Kubernetes CKS【23】---Runtime Security - Auditing

本文涉及的产品
容器服务 Serverless 版 ACK Serverless,952元额度 多规格
容器服务 Serverless 版 ACK Serverless,317元额度 多规格
简介: Kubernetes CKS【23】---Runtime Security - Auditing

文章目录

1. 介绍

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

2. Apiserver启用“Audit Logging”

官方链接:

https://kubernetes.io/docs/tasks/debug-application-cluster/audit/

1035234-20181020215539574-213176954.png

root@master:/etc/kubernetes/manifests# mkdir /etc/kubernetes/auditing
root@master:/etc/kubernetes/manifests# mkidr /etc/kubernetes/audit/logs
root@master:/etc/kubernetes/manifests# cat /etc/kubernetes/audit/policy.yaml 
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
root@master:/etc/kubernetes/manifests# cat kube-apiserver.yaml 
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 192.168.211.40:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --audit-policy-file=/etc/kubernetes/audit/policy.yaml       # add
    - --audit-log-path=/etc/kubernetes/audit/logs/audit.log       # add
    - --audit-log-maxsize=500                                     # add
    - --audit-log-maxbackup=5  
    - --advertise-address=192.168.211.40
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --insecure-port=0
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    image: k8s.gcr.io/kube-apiserver:v1.20.7
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 192.168.211.40
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    name: kube-apiserver
    readinessProbe:
      failureThreshold: 3
      httpGet:
        host: 192.168.211.40
        path: /readyz
        port: 6443
        scheme: HTTPS
      periodSeconds: 1
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    startupProbe:
      failureThreshold: 24
      httpGet:
        host: 192.168.211.40
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/ca-certificates
      name: etc-ca-certificates
      readOnly: true
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /usr/local/share/ca-certificates
      name: usr-local-share-ca-certificates
      readOnly: true
    - mountPath: /usr/share/ca-certificates
      name: usr-share-ca-certificates
      readOnly: true
    - mountPath: /etc/kubernetes/audit      # add
      name: audit                           # add
  hostNetwork: true
  priorityClassName: system-node-critical
  volumes:
  - hostPath:                               # add
      path: /etc/kubernetes/audit           # add
      type: DirectoryOrCreate               # add
    name: audit                             # add
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/ca-certificates
      type: DirectoryOrCreate
    name: etc-ca-certificates
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
  - hostPath:
      path: /usr/local/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-local-share-ca-certificates
  - hostPath:
      path: /usr/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-share-ca-certificates
status: {}
root@master:/etc/kubernetes/manifests# k get pods -n kube-system |grep api
kube-apiserver-master                      1/1     Running   3          5m
root@master:/etc/kubernetes/manifests# tail /etc/kubernetes/audit/logs/audit.log 
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"3ea2f430-108b-4b17-b967-6e26619fda99","stage":"RequestReceived","requestURI":"/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/kube-controller-manager?timeout=10s","verb":"update","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["192.168.211.40"],"userAgent":"kube-controller-manager/v1.20.7 (linux/amd64) kubernetes/132a687/leader-election","objectRef":{"resource":"leases","namespace":"kube-system","name":"kube-controller-manager","apiGroup":"coordination.k8s.io","apiVersion":"v1"},"requestReceivedTimestamp":"2021-05-24T08:28:50.431353Z","stageTimestamp":"2021-05-24T08:28:50.431353Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"f6a3fc3b-96eb-4e2e-9ba2-66d2e345fb8a","stage":"RequestReceived","requestURI":"/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler?timeout=10s","verb":"update","user":{"username":"system:kube-scheduler","groups":["system:authenticated"]},"sourceIPs":["192.168.211.40"],"userAgent":"kube-scheduler/v1.20.7 (linux/amd64) kubernetes/132a687/leader-election","objectRef":{"resource":"leases","namespace":"kube-system","name":"kube-scheduler","apiGroup":"coordination.k8s.io","apiVersion":"v1"},"requestReceivedTimestamp":"2021-05-24T08:28:50.435266Z","stageTimestamp":"2021-05-24T08:28:50.435266Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"3ea2f430-108b-4b17-b967-6e26619fda99","stage":"ResponseComplete","requestURI":"/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/kube-controller-manager?timeout=10s","verb":"update","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["192.168.211.40"],"userAgent":"kube-controller-manager/v1.20.7 (linux/amd64) kubernetes/132a687/leader-election","objectRef":{"resource":"leases","namespace":"kube-system","name":"kube-controller-manager","uid":"bcb35dd3-5cb0-4460-99af-dcedb37a6bfa","apiGroup":"coordination.k8s.io","apiVersion":"v1","resourceVersion":"30280"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-05-24T08:28:50.431353Z","stageTimestamp":"2021-05-24T08:28:50.438912Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:kube-controller-manager\" of ClusterRole \"system:kube-controller-manager\" to User \"system:kube-controller-manager\""}}

3. 创建Secret 审查 Audit Logs

1035234-20181020215539574-213176954.png

root@master:/etc/kubernetes/manifests# k create secret generic very-secure --from-literal=user=admin
secret/very-secure created
root@master:/etc/kubernetes/manifests# cat /etc/kubernetes/audit/logs/audit.log |grep very-secure | jq .
{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "auditID": "12831143-4615-4f4c-a443-6b80c946a0b1",
  "stage": "ResponseComplete",
  "requestURI": "/api/v1/namespaces/default/secrets?fieldManager=kubectl-create",
  "verb": "create",
  "user": {
    "username": "kubernetes-admin",
    "groups": [
      "system:masters",
      "system:authenticated"
    ]
  },
  "sourceIPs": [
    "192.168.211.40"
  ],
  "userAgent": "kubectl/v1.20.2 (linux/amd64) kubernetes/faecb19",
  "objectRef": {
    "resource": "secrets",
    "namespace": "default",
    "name": "very-secure",
    "apiVersion": "v1"
  },
  "responseStatus": {
    "metadata": {},
    "code": 201
  },
  "requestReceivedTimestamp": "2021-05-24T08:30:54.109005Z",
  "stageTimestamp": "2021-05-24T08:30:54.114724Z",
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": ""
  }
}

4. 创建高级审计(Audit)策略

1035234-20181020215539574-213176954.png

1035234-20181020215539574-213176954.png

root@master:/etc/kubernetes/audit# cat policy.yaml 
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - "RequestReceived"
rules:
- level: Metadata
- level: None
  verbs: ["get","list","watch"]
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets"]
- level: RequestResponse
#重启kube-apiserver
root@master:~/imagev1.20.7# mv /etc/kubernetes/manifests/kube-apiserver.yaml /etc/kubernetes/
root@master:~/imagev1.20.7# ps aux |grep api
root@master:~/imagev1.20.7# mv /etc/kubernetes/kube-apiserver.yaml /etc/kubernetes/manifests/kube-apiserver.yaml
root@master:~/imagev1.20.7# ps aux |grep api
root      25311  102 19.6 1165724 399712 ?      Ssl  01:49   0:08 kube-apiserver --audit-policy-file=/etc/kubernetes/audit/policy.yaml --audit-log-path=/etc/kubernetes/audit/logs/audit.log --audit-log-maxsize=500 --audit-log-maxbackup=5 --advertise-address=192.168.211.40 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --insecure-port=0 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/12 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
root@master:/etc/kubernetes/manifests# tail /etc/kubernetes/audit/logs/audit.log | jq .
{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "RequestResponse",
  "auditID": "af001aec-e743-40fb-9530-33d78b0b837a",
  "stage": "ResponseComplete",
  "requestURI": "/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/kube-controller-manager?timeout=10s",
  "verb": "update",
  "user": {
    "username": "system:kube-controller-manager",
    "groups": [
      "system:authenticated"
    ]
  },
  "sourceIPs": [
    "192.168.211.40"
  ],
  "userAgent": "kube-controller-manager/v1.20.7 (linux/amd64) kubernetes/132a687/leader-election",
  "objectRef": {
    "resource": "leases",
    "namespace": "kube-system",
    "name": "kube-controller-manager",
    "uid": "bcb35dd3-5cb0-4460-99af-dcedb37a6bfa",
    "apiGroup": "coordination.k8s.io",
    "apiVersion": "v1",
    "resourceVersion": "33178"
  },
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "requestObject": {
    "kind": "Lease",
    "apiVersion": "coordination.k8s.io/v1",
    "metadata": {
      "name": "kube-controller-manager",
      "namespace": "kube-system",
      "uid": "bcb35dd3-5cb0-4460-99af-dcedb37a6bfa",
      "resourceVersion": "33178",
      "creationTimestamp": "2021-05-14T08:37:45Z",
      "managedFields": [
        {
          "manager": "kube-controller-manager",
          "operation": "Update",
          "apiVersion": "coordination.k8s.io/v1",
          "time": "2021-05-14T08:37:45Z",
          "fieldsType": "FieldsV1",
          "fieldsV1": {
            "f:spec": {
              "f:acquireTime": {},
              "f:holderIdentity": {},
              "f:leaseDurationSeconds": {},
              "f:leaseTransitions": {},
              "f:renewTime": {}
            }
          }
        }
      ]
    },
    "spec": {
      "holderIdentity": "master_0b1b6fb7-55d4-4a8b-b560-bc283491de73",
      "leaseDurationSeconds": 15,
      "acquireTime": "2021-05-24T09:05:09.579371Z",
      "renewTime": "2021-05-24T09:05:54.355135Z",
      "leaseTransitions": 7
    }
  },
  "responseObject": {
    "kind": "Lease",
    "apiVersion": "coordination.k8s.io/v1",
    "metadata": {
      "name": "kube-controller-manager",
      "namespace": "kube-system",
      "uid": "bcb35dd3-5cb0-4460-99af-dcedb37a6bfa",
      "resourceVersion": "33179",
      "creationTimestamp": "2021-05-14T08:37:45Z",
      "managedFields": [
        {
          "manager": "kube-controller-manager",
          "operation": "Update",
          "apiVersion": "coordination.k8s.io/v1",
          "time": "2021-05-14T08:37:45Z",
          "fieldsType": "FieldsV1",
          "fieldsV1": {
            "f:spec": {
              "f:acquireTime": {},
              "f:holderIdentity": {},
              "f:leaseDurationSeconds": {},
              "f:leaseTransitions": {},
              "f:renewTime": {}
            }
          }
        }
      ]
    },
    "spec": {
      "holderIdentity": "master_0b1b6fb7-55d4-4a8b-b560-bc283491de73",
      "leaseDurationSeconds": 15,
      "acquireTime": "2021-05-24T09:05:09.579371Z",
      "renewTime": "2021-05-24T09:05:54.355135Z",
      "leaseTransitions": 7
    }
  },
  "requestReceivedTimestamp": "2021-05-24T09:05:54.382234Z",
  "stageTimestamp": "2021-05-24T09:05:54.397800Z",
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"system:kube-controller-manager\" of ClusterRole \"system:kube-controller-manager\" to User \"system:kube-controller-manager\""
  }
}

5. 审查API access 历史

1035234-20181020215539574-213176954.png

root@master:/etc/kubernetes/manifests# k create sa very-crazy-sa
serviceaccount/very-crazy-sa created
root@master:/etc/kubernetes/manifests# k get sa
NAME            SECRETS   AGE
default         1         10d
very-crazy-sa   1         5s
root@master:/etc/kubernetes/manifests# k get secret
NAME                        TYPE                                  DATA   AGE
default-token-4lh26         kubernetes.io/service-account-token   3      10d
very-crazy-sa-token-fr7sw   kubernetes.io/service-account-token   3      46s
very-secure                 Opaque                                1      52m
root@master:/etc/kubernetes/manifests# cat /etc/kubernetes/audit/logs/audit.log |grep very-crazy-sa
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"1332e3c4-63d1-408e-b2d0-95b21774cd2d","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/serviceaccounts?fieldManager=kubectl-create","verb":"create","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.211.40"],"userAgent":"kubectl/v1.20.2 (linux/amd64) kubernetes/faecb19","objectRef":{"resource":"serviceaccounts","namespace":"default","name":"very-crazy-sa","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"very-crazy-sa","creationTimestamp":null}},"responseObject":{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"very-crazy-sa","namespace":"default","uid":"26cc66f7-cf7d-443a-8bb0-b1b9af6bd30a","resourceVersion":"34576","creationTimestamp":"2021-05-24T09:22:24Z"}},"requestReceivedTimestamp":"2021-05-24T09:22:24.643249Z","stageTimestamp":"2021-05-24T09:22:24.652927Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"96c8fea3-0874-46a7-baed-e32c07316529","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets","verb":"create","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["192.168.211.40"],"userAgent":"kube-controller-manager/v1.20.7 (linux/amd64) kubernetes/132a687/tokens-controller","objectRef":{"resource":"secrets","namespace":"default","name":"very-crazy-sa-token-fr7sw","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2021-05-24T09:22:24.676670Z","stageTimestamp":"2021-05-24T09:22:24.686139Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:kube-controller-manager\" of ClusterRole \"system:kube-controller-manager\" to User \"system:kube-controller-manager\""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"27737c46-ab58-4b5b-a12c-b3974e7ecbff","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/serviceaccounts/very-crazy-sa","verb":"update","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["192.168.211.40"],"userAgent":"kube-controller-manager/v1.20.7 (linux/amd64) kubernetes/132a687/tokens-controller","objectRef":{"resource":"serviceaccounts","namespace":"default","name":"very-crazy-sa","uid":"26cc66f7-cf7d-443a-8bb0-b1b9af6bd30a","apiVersion":"v1","resourceVersion":"34576"},"responseStatus":{"metadata":{},"code":200},"requestObject":{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"very-crazy-sa","namespace":"default","uid":"26cc66f7-cf7d-443a-8bb0-b1b9af6bd30a","resourceVersion":"34576","creationTimestamp":"2021-05-24T09:22:24Z"},"secrets":[{"name":"very-crazy-sa-token-fr7sw"}]},"responseObject":{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"very-crazy-sa","namespace":"default","uid":"26cc66f7-cf7d-443a-8bb0-b1b9af6bd30a","resourceVersion":"34578","creationTimestamp":"2021-05-24T09:22:24Z"},"secrets":[{"name":very-crazy-sa-token-fr7sw"}]},"requestReceivedTimestamp":"2021-05-24T09:22:24.688390Z","stageTimestamp":"2021-05-24T09:22:24.691198Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:kube-controller-manager\" of ClusterRole \"system:kube-controller-manager\" to User \"system:kube-controller-manager\""}}
root@master:/cks/runtime-security# k run accessor --image=nginx --dry-run=client -oyaml > pod.yaml
root@master:~/cks/runtime-security# vim pod3.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: accessor
  name: accessor
spec:
  serviceAccountName: very-crazy-sa   #添加此行
  containers:
  - image: nginx
    name: accessor
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
root@master:~/cks/runtime-security# k create -f pod.yaml 
pod/accessor created
root@master:~/cks/runtime-security# k get pod accessor -w
NAME       READY   STATUS              RESTARTS   AGE
accessor   0/1     ContainerCreating   0          11s
accessor   1/1     Running             0          20s
root@master:~/cks/runtime-security# cat /etc/kubernetes/audit/logs/audit.log |grep accessor
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"1025990a-e51c-4c51-9010-6436999a88cb","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods/accessor/status","verb":"patch","user":{"username":"system:node:node2","groups":["system:nodes","system:authenticated"]},"sourceIPs":["192.168.211.42"],"userAgent":"kubelet/v1.20.1 (linux/amd64) kubernetes/c4d7527","objectRef":{"resource":"pods","namespace":"default","name":"accessor","apiVersion":"v1","subresource":"status"},"responseStatus":{"metadata":{},"code":200},"requestObject":{"metadata":{"uid":"d67a9290-1dc8-4f14-ac84-88e9ae82d2a2"},"status":{"$setElementOrder/conditions":[{"type":"Initialized"},{"type":"Ready"},{"type":"ContainersReady"},{"type":"PodScheduled"}],"conditions":[{"lastTransitionTime":"2021-05-24T09:29:44Z","message":null,"reason":null,"status":"True","type":"Ready"},{"lastTransitionTime":"2021-05-24T09:29:44Z","message":null,"reason":null,"status":"True","type":"ContainersReady"}],"containerStatuses":[{"containerID":"docker://d80411bf54156c9f65c4887c4255dc545b8ebdf518d4d9470f23b0ad3f984b39","image":"nginx:latest","imageID":"docker-pullable://nginx@sha256:df13abe416e37eb3db4722840dd479b00ba193ac6606e7902331dcea50f4f1f2","lastState":{},"name":"accessor","ready":true,"restartCount":0,"started":true,"state":{"running":{"startedAt":"2021-05-24T09:29:43Z"}}}],"phase":"Running","podIP":"10.244.104.11","podIPs":[{"ip":"10.244.104.11"}]}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"accessor","namespace":"default","uid":"d67a9290-1dc8-4f14-ac84-88e9ae82d2a2","resourceVersion":"35224","creationTimestamp":"2021-05-24T09:29:24Z","labels":{"run":"accessor"},"annotations":{"cni.projectcalico.org/podIP":"10.244.104.11/32","cni.projectcalico.org/podIPs":"10.244.104.11/32"},"managedFields":[{"manager":"kubectl-create","operation":"Update","apiVersion":"v1","time":"2021-05-24T09:29:24Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:run":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"accessor\"}":{".":{},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:enableServiceLinks":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:serviceAccount":{},"f:serviceAccountName":{},"f:terminationGracePeriodSeconds":{}}}},{"manager":"calico","operation":"Update","apiVersion":"v1","time":"2021-05-24T09:29:26Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:cni.projectcalico.org/podIP":{},"f:cni.projectcalico.org/podIPs":{}}}}},{"manager":"kubelet","operation":"Update","apiVersion":"v1","time":"2021-05-24T09:29:44Z","fieldsType":"FieldsV1","fieldsV1":{"f:status":{"f:conditions":{"k:{\"type\":\"ContainersReady\"}":{".":{},"f:lastProbeTime":{},"f:lastTransitionTime":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Initialized\"}":{".":{},"f:lastProbeTime":{},"f:lastTransitionTime":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Ready\"}":{".":{},"f:lastProbeTime":{},"f:lastTransitionTime":{},"f:status":{},"f:type":{}}},"f:containerStatuses":{},"f:hostIP":{},"f:phase":{},"f:podIP":{},"f:podIPs":{".":{},"k:{\"ip\":\"10.244.104.11\"}":{".":{},"f:ip":{}}},"f:startTime":{}}}}]},"spec":{"volumes":[{"name":"very-crazy-sa-token-fr7sw","secret":{"secretName":"very-crazy-sa-token-fr7sw","defaultMode":420}}],"containers":[{"name":"accessor","image":"nginx","resources":{},"volumeMounts":[{"name":"very-crazy-sa-token-fr7sw","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"very-crazy-sa","serviceAccount":"very-crazy-sa","nodeName":"node2","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true,"preemptionPolicy":"PreemptLowerPriority"},"status":{"phase":"Running","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2021-05-24T09:29:24Z"},{"type":"Ready","status":"True","lastProbeTime":null,"lastTransitionTime":"2021-05-24T09:29:44Z"},{"type":"ContainersReady","status":"True","lastProbeTime":null,"lastTransitionTime":"2021-05-24T09:29:44Z"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2021-05-24T09:29:24Z"}],"hostIP":"192.168.211.42","podIP":"10.244.104.11","podIPs":[{"ip":"10.244.104.11"}],"startTime":"2021-05-24T09:29:24Z","containerStatuses":[{"name":"accessor","state":{"running":{"startedAt":"2021-05-24T09:29:43Z"}},"lastState":{},"ready":true,"restartCount":0,"image":"nginx:latest","imageID":"docker-pullable://nginx@sha256:df13abe416e37eb3db4722840dd479b00ba193ac6606e7902331dcea50f4f1f2","containerID":"docker://d80411bf54156c9f65c4887c4255dc545b8ebdf518d4d9470f23b0ad3f984b39","started":true}],"qosClass":"BestEffort"}},"requestReceivedTimestamp":"2021-05-24T09:29:44.384315Z","stageTimestamp":"2021-05-24T09:29:44.426816Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
相关实践学习
通过Ingress进行灰度发布
本场景您将运行一个简单的应用,部署一个新的应用用于新的发布,并通过Ingress能力实现灰度发布。
容器应用与集群管理
欢迎来到《容器应用与集群管理》课程,本课程是“云原生容器Clouder认证“系列中的第二阶段。课程将向您介绍与容器集群相关的概念和技术,这些概念和技术可以帮助您了解阿里云容器服务ACK/ACK Serverless的使用。同时,本课程也会向您介绍可以采取的工具、方法和可操作步骤,以帮助您了解如何基于容器服务ACK Serverless构建和管理企业级应用。 学习完本课程后,您将能够: 掌握容器集群、容器编排的基本概念 掌握Kubernetes的基础概念及核心思想 掌握阿里云容器服务ACK/ACK Serverless概念及使用方法 基于容器服务ACK Serverless搭建和管理企业级网站应用
相关文章
|
5月前
|
Kubernetes Ubuntu Docker
Kubernetes 审计(Auditing)
在 Kubernetes 1.22.2 环境中实施审计策略可以帮助管理员监控和记录集群中的资源操作,确保集群的安全性和符合性。通过启用审计 Admission Controller 和配置相应的审计策略,我们可以灵活地控制审计记录的格式和范围。 致力于一条龙式的为您解决问题
|
6月前
|
Kubernetes Docker 容器
k8s学习-CKS真题-Runtime设置gVisor
k8s学习-CKS真题-Runtime设置gVisor
96 0
|
存储 JSON Kubernetes
kubernetes Auditing 实战
kubernetes Auditing 实战
kubernetes Auditing 实战
|
Kubernetes 安全 容器
Kubernetes CKS【22】---Runtime Security -容器安全加固
Kubernetes CKS【22】---Runtime Security -容器安全加固
Kubernetes CKS【22】---Runtime Security -容器安全加固
|
Kubernetes 安全 容器
Kubernetes CKS【21】---Runtime Security -主机与容器行为安全分析(strace、/proc、env、falco)(2)
Kubernetes CKS【21】---Runtime Security -主机与容器行为安全分析(strace、/proc、env、falco)(2)
Kubernetes CKS【21】---Runtime Security -主机与容器行为安全分析(strace、/proc、env、falco)(2)
|
Kubernetes 安全 容器
Kubernetes CKS【21】---Runtime Security -主机与容器行为安全分析(strace、/proc、env、falco)(1)
Kubernetes CKS【21】---Runtime Security -主机与容器行为安全分析(strace、/proc、env、falco)(1)
Kubernetes CKS【21】---Runtime Security -主机与容器行为安全分析(strace、/proc、env、falco)(1)
|
Kubernetes Linux 容器
Kubernetes CKS【13】---Microservice Vulnerabilities - Container Runtime Sandboxes
Kubernetes CKS【13】---Microservice Vulnerabilities - Container Runtime Sandboxes
Kubernetes CKS【13】---Microservice Vulnerabilities - Container Runtime Sandboxes
|
Kubernetes 关系型数据库 MySQL
kustomize (五) 使用vars将 k8s runtime 数据注入容器
kustomize (五) 使用vars将 k8s runtime 数据注入容器
|
14天前
|
JSON Kubernetes 容灾
ACK One应用分发上线:高效管理多集群应用
ACK One应用分发上线,主要介绍了新能力的使用场景
|
15天前
|
Kubernetes 持续交付 开发工具
ACK One GitOps:ApplicationSet UI简化多集群GitOps应用管理
ACK One GitOps新发布了多集群应用控制台,支持管理Argo CD ApplicationSet,提升大规模应用和集群的多集群GitOps应用分发管理体验。