting up libnfnetlink0:amd64 (1.0.1-3build1) ...
Setting up netbase (6.1) ...
Setting up libnftnl11:amd64 (1.1.5-1) ...
Setting up libnetfilter-conntrack3:amd64 (1.0.7-2) ...
Setting up iptables (1.8.4-3ubuntu2) ...
update-alternatives: using /usr/sbin/iptables-legacy to provide /usr/sbin/iptables (iptables) in auto mode
update-alternatives: using /usr/sbin/ip6tables-legacy to provide /usr/sbin/ip6tables (ip6tables) in auto mode
update-alternatives: using /usr/sbin/arptables-nft to provide /usr/sbin/arptables (arptables) in auto mode
update-alternatives: using /usr/sbin/ebtables-nft to provide /usr/sbin/ebtables (ebtables) in auto mode
Processing triggers for libc-bin (2.31-0ubuntu9.2) ...
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
文章标签:
容器服务Kubernetes版
容器
Kubernetes
关键词:
容器服务Kubernetes版cks vulnerabilities
相关实践学习
深入解析Docker容器化技术
Docker是一个开源的应用容器引擎,让开发者可以打包他们的应用以及依赖包到一个可移植的容器中,然后发布到任何流行的Linux机器上,也可以实现虚拟化,容器是完全使用沙箱机制,相互之间不会有任何接口。Docker是世界领先的软件容器平台。开发人员利用Docker可以消除协作编码时“在我的机器上可正常工作”的问题。运维人员利用Docker可以在隔离容器中并行运行和管理应用,获得更好的计算密度。企业利用Docker可以构建敏捷的软件交付管道,以更快的速度、更高的安全性和可靠的信誉为Linux和Windows Server应用发布新功能。 在本套课程中,我们将全面的讲解Docker技术栈,从环境安装到容器、镜像操作以及生产环境如何部署开发的微服务应用。本课程由黑马程序员提供。     相关的阿里云产品:容器服务 ACK 容器服务 Kubernetes 版(简称 ACK)提供高性能可伸缩的容器应用管理能力,支持企业级容器化应用的全生命周期管理。整合阿里云虚拟化、存储、网络和安全能力,打造云端最佳容器化应用运行环境。 了解产品详情: https://www.aliyun.com/product/kubernetes
爱死亡机器人
目录
相关文章
lady_killer9
|
Kubernetes 容器
k8s学习-CKS真题-日志审计 log audit
k8s学习-CKS真题-日志审计 log audit
lady_killer9
308 0
lady_killer9
|
Kubernetes 容器
k8s学习-CKS真题-ImagePolicyWebhook容器镜像扫描
k8s学习-CKS真题-ImagePolicyWebhook容器镜像扫描
lady_killer9
403 0
晚风_END
|
Kubernetes Cloud Native 安全
云原生|kubernetes|2022年底cks真题解析(11-16)
云原生|kubernetes|2022年底cks真题解析(11-16)
晚风_END
326 0
晚风_END
|
Kubernetes Cloud Native 安全
云原生|kubernetes|2022年底cks真题解析(1-10)
云原生|kubernetes|2022年底cks真题解析(1-10)
晚风_END
222 0
lady_killer9
|
Kubernetes 供应链 安全
k8s学习-CKS考试必过宝典
k8s学习-CKS考试必过宝典
lady_killer9
370 0
lady_killer9
|
Kubernetes 安全 容器
k8s学习-CKS真题-TLS安全配置
k8s学习-CKS真题-TLS安全配置
lady_killer9
374 0
lady_killer9
|
Kubernetes Ubuntu Linux
k8s学习-CKS真题-利用AppArmor进行应用行为限制
k8s学习-CKS真题-利用AppArmor进行应用行为限制
lady_killer9
276 0
lady_killer9
|
Kubernetes 安全 容器
k8s学习-CKS真题-Context安全上下文
k8s学习-CKS真题-Context安全上下文
lady_killer9
309 0
lady_killer9
|
Kubernetes API 网络架构
k8s学习-CKS真题-启用API Server认证,禁止匿名访问
k8s学习-CKS真题-启用API Server认证,禁止匿名访问
lady_killer9
423 0
lady_killer9
|
Kubernetes 安全 Linux
k8s学习-CKS真题-Trivy扫描镜像安全漏洞
k8s学习-CKS真题-Trivy扫描镜像安全漏洞
lady_killer9
227 0

热门文章

最新文章

  • 1
    使用阿里云容器服务Kubernetes实现蓝绿发布功能
  • 2
    SpringCloud 应用在 Kubernetes 上的最佳实践 — 高可用(容量评估)
  • 3
    在阿里云k8s服务中玩转最新版原生dashboard
  • 4
    Kubernetes 在等待 pod 中的 PVC 或 PV 挂载时超时
  • 5
    k8s容器云架构之dubbo微服务—K8S(15)监控实战-ELK收集K8S内应用日志
  • 6
    详解 kubernetes 包管理工具 Helm
  • 7
    飞天加速计划--阿里云ESC服务器部署K8s集群体验
  • 8
    【kubernetes】修复 systemctl status sshd Failed to get D-Bus connection: Operation not permitted
  • 9
    细说Kubernetes Pod的驱逐
  • 10
    Serverless Kubernetes ASK 概述|学习笔记
  • 1
    阿里云ACK托管集群Pro版共享GPU调度操作指南
    461
  • 2
    ACK One 注册集群云端节点池升级:IDC 集群一键接入云端 GPU 算力,接入效率提升 80%
    318
  • 3
    基于 Azure DevOps 与阿里云 ACK 构建企业级 CI/CD 流水线
    652
  • 4
    关于阿里云 Kubernetes 容器服务(ACK)添加镜像仓库的快速说明
    643
  • 5
    ACK GIE配置建议
    507
  • 6
    ACK One GitOps:让全球化游戏服务持续交付更简单
    197
  • 7
    Ray on ACK 最佳实践,保障 AI 数据处理/训练/推理等环境的安全部署
    632
  • 8
    智联招聘 × 阿里云 ACK One:云端弹性算力颠覆传统 IDC 架构,打造春招技术新范式
    312
  • 9
    智联招聘 × 阿里云 ACK One:云端弹性算力颠覆传统 IDC 架构,打造春招技术新范式
    481
  • 10
    KubeRay on ACK:更高效、更安全
    581

    • 相关课程

    更多
  • 阿里云 EMR on ACK 实战
  • 阿里云K8S微服务部署案例
  • Kubernetes极速入门
  • Serverless 容器从入门到精通: - Serverless Kubernetes
  • Kubernetes云原生管理实践
  • Kubernetes入门

    • 相关电子书

    更多
  • ACK 云原生弹性方案—云原生时代的加速器
  • ACK集群类型选择最佳实践
  • 企业运维之云原生和Kubernetes 实战

    • 推荐镜像

    更多
  • kubernetes
    • 下一篇
    ECS账号安全防护最佳实践