{"id":175,"date":"2023-01-22T14:46:27","date_gmt":"2023-01-22T14:46:27","guid":{"rendered":"https:\/\/devopsopen.com\/?p=175"},"modified":"2023-02-22T13:39:08","modified_gmt":"2023-02-22T13:39:08","slug":"security","status":"publish","type":"post","link":"https:\/\/devopsopen.com\/index.php\/2023\/01\/22\/security\/","title":{"rendered":"Security"},"content":{"rendered":"<h1>Security<\/h1>\n<h4 id=\"Summary\">Summary<\/h4>\n<ul class=\"ez-toc-page-1 ez-toc-heading-level-2\">\n<li><a title=\"Security Primitives\" href=\"#Security Primitives\"> Security Primitives<\/a><\/li>\n<li><a title=\"Authentication and service Accounts\" href=\"#Authentication and service Accounts\"> Authentication and service Accounts<\/a><\/li>\n<li><a title=\"TLS Basics and in Kubernetes\" href=\"#TLS Basics and in Kubernetes\"> TLS Basics and in Kubernetes<\/a><\/li>\n<li><a title=\"Certificates API\" href=\"#Certificates API\">Certificates API<\/a><\/li>\n<li><a title=\"KubeConfig\" href=\"#KubeConfig\"> KubeConfig<\/a><\/li>\n<li><a title=\"API Groups\" href=\"#API Groups\"> API Groups<\/a><\/li>\n<li><a title=\"Authorization\" href=\"#Authorization\"> Authorization<\/a><\/li>\n<li><a title=\"Role Based Access Controls (RBAC)\" href=\"#Role Based Access Controls (RBAC)\"> Role Based Access Controls (RBAC)<\/a><\/li>\n<li><a title=\"Cluster Roles and Role Bindings\" href=\"#Cluster Roles and Role Bindings\"> Cluster Roles and Role Bindings<\/a><\/li>\n<li><a title=\"Service Accounts\" href=\"#Service Accounts\"> Service Accounts<\/a><\/li>\n<li><a title=\"Image Security\" href=\"#Image Security\"> Image Security<\/a><\/li>\n<li><a title=\"Security Contexts\" href=\"#Security Contexts\"> Security Contexts<\/a><\/li>\n<li><a title=\"Network Policy\" href=\"#Network Policy\"> Network Policy<\/a><\/li>\n<li><a title=\"Kubectx and Kubens command line utilities\" href=\"#Kubectx and Kubens command line utilities\"> Kubectx and Kubens command line utilities<\/a><\/li>\n<\/ul>\n<h2 id=\"Security 
Primitives\"><a title=\"Summary\" href=\"#Summary\">Security Primitives<\/a><\/h2>\n<ul>\n<li>Disable password-based authentication and use SSH key-based authentication on every host.<\/li>\n<li>Who can access the cluster? (authentication)\n<ul>\n<li>Files - username and password<\/li>\n<li>Files - username and token<\/li>\n<li>Certificates<\/li>\n<li>External authentication providers - LDAP<\/li>\n<li>Service Accounts<\/li>\n<\/ul>\n<\/li>\n<li>What can they do? (authorization)\n<ul>\n<li>RBAC authorization<\/li>\n<li>ABAC authorization<\/li>\n<li>Node authorization<\/li>\n<li>Webhook mode<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2 id=\"Authentication and service Accounts\"><a title=\"Summary\" href=\"#Summary\">Authentication and service Accounts<\/a><\/h2>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-203\" src=\"https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/basic_auth.png\" alt=\"\" width=\"833\" height=\"770\" srcset=\"https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/basic_auth.png 833w, https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/basic_auth-300x277.png 300w, https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/basic_auth-768x710.png 768w\" sizes=\"(max-width: 833px) 100vw, 833px\" \/><\/p>\n<h2 id=\"TLS Basics and in Kubernetes\"><a title=\"Summary\" href=\"#Summary\">TLS Basics and in Kubernetes<\/a><\/h2>\n<p>- What are TLS certificates?<\/p>\n<p>TLS certificates are used to secure traffic between two endpoints. The underlying method is asymmetric encryption (public-key cryptography). 
You need a key pair: a public key and a private key.<\/p>\n<p>A public key (certificate) file can have several extensions (*.crt, *.pem, ...), and so can a private key (*.key, *-key.pem, ...).<\/p>\n<p>For more information, the common file formats are:<\/p>\n<ul>\n<li><strong>.pem <\/strong>\u2014 This is a (Privacy-enhanced Electronic Mail) Base64 encoded DER certificate, enclosed between \u201c-----BEGIN CERTIFICATE-----\u201d and \u201c-----END CERTIFICATE-----\u201d<\/li>\n<li><strong>.cer, .crt, and .der<\/strong> \u2014 Although usually in binary DER form, Base64-encoded certificates are also common (see .pem above).<\/li>\n<li><strong>.p7b and .p7c<\/strong> \u2014 PKCS#7 SignedData structure without data, just certificate(s) or CRL(s).<\/li>\n<li><strong>.p12<\/strong> \u2014 PKCS#12 files may contain certificate(s) (public) and private keys (password protected).<\/li>\n<li><strong>.pfx<\/strong> \u2014 PFX is the predecessor of PKCS#12. This type of file usually contains data in PKCS#12 format (e.g., with PFX files generated in IIS).<\/li>\n<\/ul>\n<p>- How does Kubernetes use certificates?<\/p>\n<p>Clients such as the admin user, kube-scheduler, kube-controller-manager and kube-proxy call the kube-apiserver, so each of them presents a client certificate.<\/p>\n<p>The kube-apiserver is called by the other components (it needs a server certificate) and in turn calls the etcd server and the kubelet (it needs client certificates for those calls).<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-224\" src=\"https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/certificates.png\" alt=\"\" width=\"1134\" height=\"575\" srcset=\"https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/certificates.png 1134w, https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/certificates-300x152.png 300w, https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/certificates-1024x519.png 1024w, https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/certificates-768x389.png 768w\" sizes=\"(max-width: 1134px) 100vw, 1134px\" \/><\/p>\n<p>In our case all the certificates are signed by the same CA, but etcd 
can use a different CA.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-225\" src=\"https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/certifcates-ca.png\" alt=\"\" width=\"991\" height=\"622\" srcset=\"https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/certifcates-ca.png 991w, https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/certifcates-ca-300x188.png 300w, https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/certifcates-ca-768x482.png 768w\" sizes=\"(max-width: 991px) 100vw, 991px\" \/><\/p>\n<p>- How to generate them<\/p>\n<p>Use an existing CA (Certificate Authority - Symantec, GlobalSign, DigiCert, ...) or generate your own.<\/p>\n<blockquote>\n<pre>The first step is to generate the CA private key : <strong>openssl genrsa -out ca.key 2048<\/strong><br \/><br \/>Then generate the CSR (Certificate Signing Request) : <strong>openssl req -new -key ca.key -subj \"\/CN=KUBERNETES-CA\" -out ca.csr<\/strong><br \/><br \/>Finally self-sign the CA certificate : <strong>openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt<\/strong><\/pre>\n<\/blockquote>\n<p>Generate the user or admin certificate :<\/p>\n<blockquote>\n<pre>The first step is to generate the admin private key : <strong>openssl genrsa -out admin.key 2048<\/strong><br \/><br \/>Then generate the CSR (Certificate Signing Request) : <strong>openssl req -new -key admin.key -subj \"\/CN=Kube-admin\" -out admin.csr<\/strong><br \/><br \/>Finally sign the certificate with the CA (<strong>-CAcreateserial<\/strong> creates the CA serial-number file on first use, otherwise openssl fails when it is missing) : <strong>openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out admin.crt<\/strong><\/pre>\n<\/blockquote>\n<p>- How to configure them<\/p>\n<p>For the API server (the kubeconfig used by a client):<\/p>\n<blockquote>\n<pre>apiVersion: v1<br \/>kind: Config<br \/>clusters:<br \/>- name: kubernetes<br \/>  cluster:<br \/>    certificate-authority: ca.crt<br \/>    server: https:\/\/kube-apiserver:6443<br \/>users:<br \/>- name: kubernetes-admin<br \/>  user:<br \/>    client-certificate: admin.crt<br \/>    client-key: admin.key<\/pre>\n<\/blockquote>\n<p>Call the API server with the certificate (note the line continuations, otherwise the third line runs as a separate command) :<\/p>\n<blockquote>\n<pre>curl https:\/\/kube-apiserver:6443\/api\/v1\/pods \\<br \/>  --key admin.key --cert admin.crt \\<br \/>  --cacert ca.crt<\/pre>\n<\/blockquote>\n<p>For etcd (the etcd command and its flags as listed in its manifest):<\/p>\n<blockquote>\n<pre>- etcd<br \/>- --advertise-client-urls=https:\/\/127.0.0.1:2379<br \/>- --key-file=\/path-to-certs\/etcdserver.key<br \/>- --cert-file=\/path-to-certs\/etcdserver.crt<br \/>- --client-cert-auth=true<br \/>- --data-dir=\/var\/lib\/etcd<br \/>- --initial-advertise-peer-urls=https:\/\/127.0.0.1:2380<br \/>- --initial-cluster=master=https:\/\/127.0.0.1:2380<br \/>- --listen-client-urls=https:\/\/127.0.0.1:2379<br \/>- --listen-peer-urls=https:\/\/127.0.0.1:2380<br \/>- --name=master<br \/>- --peer-cert-file=\/path-to-certs\/etcdpeer1.crt<br \/>- --peer-client-cert-auth=true<br \/>- --peer-key-file=\/etc\/kubernetes\/pki\/etcd\/peer.key<br \/>- --peer-trusted-ca-file=\/etc\/kubernetes\/pki\/etcd\/ca.crt<br \/>- --snapshot-count=10000<br \/>- --trusted-ca-file=\/etc\/kubernetes\/pki\/etcd\/ca.crt<\/pre>\n<\/blockquote>\n<p>- How to view them <br \/>- How to troubleshoot issues related to certificates<\/p>\n<p>You can also prepare a table to keep track of the certificates:<\/p>\n<table>\n<tbody>\n<tr>\n<td>Component<\/td>\n<td>Type<\/td>\n<td>Certificate Path<\/td>\n<td>CN Name<\/td>\n<td>ALT Names<\/td>\n<td>Organization<\/td>\n<td>Issuer<\/td>\n<td>Expiration<\/td>\n<\/tr>\n<tr>\n<td>kube-apiserver<\/td>\n<td>Server<\/td>\n<td>\/etc\/kubernetes\/pki\/apiserver.crt<\/td>\n<td>kube-apiserver<\/td>\n<td>DNS:master DNS:kubernetes 
DNS:kubernetes.default<\/td>\n<td>server<\/td>\n<td>self<\/td>\n<td>Feb 8 05:52 2019<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 id=\"Certificates API\"><a title=\"Summary\" href=\"#Summary\">Certificates API<\/a><\/h2>\n<p>A user who wants to call the API server with a client certificate, like this:<\/p>\n<blockquote>\n<pre>curl https:\/\/kube-apiserver:6443\/api\/v1\/pods \\<br \/>  --key admin.key --cert admin.crt \\<br \/>  --cacert ca.crt<\/pre>\n<\/blockquote>\n<p>needs a certificate signed by the cluster CA. With the Certificates API the user creates a CertificateSigningRequest (CSR) object, and the administrator then has to :<\/p>\n<p>- Review the requests<\/p>\n<p>- Approve the request<\/p>\n<p>- Share the signed certificate with the user<\/p>\n<p>Steps to apply :<\/p>\n<blockquote>\n<pre>openssl genrsa -out jane.key 2048   ==&gt; jane.key<br \/><br \/>openssl req -new -key jane.key -subj \"\/CN=jane\" -out jane.csr   ==&gt; jane.csr<br \/><br \/>jane.csr<br \/>-----BEGIN CERTIFICATE REQUEST-----<br \/>MIICWDCCAUACAQAwEzERMA8GA1UEAwwIbmV3LXVzZXIwggEiMA0GCSqGSIb3DQEB<br \/>AQUAA4IBDwAwggEKAoIBAQDO0WJW+DXsAJSIrjpNo5vRIBplnzg+6xc9+UVwkKi0<br \/>LfC27t+1eEnON5Muq99NevmMEOnrDUO\/thyVqP2w2XNIDRXjYyF40FbmD+5zWyCK<span id=\"page669R_mcid12\" class=\"markedContent\"><br role=\"presentation\" 
\/><span dir=\"ltr\" role=\"presentation\">9w0BAQsFAAOCAQEAS9iS6C1uxTuf5BBYSU7QFQHUzalNxAdYsaORRQNwHZwHqGi4<\/span><\/span><span id=\"page669R_mcid13\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">hOK4a2zyNyi44OOijyaD6tUW8DSxkr8BLK8Kg3srREtJql5rLZy9LRVrsJghD4gY<\/span><\/span><span id=\"page669R_mcid14\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">P9NL+aDRSxROVSqBaB2nWeYpM5cJ5TF53lesNSNMLQ2++RMnjDQJ7juPEic8\/<\/span><\/span><span id=\"page669R_mcid15\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">dhk<\/span><\/span><span id=\"page669R_mcid16\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">Wr2EUM6UawzykrdHImwTv2mlMY0R+DNtV1Yie+0H9\/YElt+FSGjh5L5YUvI1Dqiy<\/span><\/span><span id=\"page669R_mcid17\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">4l3E\/y3qL71WfAcuH3OsVpUUnQISMdQs0qWCsbE56CC5DhPGZIpUbnKUpAwka+8E<\/span><\/span><span id=\"page669R_mcid18\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">vwQ07jG+hpknxmuFAeXxgUwodALaJ7ju\/<\/span><\/span><span id=\"page669R_mcid19\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">TDIcw<\/span><\/span><span id=\"page669R_mcid20\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">==<\/span><\/span><span id=\"page669R_mcid21\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">-----<\/span><\/span><span id=\"page669R_mcid22\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">END CERTIFICATE REQUEST<\/span><\/span><span id=\"page669R_mcid23\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">-----<\/span><\/span><span id=\"page669R_mcid24\" class=\"markedContent\"><\/span><span id=\"page669R_mcid25\" class=\"markedContent\"><br role=\"presentation\" \/><\/span><span 
id=\"page669R_mcid40\" class=\"markedContent\"><\/span><\/pre>\n<p>&nbsp;<\/p>\n<pre><span id=\"page676R_mcid59\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">cat<\/span><\/span><span id=\"page676R_mcid60\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">jane.csr<\/span><\/span><span id=\"page676R_mcid61\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">| base64<\/span><\/span><br \/><br \/><span id=\"page691R_mcid128\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURDakNDQWZLZ0F3SUJBZ0lVRmwy<\/span><\/span><span id=\"page691R_mcid129\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">Q2wxYXoxaWl5M3JNVisreFRYQUowU3dnd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZURVRN<\/span><\/span><span id=\"page691R_mcid130\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">QkVHQTFVRUF4TUthM1ZpWlhKdVpYUmxjekFlRncweE9UQXlNVE14TmpNeU1EQmFGd1dn<\/span><\/span><span id=\"page691R_mcid131\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">Y0ZFeDl2ajNuSXY3eFdDS1NIRm5sU041c0t5Z0VxUkwzTFM5V29GelhHZDdWCmlEZ2FO<\/span><\/span><span id=\"page691R_mcid132\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">MVVRMFBXTVhjN09FVnVjSWc1Yk4weEVHTkVwRU5tdUlBNlZWeHVjS1h6aG9ldDY0MEd1<\/span><\/span><span id=\"page691R_mcid133\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">MGU0YXFKWVIKWmVMbjBvRTFCY3dod2xic0I1ND0KLS0tLS1FTkQgQ0VSVElGSUNBVEUt<\/span><\/span><span id=\"page691R_mcid134\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">LS0tLQo=<\/span><\/span><\/pre>\n<\/blockquote>\n<p>&nbsp;<\/p>\n<p>into jane-csr.yaml put<\/p>\n<blockquote>\n<pre><span id=\"page676R_mcid25\" class=\"markedContent\"><span dir=\"ltr\" 
role=\"presentation\">apiVersion<\/span><\/span><span id=\"page676R_mcid26\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">:<\/span><\/span><span id=\"page676R_mcid27\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">certificates.k8s.io\/v1beta1<\/span><\/span><span id=\"page676R_mcid28\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">kind:<\/span><\/span><span id=\"page676R_mcid29\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">CertificateSigningRequest<\/span><\/span><span id=\"page676R_mcid30\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">metadata:<\/span><\/span><span id=\"page676R_mcid31\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">name:<\/span><\/span><span id=\"page676R_mcid32\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">jane<\/span><\/span><span id=\"page676R_mcid33\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">spec:<\/span><\/span><span id=\"page676R_mcid34\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">groups:<\/span><\/span><span id=\"page676R_mcid35\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page676R_mcid36\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">system:authenticated<\/span><\/span><span id=\"page676R_mcid37\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">usages:<\/span><\/span><span id=\"page676R_mcid38\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page676R_mcid39\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">digital signature<\/span><\/span><span id=\"page676R_mcid40\" 
class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page676R_mcid41\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">key<\/span> <span dir=\"ltr\" role=\"presentation\">encipherment<\/span><\/span><span id=\"page676R_mcid42\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page676R_mcid43\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">server<\/span> <span dir=\"ltr\" role=\"presentation\">auth<\/span><\/span><span id=\"page676R_mcid44\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">reque<\/span><\/span>st:<br \/><br \/><span id=\"page691R_mcid128\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURDakNDQWZLZ0F3SUJBZ0lVRmwy<\/span><\/span><span id=\"page691R_mcid129\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">Q2wxYXoxaWl5M3JNVisreFRYQUowU3dnd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZURVRN<\/span><\/span><span id=\"page691R_mcid130\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">QkVHQTFVRUF4TUthM1ZpWlhKdVpYUmxjekFlRncweE9UQXlNVE14TmpNeU1EQmFGd1dn<\/span><\/span><span id=\"page691R_mcid131\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">Y0ZFeDl2ajNuSXY3eFdDS1NIRm5sU041c0t5Z0VxUkwzTFM5V29GelhHZDdWCmlEZ2FO<\/span><\/span><span id=\"page691R_mcid132\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">MVVRMFBXTVhjN09FVnVjSWc1Yk4weEVHTkVwRU5tdUlBNlZWeHVjS1h6aG9ldDY0MEd1<\/span><\/span><span id=\"page691R_mcid133\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">MGU0YXFKWVIKWmVMbjBvRTFCY3dod2xic0I1ND0KLS0tLS1FTkQgQ0VSVElGSUNBVEUt<\/span><\/span><span id=\"page691R_mcid134\" 
class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">LS0tLQo=<\/span><\/span><\/pre>\n<\/blockquote>\n<p>&nbsp;<\/p>\n<p>Check requests :<\/p>\n<blockquote>\n<pre><span id=\"undefined\" class=\"markedContent\"><\/span><span id=\"undefined\" class=\"markedContent\"><\/span><span id=\"page683R_mcid0\" class=\"markedContent\"><\/span><span id=\"page683R_mcid1\" class=\"markedContent\"><\/span><span id=\"undefined\" class=\"markedContent\"><\/span><span id=\"undefined\" class=\"markedContent\"><\/span><span id=\"page683R_mcid0\" class=\"markedContent\"><\/span><span id=\"page683R_mcid1\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">kubectl<\/span><\/span><span id=\"page683R_mcid2\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">get<\/span><\/span><span id=\"page683R_mcid3\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">csr<\/span><\/span><span id=\"page683R_mcid4\" class=\"markedContent\"><\/span><span id=\"page683R_mcid5\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">NAME<\/span> <span dir=\"ltr\" role=\"presentation\">AGE<\/span> <span dir=\"ltr\" role=\"presentation\">REQUESTOR<\/span> <span dir=\"ltr\" role=\"presentation\">CONDITION<\/span><\/span><span id=\"page683R_mcid6\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">jane<\/span><\/span><span id=\"page683R_mcid7\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">10m<\/span> <span dir=\"ltr\" role=\"presentation\">admin@example.com<\/span><\/span><span id=\"page683R_mcid8\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">Pending<\/span><\/span><\/pre>\n<\/blockquote>\n<p>&nbsp;<\/p>\n<p>Approve requsts:<\/p>\n<blockquote>\n<pre><span id=\"page683R_mcid10\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">kubectl<\/span><\/span><span id=\"page683R_mcid11\" 
class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">certificate approve jane<\/span><\/span><span id=\"page683R_mcid12\" class=\"markedContent\"><\/span><span id=\"page683R_mcid13\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">jane approved!<\/span><\/span><\/pre>\n<\/blockquote>\n<p>&nbsp;<\/p>\n<p>Checks jane requests after approve:<\/p>\n<blockquote>\n<pre><span id=\"undefined\" class=\"markedContent\"><\/span><span id=\"undefined\" class=\"markedContent\"><\/span><span id=\"page691R_mcid0\" class=\"markedContent\"><\/span><span id=\"page691R_mcid1\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">kubectl<\/span><\/span><span id=\"page691R_mcid2\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">get<\/span><\/span><span id=\"page691R_mcid3\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">csr<\/span><\/span><span id=\"page691R_mcid4\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">jane<\/span><\/span><span id=\"page691R_mcid5\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page691R_mcid6\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">o<\/span><\/span><span id=\"page691R_mcid7\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">yaml<\/span><\/span><span id=\"page691R_mcid8\" class=\"markedContent\"><\/span><span id=\"page691R_mcid9\" class=\"markedContent\"><\/span><\/pre>\n<pre><span id=\"page691R_mcid9\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">apiVersion<\/span><\/span><span id=\"page691R_mcid10\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">: certificates.k8s.io\/v1beta1<\/span><\/span><span id=\"page691R_mcid11\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">kind:<\/span><\/span><span id=\"page691R_mcid12\" class=\"markedContent\"> <span 
dir=\"ltr\" role=\"presentation\">CertificateSigningRequest<\/span><\/span><span id=\"page691R_mcid13\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">metadata:<\/span><\/span><span id=\"page691R_mcid14\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">creationTimestamp<\/span><\/span><span id=\"page691R_mcid15\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">: 2019<\/span><\/span><span id=\"page691R_mcid16\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page691R_mcid17\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">02<\/span><\/span><span id=\"page691R_mcid18\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page691R_mcid19\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">13T16:36:43Z<\/span><\/span><span id=\"page691R_mcid20\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">name: new<\/span><\/span><span id=\"page691R_mcid21\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page691R_mcid22\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">user<\/span><\/span><span id=\"page691R_mcid23\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">spec:<\/span><\/span><span id=\"page691R_mcid24\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">groups:<\/span><\/span><span id=\"page691R_mcid25\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page691R_mcid26\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">system:masters<\/span><\/span><span id=\"page691R_mcid27\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" 
role=\"presentation\">-<\/span><\/span><span id=\"page691R_mcid28\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">system:authenticated<\/span><\/span><span id=\"page691R_mcid29\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">usages:<\/span><\/span><span id=\"page691R_mcid30\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page691R_mcid31\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">digital signature<\/span><\/span><span id=\"page691R_mcid32\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page691R_mcid33\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">key encipherment<\/span><\/span><span id=\"page691R_mcid34\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page691R_mcid35\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">server auth<\/span><\/span><span id=\"page691R_mcid36\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">username:<\/span><\/span><span id=\"page691R_mcid37\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">kubernetes<\/span><\/span><span id=\"page691R_mcid38\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page691R_mcid39\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">admin<\/span><\/span><span id=\"page691R_mcid40\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">status:<\/span><\/span><span id=\"page691R_mcid41\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">certificate:<\/span><\/span><span id=\"page691R_mcid42\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" 
role=\"presentation\">LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURDakNDQWZLZ0F3SUJBZ0lVRmwy<\/span><\/span><span id=\"page691R_mcid43\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">Q2wxYXoxaWl5M3JNVisreFRYQUowU3dnd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZURVRN<\/span><\/span><span id=\"page691R_mcid44\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">QkVHQTFVRUF4TUthM1ZpWlhKdVpYUmxjekFlRncweE9UQXlNVE14TmpNeU1EQmFGd1dn<\/span><\/span><span id=\"page691R_mcid45\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">Y0ZFeDl2ajNuSXY3eFdDS1NIRm5sU041c0t5Z0VxUkwzTFM5V29GelhHZDdWCmlEZ2FO<\/span><\/span><span id=\"page691R_mcid46\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">MVVRMFBXTVhjN09FVnVjSWc1Yk4weEVHTkVwRU5tdUlBNlZWeHVjS1h6aG9ldDY0MEd1<\/span><\/span><span id=\"page691R_mcid47\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">MGU0YXFKWVIKWmVMbjBvRTFCY3dod2xic0I1ND0KLS0tLS1FTkQgQ0VSVElGSUNBVEUt<\/span><\/span><span id=\"page691R_mcid48\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">LS0tLQo=<\/span><\/span><span id=\"page691R_mcid49\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">conditions:<\/span><\/span><span id=\"page691R_mcid50\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page691R_mcid51\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">lastUpdateTime<\/span><\/span><span id=\"page691R_mcid52\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">: 2019<\/span><\/span><span id=\"page691R_mcid53\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page691R_mcid54\" class=\"markedContent\"><span dir=\"ltr\" 
role=\"presentation\">02<\/span><\/span><span id=\"page691R_mcid55\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page691R_mcid56\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">13T16:37:21Z<\/span><\/span><span id=\"page691R_mcid57\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">message: This CSR was approved by<\/span><\/span><span id=\"page691R_mcid58\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">kubectl<\/span><\/span><span id=\"page691R_mcid59\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">certificate approve.<\/span><\/span><span id=\"page691R_mcid60\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">reason:<\/span><\/span><span id=\"page691R_mcid61\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">KubectlApprove<\/span><\/span><span id=\"page691R_mcid62\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">type: Approved<\/span><\/span><span id=\"page691R_mcid63\" class=\"markedContent\"><\/span><span id=\"page691R_mcid64\" class=\"markedContent\"><br role=\"presentation\" \/><\/span><br \/><span id=\"page691R_mcid87\" class=\"markedContent\"><\/span><span id=\"page691R_mcid88\" class=\"markedContent\"><\/span><\/pre>\n<\/blockquote>\n<p><span id=\"page691R_mcid88\" class=\"markedContent\">Decode certificate<\/span><\/p>\n<blockquote>\n<pre><span id=\"page691R_mcid88\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">echo \u201cLS0...<\/span><\/span><span id=\"page691R_mcid89\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">Qo<\/span><\/span><span id=\"page691R_mcid90\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">=\u201d | base64<\/span><\/span><span id=\"page691R_mcid91\" class=\"markedContent\"> <span dir=\"ltr\" 
role=\"presentation\">--<\/span><\/span><span id=\"page691R_mcid92\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">decode<\/span><\/span><span id=\"page691R_mcid93\" class=\"markedContent\"><\/span><span id=\"page691R_mcid94\" class=\"markedContent\"><\/span><span id=\"page691R_mcid95\" class=\"markedContent\"><br role=\"presentation\" \/><\/span><span id=\"page691R_mcid128\" class=\"markedContent\"><br role=\"presentation\" \/><\/span><span id=\"page691R_mcid64\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">-----<\/span><\/span><span id=\"page691R_mcid65\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">BEGIN CERTIFICATE<\/span><\/span><span id=\"page691R_mcid66\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">-----<\/span><\/span><span id=\"page691R_mcid67\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">MIICWDCCAUACAQAwEzERMA8GA1UEAwwIbmV3LXVzZXIwgg<\/span><\/span><span id=\"page691R_mcid68\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">AQUAA4IBDwAwggEKAoIBAQDO0WJW+DXsAJSIrjpNo5vRIB<\/span><\/span><span id=\"page691R_mcid69\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">LfC27t+1eEnON5Muq99NevmMEOnrDUO\/thyVqP2w2XNIDR<\/span><\/span><span id=\"page691R_mcid70\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">y3BihhB93MJ7Oql3UTvZ8TELqyaDknRl\/<\/span><\/span><span id=\"page691R_mcid71\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">jv<\/span><\/span><span id=\"page691R_mcid72\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">\/SxgXkok0AB<\/span><\/span><span id=\"page691R_mcid73\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">IF5nxAttMVkDPQ7NbeZRG43b+QWlVGR\/z6DWOfJnbfezOt<\/span><\/span><span id=\"page691R_mcid74\" 
class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">EcCXAwqChjBLkz2BHPR4J89D6Xb8k39pu6jpyngV6uP0tI<\/span><\/span><span id=\"page691R_mcid75\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">j2qEL+hZEWkkFz80lNNtyT5LxMqENDCnIgwC4GZiRGbrAg<\/span><\/span><span id=\"page691R_mcid76\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">9w0BAQsFAAOCAQEAS9iS6C1uxTuf5BBYSU7QFQHUzalNxA<\/span><\/span><span id=\"page691R_mcid77\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">hOK4a2zyNyi44OOijyaD6tUW8DSxkr8BLK8Kg3srREtJql<\/span><\/span><span id=\"page691R_mcid78\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">P9NL+aDRSxROVSqBaB2nWeYpM5cJ5TF53lesNSNMLQ2++R<\/span><\/span><span id=\"page691R_mcid79\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">Wr2EUM6UawzykrdHImwTv2mlMY0R+DNtV1Yie+0H9\/YElt<\/span><\/span><span id=\"page691R_mcid80\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">4l3E\/y3qL71WfAcuH3OsVpUUnQISMdQs0qWCsbE56CC5Dh<\/span><\/span><span id=\"page691R_mcid81\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">vwQ07jG+hpknxmuFAeXxgUwodALaJ7ju\/<\/span><\/span><span id=\"page691R_mcid82\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">TDIcw<\/span><\/span><span id=\"page691R_mcid83\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">==<\/span><\/span><span id=\"page691R_mcid84\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">-----<\/span><\/span><span id=\"page691R_mcid85\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">END CERTIFICATE<\/span><\/span><span id=\"page691R_mcid86\" class=\"markedContent\"> <span dir=\"ltr\" 
role=\"presentation\">-----<\/span><\/span><\/pre>\n<\/blockquote>\n<h2 id=\"KubeConfig\"><a title=\"Summary\" href=\"#Summary\">KubeConfig<\/a><\/h2>\n<p>config file hosted into $HOME\/.kube\/config has tree sections : Clusters (dev, production, Google...) , Context (dev@dev_User, admin@Google) and Users(Admin, dev_User, Pord_User)<\/p>\n<p>The context : what user can acces a wich Cluster<\/p>\n<p>Config file in a yaml format :<\/p>\n<blockquote>\n<pre><span id=\"undefined\" class=\"markedContent\"><\/span><span id=\"undefined\" class=\"markedContent\"><\/span><span id=\"undefined\" class=\"markedContent\"><\/span><span id=\"page781R_mcid0\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">Kubectl<\/span><\/span><span id=\"page781R_mcid1\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">config<\/span><\/span><span id=\"page781R_mcid2\" class=\"markedContent\"><\/span><span id=\"page781R_mcid3\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">apiVersion<\/span><\/span><span id=\"page781R_mcid4\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">: v1<\/span><\/span><span id=\"page781R_mcid5\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">kind: Config<\/span><\/span><span id=\"page781R_mcid6\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">current<\/span><\/span><span id=\"page781R_mcid7\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page781R_mcid8\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">context:<\/span><\/span><span id=\"page781R_mcid9\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">kubernetes<\/span><\/span><span id=\"page781R_mcid10\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page781R_mcid11\" class=\"markedContent\"><span dir=\"ltr\" 
role=\"presentation\">admin@kubernetes<\/span><\/span>\nclusters:\n- cluster:\n    certificate-authority-data: REDACTED\n    server: https:\/\/172.17.0.5:6443\n  name: kubernetes\ncontexts:\n- context:\n    cluster: kubernetes\n    user: kubernetes-admin\n  name: kubernetes-admin@kubernetes\nusers:\n- name: kubernetes-admin\n  user:\n    client-certificate-data: REDACTED\n    client-key-data: REDACTED<\/pre>\n<\/blockquote>\n<p>To print the kubeconfig that kubectl is currently using, run:<\/p>\n<blockquote>\n<pre>kubectl config view<\/pre>\n<\/blockquote>\n<p>By default the certificate and key values are left out of that output (shown as DATA+OMITTED or REDACTED); <code>kubectl config view --raw<\/code> prints them, so treat its output as a secret: the client key is a credential for the cluster, and for the kubernetes-admin user above it is normally cluster-admin.<\/p>\n<p>Instead of pointing at files with certificate-authority, client-certificate and client-key, the PEM files can be embedded in the kubeconfig itself. The field then takes the -data suffix and holds the file base64-encoded (what <code>base64 -w0 ca.crt<\/code> prints on Linux), as in this cluster entry:<\/p>\n<blockquote>\n<pre>apiVersion: v1\nkind: Config\nclusters:\n- name: production\n  cluster:\n    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1dEQ0NBVUFDQVFBd0V6RVJNQThHQTFVRUF3d0libVYzTFhWelpYSXdnZ0VpTUEwR0NTcUdTSWIzRFFFQgpBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRE8wV0pXK0RYc0FK<\/pre>\n<\/blockquote>\n<p>The value is cut short in the slide, and decoding what is there with <code>base64 -d<\/code> gives <code>-----BEGIN CERTIFICATE REQUEST-----<\/code>: the sample was pasted from a CSR, whereas a genuine certificate-authority-data value decodes to <code>-----BEGIN CERTIFICATE-----<\/code>. Decoding the field is a quick way to check what a kubeconfig actually trusts.<\/p>\n<p>In summary, a kubeconfig has three lists. clusters holds each API server address together with the CA that signs its serving certificate; users holds client credentials (a client certificate and key, or a token); contexts pair one cluster with one user and, optionally, a default namespace. current-context names the context kubectl uses unless --context overrides it.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone  wp-image-235\" src=\"https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/kubconfig.png\" alt=\"\" width=\"828\" height=\"374\" srcset=\"https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/kubconfig.png 1180w, https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/kubconfig-300x136.png 300w, https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/kubconfig-1024x463.png 1024w, https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/kubconfig-768x347.png 768w\" sizes=\"(max-width: 828px) 100vw, 828px\" \/><\/p>\n<h2 id=\"API Groups\"><a title=\"Summary\" href=\"#Summary\">API Groups<\/a><\/h2>\n<p><span class=\"ILfuVd\" lang=\"en\"><span class=\"hgKElc\">API groups <b>make it easier to extend the Kubernetes API<\/b>. 
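<\/span><\/span><\/p>
<p>Putting the kubeconfig summary above together with the REST paths this section is about, here is an added example that is not part of the original page: a small Python model of what kubectl does before every call. It resolves the current context to a cluster and a user, decodes the base64 *-data fields, flags the settings in a cluster entry that a reviewer would question, and builds the request URL for a resource from its apiVersion (core group under \/api, named groups under \/apis). The kubeconfig, the PEM bodies, the second cluster and the second user are constructed for the example; the server address 172.17.0.5:6443 is the one from the sample above; the function names are the example's own.<\/p>

```python
import base64

# Placeholder PEM bodies (constructed; not real X.509 material).
FAKE_CA_PEM = '''-----BEGIN CERTIFICATE-----
MIIBplaceholderCAbody
-----END CERTIFICATE-----
'''
FAKE_CLIENT_CERT = '''-----BEGIN CERTIFICATE-----
MIIBplaceholderClientCert
-----END CERTIFICATE-----
'''
FAKE_CLIENT_KEY = '''-----BEGIN RSA PRIVATE KEY-----
MIIEplaceholderClientKey
-----END RSA PRIVATE KEY-----
'''

def b64(text):
    '''What base64 -w0 does to a PEM file before it is pasted into a *-data field.'''
    return base64.b64encode(text.encode('ascii')).decode('ascii')

# Constructed kubeconfig in the shape of the sample above. The second cluster and
# user exist only to give the audit something to flag.
KUBECONFIG = {
    'apiVersion': 'v1',
    'kind': 'Config',
    'current-context': 'kubernetes-admin@kubernetes',
    'clusters': [
        {'name': 'kubernetes', 'cluster': {
            'server': 'https://172.17.0.5:6443',
            'certificate-authority-data': b64(FAKE_CA_PEM)}},
        {'name': 'lab', 'cluster': {
            'server': 'https://10.0.0.9:6443',
            'insecure-skip-tls-verify': True}},
    ],
    'users': [
        {'name': 'kubernetes-admin', 'user': {
            'client-certificate-data': b64(FAKE_CLIENT_CERT),
            'client-key-data': b64(FAKE_CLIENT_KEY)}},
        {'name': 'dev-user', 'user': {'token': 'constructed-bearer-token'}},
    ],
    'contexts': [
        {'name': 'kubernetes-admin@kubernetes', 'context': {
            'cluster': 'kubernetes', 'user': 'kubernetes-admin'}},
        {'name': 'dev@lab', 'context': {
            'cluster': 'lab', 'user': 'dev-user', 'namespace': 'dev'}},
    ],
}

def _named(items, name, key):
    for item in items:
        if item['name'] == name:
            return item[key]
    raise KeyError(f'{key} {name!r} is not defined in the kubeconfig')

def resolve_context(cfg, context_name=None):
    '''Cluster, user and namespace a context points at; kubectl does this first.'''
    ctx = _named(cfg['contexts'], context_name or cfg['current-context'], 'context')
    return {'cluster': _named(cfg['clusters'], ctx['cluster'], 'cluster'),
            'user': _named(cfg['users'], ctx['user'], 'user'),
            'namespace': ctx.get('namespace', 'default')}

def pem_header(data_field):
    '''Decode a *-data field and return its first PEM line, e.g. to confirm that
    certificate-authority-data really carries a CERTIFICATE and not a REQUEST.'''
    first = base64.b64decode(data_field).decode('ascii').splitlines()[0]
    if not first.startswith('-----BEGIN '):
        raise ValueError('decoded value is not PEM')
    return first

def audit_cluster(cluster):
    '''Settings in a cluster entry that a security review should flag.'''
    findings = []
    if not cluster['server'].startswith('https://'):
        findings.append('server is not https')
    if cluster.get('insecure-skip-tls-verify'):
        findings.append('insecure-skip-tls-verify: the server certificate is never checked')
    if 'certificate-authority-data' not in cluster and 'certificate-authority' not in cluster:
        findings.append('no CA configured: nothing pins which server is trusted')
    return findings

def rest_path(api_version, resource, namespace=None, name=None):
    '''Core group (apiVersion v1) lives under /api/v1; named groups such as apps/v1
    or rbac.authorization.k8s.io/v1 live under /apis/GROUP/VERSION.'''
    if '/' in api_version:
        group, version = api_version.split('/', 1)
        path = f'/apis/{group}/{version}'
    else:
        path = f'/api/{api_version}'
    if namespace:
        path += f'/namespaces/{namespace}'
    path += f'/{resource}'
    return path + (f'/{name}' if name else '')

def request_url(cfg, api_version, resource, name=None, cluster_scoped=False):
    '''Full URL for the current context; cluster-scoped kinds (nodes, namespaces)
    take no namespace segment.'''
    resolved = resolve_context(cfg)
    ns = None if cluster_scoped else resolved['namespace']
    return resolved['cluster']['server'] + rest_path(api_version, resource, ns, name)
```

<p>audit_cluster is the check worth running over every kubeconfig found on a jump host or in CI: insecure-skip-tls-verify and a missing CA are the two settings that turn a kubeconfig into an easy man-in-the-middle target, and pem_header catches a certificate-authority-data field that carries something other than a certificate, as the CERTIFICATE REQUEST value in the sample above does.<\/p>
<p><span class=\"ILfuVd\" lang=\"en\"><span class=\"hgKElc\">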
The API group is specified in the REST path and in the apiVersion field of a serialized object. The core (also called legacy) group has no name and is served at \/api\/v1; every other group is served under \/apis\/&lt;group&gt;\/&lt;version&gt;, for example \/apis\/apps\/v1 or \/apis\/rbac.authorization.k8s.io\/v1.<\/span><\/span><\/p>\n<p>Besides \/api and \/apis, the API server exposes a few top-level endpoints that are not API groups, such as \/version, \/healthz, \/metrics and \/logs. All of them can be called directly, for example <code>curl https:\/\/kube-master:6443\/version<\/code> or <code>curl https:\/\/kube-master:6443\/api\/v1\/pods<\/code>. Only a handful of paths such as \/version are open to anonymous callers; resource paths need the cluster CA plus a client certificate or bearer token (<code>--cacert ca.crt --cert admin.crt --key admin.key<\/code>), otherwise the request is treated as system:anonymous and answered with 403 Forbidden.<\/p>\n<p>So we distinguish the core group (\/api) from the named API groups (\/apis):<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone  wp-image-232\" src=\"https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/coreapigroups.png\" alt=\"\" width=\"519\" height=\"388\" srcset=\"https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/coreapigroups.png 677w, https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/coreapigroups-300x224.png 300w\" sizes=\"(max-width: 519px) 100vw, 519px\" \/> <img decoding=\"async\" loading=\"lazy\" class=\"alignnone  wp-image-233\" src=\"https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/namedapigroups.png\" alt=\"\" width=\"732\" height=\"390\" srcset=\"https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/namedapigroups.png 1188w, https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/namedapigroups-300x160.png 300w, https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/namedapigroups-1024x546.png 1024w, https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/namedapigroups-768x409.png 768w\" sizes=\"(max-width: 732px) 100vw, 732px\" \/><\/p>\n<blockquote>\n<pre>List every API group the server knows by going through a local proxy: run 'kubectl proxy' in one terminal, then in another terminal run 'curl http:\/\/127.0.0.1:8001\/apis'. The proxy attaches the credentials from your kubeconfig, so no -k or certificate flags are needed; it listens on plain HTTP, on localhost only.<\/pre>\n<\/blockquote>\n<p>Do not confuse <strong>kube-proxy<\/strong> with <strong>kubectl proxy<\/strong>: kube-proxy is the per-node component that implements Service virtual IPs, whereas kubectl proxy is an HTTP proxy that kubectl starts on your machine to forward requests to the API server with your kubeconfig credentials.<\/p>\n<h2 id=\"Authorization\"><a title=\"Summary\" href=\"#Summary\">Authorization<\/a><\/h2>\n<p>Authorization help 
us to deny a developer the ability to delete a cluster or a node, or to read production logs, even though they are authenticated.<\/p>\n<p>There are several authorization mechanisms: Node, ABAC, RBAC and Webhook, plus two trivial ones, AlwaysAllow (every request is allowed) and AlwaysDeny (every request is denied). They are enabled with the --authorization-mode flag of kube-apiserver.<\/p>\n<p>- Node: the API server is called by users and by the kubelets. A kubelet reads services, endpoints, nodes and the pods scheduled to it (plus the secrets and configmaps those pods mount), and writes node status, pod status and events. The Node authorizer grants exactly that set to requests whose identity is a kubelet (user system:node:&lt;nodeName&gt; in group system:nodes, established by the kubelet's client certificate or token) and has no opinion on anything else, so a kubelet cannot, for instance, read the secrets of pods that are not bound to it.<\/p>\n<p>- ABAC (attribute-based access control): access rights are granted through policies that combine attributes of the request (user or group, namespace, resource, API group, verb). For example, a dev user may view, create and delete pods while a security user may view and approve CSRs. Policies are not sent through the API: they are written one JSON object per line into a file passed to kube-apiserver with --authorization-policy-file, and a change only takes effect after the API server is restarted. The policy below grants alice every action on every resource in every namespace:<\/p>\n<blockquote>\n<pre tabindex=\"0\"><code class=\"language-json\" data-lang=\"json\">{\"apiVersion\": \"abac.authorization.kubernetes.io\/v1beta1\", \"kind\": \"Policy\", \"spec\": {\"user\": \"alice\", \"namespace\": \"*\", \"resource\": \"*\", \"apiGroup\": \"*\"}}<\/code>\n\n- RBAC (role-based access control): you create a Role (or ClusterRole) that lists which verbs are allowed on which resources, and bind users or groups to it with a RoleBinding (or ClusterRoleBinding). 
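<\/pre>
<\/blockquote>
<p>The modes listed at the start of this section are consulted in the order given to --authorization-mode: each authorizer answers allow, deny or no opinion, the first allow or deny wins, and a request on which none of them has an opinion is denied. The following is an added example, not code from the original page or from Kubernetes itself: a Python model of that chain with a simplified Node authorizer, the alice ABAC policy above, the developer Role that the RBAC section defines further down, and a hypothetical webhook agent. The second ABAC line, the RoleBinding for dev-user-1 in namespace default, the kubelet identity and the webhook's policy are all constructed for the example.<\/p>

```python
ALLOW, DENY, NO_OPINION = 'allow', 'deny', 'no opinion'

def req(user, verb, resource, namespace='', api_group='', groups=()):
    '''Attributes of an authenticated request, as the authorizers see them.'''
    return {'user': user, 'groups': set(groups), 'verb': verb,
            'resource': resource, 'namespace': namespace, 'apiGroup': api_group}

def always_allow(r):
    return ALLOW

def always_deny(r):
    return DENY

# Node: applies only to kubelets (user system:node:NAME in group system:nodes) and
# grants just the reads a kubelet needs plus status and event writes. Anything else,
# such as a kubelet creating pods, is passed on to the next authorizer.
NODE_READS = {'services', 'endpoints', 'nodes', 'pods', 'secrets', 'configmaps'}
NODE_WRITES = {('update', 'nodes/status'), ('patch', 'nodes/status'),
               ('update', 'pods/status'), ('patch', 'pods/status'), ('create', 'events')}

def node_authorizer(r):
    if 'system:nodes' not in r['groups'] or not r['user'].startswith('system:node:'):
        return NO_OPINION
    if r['verb'] in ('get', 'list', 'watch') and r['resource'] in NODE_READS:
        return ALLOW
    if (r['verb'], r['resource']) in NODE_WRITES:
        return ALLOW
    return NO_OPINION

# ABAC: the policy lines of --authorization-policy-file (constructed; the first one
# is the alice policy shown above). '*' matches anything.
ABAC_POLICIES = [
    {'user': 'alice', 'namespace': '*', 'resource': '*', 'apiGroup': '*'},
    {'user': 'dev-user-1', 'namespace': 'dev', 'resource': 'pods', 'apiGroup': ''},
]

def abac_authorizer(r):
    for p in ABAC_POLICIES:
        if p['user'] != r['user']:
            continue
        if all(p[k] in ('*', r[k]) for k in ('namespace', 'resource', 'apiGroup')):
            return ALLOW
    return NO_OPINION

# RBAC: the developer Role of the RBAC section (apiGroups [''] is the core group),
# bound to dev-user-1 in namespace default (binding constructed). RBAC is additive:
# it allows or abstains, it never denies.
ROLES = {('default', 'developer'): [
    {'apiGroups': [''], 'resources': ['pods'],
     'verbs': ['list', 'get', 'create', 'update', 'delete']},
]}
ROLE_BINDINGS = [{'namespace': 'default', 'role': 'developer', 'subjects': {'dev-user-1'}}]

def rule_matches(rule, r):
    return all('*' in rule[field] or r[attr] in rule[field]
               for field, attr in (('apiGroups', 'apiGroup'),
                                   ('resources', 'resource'), ('verbs', 'verb')))

def rbac_authorizer(r):
    for b in ROLE_BINDINGS:
        if r['user'] in b['subjects'] and b['namespace'] == r['namespace']:
            if any(rule_matches(rule, r) for rule in ROLES[(b['namespace'], b['role'])]):
                return ALLOW
    return NO_OPINION

# Webhook: stands in for the external policy agent; a real one is asked over HTTPS
# with a SubjectAccessReview. This hypothetical agent vetoes deletes outside 'dev'.
def webhook_authorizer(r):
    if r['verb'] == 'delete' and r['namespace'] != 'dev':
        return DENY
    return NO_OPINION

MODES = {'AlwaysAllow': always_allow, 'AlwaysDeny': always_deny,
         'Node': node_authorizer, 'ABAC': abac_authorizer,
         'RBAC': rbac_authorizer, 'Webhook': webhook_authorizer}

def authorize(mode_flag, r):
    '''Mirror --authorization-mode=A,B,C: consult the authorizers in that order and
    stop at the first allow or deny; if all of them abstain, the request is denied.'''
    for mode in mode_flag.split(','):
        decision = MODES[mode](r)
        if decision != NO_OPINION:
            return decision, mode
    return DENY, 'no authorizer had an opinion'
```

<p>The order of the modes in the flag is the point to take away: with Node,RBAC,Webhook a pod delete that the developer Role allows is answered by RBAC and the webhook never sees it, while with Node,Webhook,RBAC the same request is denied. A webhook that is meant to act as a veto therefore has to be listed before RBAC.<\/p>
<blockquote>
<pre tabindex=\"0\">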
For example, a Role named developer that allows list, get, create and delete on pods, bound to the developer users 1, 2 and 3.\n\n- Webhook: authorization is delegated to an external policy agent. When dev-user-1 asks the API server to delete a pod, the API server sends the agent a SubjectAccessReview describing the request (user, groups, verb, resource, namespace) and the agent answers allowed or denied.\n\nThe modes are selected with the --authorization-mode flag of kube-apiserver, as in this excerpt of its systemd unit:\n\nExecStart=\/usr\/local\/bin\/kube-apiserver \\\n  --advertise-address=${INTERNAL_IP} \\\n  --allow-privileged=true \\\n  --apiserver-count=3 \\\n  <strong>--authorization-mode=Node,RBAC,Webhook \\<\/strong>\n  --bind-address=0.0.0.0 \\\n  --enable-swagger-ui=true \\\n  --etcd-cafile=\/var\/lib\/kubernetes\/ca.pem \\\n  --etcd-certfile=\/var\/lib\/kubernetes\/apiserver-etcd-client.crt \\\n  --etcd-keyfile=\/var\/lib\/kubernetes\/apiserver-etcd-client.key \\\n  --etcd-servers=https:\/\/127.0.0.1:2379 \\\n  --event-ttl=1h \\\n  --kubelet-certificate-authority=\/var\/lib\/kubernetes\/ca.pem \\\n  --kubelet-client-certificate=\/var\/lib\/kubernetes\/apiserver-etcd-client.crt \\\n  --kubelet-client-key=\/var\/lib\/kubernetes\/apiserver-etcd-client.key \\\n  --service-node-port-range=30000-32767 \\\n  --client-ca-file=\/var\/lib\/kubernetes\/ca.pem \\\n  --tls-cert-file=\/var\/lib\/kubernetes\/apiserver.crt \\\n  --tls-private-key-file=\/var\/lib\/kubernetes\/apiserver.key \\\n  --v=2<\/pre>\n<\/blockquote>\n<p>When more than one mode is configured, for example Node,RBAC,Webhook, the API server consults the authorizers in that order. Each one returns allow, deny or no opinion; the first allow or deny ends the evaluation, and a request on which every authorizer has no opinion is denied. Node, ABAC and RBAC only ever allow or abstain, so a deny can only come from a Webhook, from AlwaysDeny, or from running out of authorizers. The order therefore matters: with Node,RBAC,Webhook a request that RBAC allows is never shown to the webhook.<\/p>\n<h2 id=\"Role Based Access Controls (RBAC)\"><a title=\"Summary\" href=\"#Summary\">Role Based Access Controls (RBAC)<\/a><\/h2>\n<p>1- Create the Role in a file named developer-role.yaml (manifest below) and submit it:<\/p>\n<blockquote>\n<pre>kubectl create -f developer-role.yaml<\/pre>\n<pre>apiVersion: rbac.authorization.k8s.io\/v1<span id=\"page1058R_mcid20\" 
class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">kind:<\/span><\/span><span id=\"page1058R_mcid21\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">Role<\/span><\/span><span id=\"page1058R_mcid22\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">metadata:<\/span><\/span><span id=\"page1058R_mcid23\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">name:<\/span><\/span><span id=\"page1058R_mcid24\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">developer<\/span><\/span><span id=\"page1058R_mcid25\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">rules:<\/span><\/span><span id=\"page1058R_mcid26\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page1058R_mcid27\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">apiGroups<\/span><\/span><span id=\"page1058R_mcid28\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">:<\/span><\/span><span id=\"page1058R_mcid29\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">[<\/span><\/span><span id=\"page1058R_mcid30\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">\"\"<\/span><\/span><span id=\"page1058R_mcid31\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">]<\/span><\/span><span id=\"page1058R_mcid32\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">resources:<\/span><\/span><span id=\"page1058R_mcid33\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">[<\/span><\/span><span id=\"page1058R_mcid34\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">\"pods\"<\/span><\/span><span id=\"page1058R_mcid35\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">]<\/span><\/span><span 
id=\"page1058R_mcid36\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">verbs:<\/span><\/span><span id=\"page1058R_mcid37\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">[<\/span><\/span><span id=\"page1058R_mcid38\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">\"list\u201c,<\/span><\/span><span id=\"page1058R_mcid39\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">\"get\"<\/span><\/span><span id=\"page1058R_mcid40\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">,<\/span><\/span><span id=\"page1058R_mcid41\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">\u201ccreate\u201c,<\/span> <span dir=\"ltr\" role=\"presentation\">\u201cupdate\u201c,<\/span> <span dir=\"ltr\" role=\"presentation\">\u201cde<\/span><\/span><span id=\"page1058R_mcid43\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">developer<\/span><\/span><span id=\"page1058R_mcid44\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page1058R_mcid45\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">role.yaml<\/span><\/span><span id=\"page1058R_mcid47\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page1058R_mcid48\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">apiGroups<\/span><\/span><span id=\"page1058R_mcid49\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">:<\/span><\/span><span id=\"page1058R_mcid50\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">[<\/span><\/span><span id=\"page1058R_mcid51\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">\"\"<\/span><\/span><span id=\"page1058R_mcid52\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">]<\/span><\/span><span id=\"page1058R_mcid53\" class=\"markedContent\"><br 
role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">resources:<\/span><\/span><span id=\"page1058R_mcid54\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">[<\/span><\/span><span id=\"page1058R_mcid55\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">\u201c<\/span><\/span><span id=\"page1058R_mcid56\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">ConfigMap<\/span><\/span><span id=\"page1058R_mcid57\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">\"<\/span><\/span><span id=\"page1058R_mcid58\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">]<\/span><\/span><span id=\"page1058R_mcid59\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">verbs:<\/span><\/span><span id=\"page1058R_mcid60\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">[<\/span><\/span><span id=\"page1058R_mcid61\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">\u201ccreate\u201c<\/span><\/span><span id=\"page1058R_mcid62\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">]<\/span><\/span><\/pre>\n<p>or with command :<\/p>\n<pre>kubectl create role developer --verb=list,create,delete --resources=pods<\/pre>\n<\/blockquote>\n<p>2- We create a binding role file to bind users with role :<\/p>\n<blockquote>\n<pre>kubectl create -f devuser-binding.yaml<\/pre>\n<pre><span id=\"page1058R_mcid64\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">apiVersion<\/span><\/span><span id=\"page1058R_mcid65\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">:<\/span><\/span><span id=\"page1058R_mcid66\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">rbac.authorization.k8s.io\/v1<\/span><\/span><span id=\"page1058R_mcid67\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">kind:<\/span><\/span><span id=\"page1058R_mcid68\" 
class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">RoleBinding<\/span><\/span><span id=\"page1058R_mcid69\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">metadata:<\/span><\/span><span id=\"page1058R_mcid70\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">name:<\/span><\/span><span id=\"page1058R_mcid71\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">devuser<\/span><\/span><span id=\"page1058R_mcid72\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page1058R_mcid73\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">developer<\/span><\/span><span id=\"page1058R_mcid74\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page1058R_mcid75\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">binding<\/span><\/span><span id=\"page1058R_mcid76\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">subjects:<\/span><\/span><span id=\"page1058R_mcid77\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page1058R_mcid78\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">kind:<\/span><\/span><span id=\"page1058R_mcid79\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">User<\/span><\/span><span id=\"page1058R_mcid80\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">name:<\/span><\/span><span id=\"page1058R_mcid81\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">dev<\/span><\/span><span id=\"page1058R_mcid82\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">-<\/span><\/span><span id=\"page1058R_mcid83\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">user<\/span><\/span><span id=\"page1058R_mcid84\" 
class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">apiGroup<\/span><\/span><span id=\"page1058R_mcid85\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">:<\/span><\/span><span id=\"page1058R_mcid86\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">rbac.authorization.k8s.io<\/span><\/span><span id=\"page1058R_mcid87\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">roleRef<\/span><\/span><span id=\"page1058R_mcid88\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">:<\/span><\/span><span id=\"page1058R_mcid89\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">kind:<\/span><\/span><span id=\"page1058R_mcid90\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">Role<\/span><\/span><span id=\"page1058R_mcid91\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">name:<\/span><\/span><span id=\"page1058R_mcid92\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">developer<\/span><\/span><span id=\"page1058R_mcid93\" class=\"markedContent\"><br role=\"presentation\" \/><span dir=\"ltr\" role=\"presentation\">apiGroup<\/span><\/span><span id=\"page1058R_mcid94\" class=\"markedContent\"><span dir=\"ltr\" role=\"presentation\">:<\/span><\/span><span id=\"page1058R_mcid95\" class=\"markedContent\"> <span dir=\"ltr\" role=\"presentation\">rbac.authorization.k8s.io<\/span><\/span><\/pre>\n<p>or with command :<\/p>\n<pre>kubectl create rolebinding --help<\/pre>\n<pre>kubectl create rolebinding dev-user-binding --role=developer --user=dev-user<\/pre>\n<\/blockquote>\n<p>3- Check creations<\/p>\n<blockquote>\n<pre>kubectl get roles<\/pre>\n<pre>kubectl get rolebindings<\/pre>\n<pre>kubectl describe role developer<\/pre>\n<pre>kubectl describe rolebinding dev-binding<\/pre>\n<p>4- check access<\/p>\n<pre>kubectl auth can-i create 
deployments ===&gt; yes<\/pre>\n<pre>kubectl auth can-i delete nodes ===&gt; no<\/pre>\n<pre>kubectl auth can-i create deployments --as dev-user --namespace test ===&gt; impersonate dev-user to check its permissions in the test namespace<\/pre>\n<\/blockquote>\n<p>5- Explore the environment<\/p>\n<p>In \/etc\/kubernetes\/manifests\/api-server check the authorization-mode attribute<\/p>\n<blockquote>\n<pre>or with command : ps -aux | grep authorization<\/pre>\n<pre>kubectl get roles -A --no-headers | wc -l<\/pre>\n<pre>kubectl describe role kube-proxy -n kube-system<\/pre>\n<\/blockquote>\n<p>To know which account is attached to a role :<\/p>\n<blockquote>\n<pre>kubectl describe rolebindings<\/pre>\n<pre>check as a user : kubectl --as dev-user get pod dark-blue-app -n blue<\/pre>\n<pre>kubectl edit role developer -n blue ==&gt; change or modify a role<\/pre>\n<\/blockquote>\n<p>To give the user permission to create deployments,<\/p>\n<p>add to the role file a rule with apiGroups \"apps\", resources \"deployments\" and verbs \"create\"<\/p>\n<h2 id=\"Cluster Roles and Role Bindings\"><a title=\"Summary\" href=\"#Summary\">Cluster Roles and Role Bindings<\/a><\/h2>\n<p>Objects are either namespace scoped, like pods, replicasets ..., or cluster scoped<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone  wp-image-241\" src=\"https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/scopecluster.png\" alt=\"\" width=\"737\" height=\"326\" srcset=\"https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/scopecluster.png 1178w, https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/scopecluster-300x133.png 300w, https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/scopecluster-1024x453.png 1024w, https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/scopecluster-768x340.png 768w\" sizes=\"(max-width: 737px) 100vw, 737px\" \/><\/p>\n<p>In this section we are talking about cluster scoped roles; 
in practice they work like a namespaced Role and RoleBinding, but they apply cluster-wide<\/p>\n<p>- Create the cluster role file :<\/p>\n<blockquote>\n<pre>apiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRole\nmetadata:\n  name: cluster-administrator\nrules:\n- apiGroups: [\"\"]\n  resources: [\"nodes\"]\n  verbs: [\"list\", \"get\", \"create\", \"delete\"]<\/pre>\n<\/blockquote>\n<p>- Create the cluster role binding file<\/p>\n<blockquote>\n<pre>apiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: cluster-admin-role-binding\nsubjects:\n- kind: User\n  name: cluster-admin\n  apiGroup: rbac.authorization.k8s.io\nroleRef:\n  kind: ClusterRole\n  name: cluster-administrator\n  apiGroup: rbac.authorization.k8s.io<\/pre>\n<\/blockquote>\n<p>Then create both objects :<\/p>\n<blockquote>\n<pre>kubectl create -f nameofclusterrolefile.yaml<\/pre>\n<pre>kubectl create -f nameoffileclusterbindingrole.yaml<\/pre>\n<\/blockquote>\n<h2 id=\"Service Accounts\"><a title=\"Summary\" href=\"#Summary\">Service Accounts<\/a><\/h2>\n<p>There are user accounts and service accounts. A service account is used by a robot (a machine, not a human). For example, an app that gets metrics from the API server connects to the API server using a service account.<\/p>\n<p>Create a service account :<\/p>\n<blockquote>\n<pre>kubectl create serviceaccount dashboard-sa<\/pre>\n<\/blockquote>\n<p>Creating a service account automatically creates a secret holding its token; you can see the token with these commands :<\/p>\n<blockquote>\n<pre>kubectl get serviceaccount<\/pre>\n<pre>kubectl describe serviceaccount dashboard-sa ==&gt; the description shows the name of the secret object holding the token<\/pre>\n<pre>You can call the API with the token : curl --insecure https:\/\/192.168.56.70:6443\/api --header \"Authorization: Bearer ejdkfhjk...\"<\/pre>\n<\/blockquote>\n<p>You can also create a role for this service account, bind it, and then call the API with the token<\/p>\n<p>If a pod should use this token, add serviceAccountName: dashboard-sa in the pod spec, at the same level as containers, and add<\/p>\n<p>Since version 1.24 of Kubernetes, you must create the token yourself :<\/p>\n<blockquote>\n<pre>kubectl create serviceaccount dashboard-sa<\/pre>\n<pre>kubectl create token dashboard-sa<\/pre>\n<\/blockquote>\n<p>To decode and inspect the token (its header and payload) :<\/p>\n<blockquote>\n<pre>jq -R 'split(\".\") | select(length &gt; 0) | .[0],.[1] | 
@base64d | fromjson' &lt;&lt;&lt; ejhfkkfjjf...<\/pre>\n<\/blockquote>\n<p>To store the token in a secret object that you create yourself (a long-lived service account token, populated by the control plane) :<\/p>\n<blockquote>\n<pre tabindex=\"0\"><code class=\"language-shell\" data-lang=\"shell\">kubectl apply -f - &lt;&lt;EOF\napiVersion: v1\nkind: Secret\nmetadata:\n  name: dashboard-sa-token\n  annotations:\n    kubernetes.io\/service-account.name: dashboard-sa\ntype: kubernetes.io\/service-account-token\nEOF<\/code><\/pre>\n<\/blockquote>\n<h2 id=\"Image Security\"><a title=\"Summary\" href=\"#Summary\">Image Security<\/a><\/h2>\n<p>If you use a public image, remember to specify the registry, the user account and the image repository =&gt; image : docker.io\/library\/nginx<\/p>\n<p>If you use a private repository, with docker you log in with the command : docker login private-registry.io, then run a container with the image from the private registry =&gt; docker run private-registry.io\/apps\/internal-app<\/p>\n<p>In K8S :<\/p>\n<p>You should use the full name of the image, registry included : image : private-registry.io\/apps\/internal-app, and reference the imagePullSecrets : name: regcred that you create below<\/p>\n<p>Create a secret for your private registry :<\/p>\n<blockquote>\n<pre>kubectl create secret docker-registry regcred \\<br \/>  --docker-server=private-registry.io \\<br \/>  --docker-username=registry-user \\<br \/>  --docker-password=registry-password \\<br \/>  --docker-email=dfdfd@gmail.com<\/pre>\n<\/blockquote>\n<h2 id=\"Security Contexts\"><a title=\"Summary\" href=\"#Summary\">Security Contexts<\/a><\/h2>\n<p>A security context defines privilege and access control settings for a Pod or Container. 
Security context settings include, but are not limited to, the items listed below.<\/p>\n<p>You can define a security context on the pod (pod scope) or on the container (container scope); a container-level setting overrides the pod-level one for that container.<\/p>\n<p>Security contexts address the following concerns, among others :<\/p>\n<ul>\n<li>\n<p>Discretionary Access Control: Permission to access an object, like a file, is based on <a href=\"https:\/\/wiki.archlinux.org\/index.php\/users_and_groups\">user ID (UID) and group ID (GID)<\/a>.<\/p>\n<\/li>\n<li>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Security-Enhanced_Linux\">Security Enhanced Linux (SELinux)<\/a>: Objects are assigned security labels.<\/p>\n<\/li>\n<li>\n<p>Running as privileged or unprivileged.<\/p>\n<\/li>\n<li>\n<p><a href=\"https:\/\/linux-audit.com\/linux-capabilities-hardening-linux-binaries-by-removing-setuid\/\">Linux Capabilities<\/a>: Give a process some privileges, but not all the privileges of the root user.<\/p>\n<\/li>\n<li>\n<p><a href=\"https:\/\/kubernetes.io\/docs\/tutorials\/security\/apparmor\/\">AppArmor<\/a>: Use program profiles to restrict the capabilities of individual programs.<\/p>\n<\/li>\n<li>\n<p><a href=\"https:\/\/kubernetes.io\/docs\/tutorials\/security\/seccomp\/\">Seccomp<\/a>: Filter a process's system calls.<\/p>\n<\/li>\n<li>\n<p><code>allowPrivilegeEscalation<\/code>: Controls whether a process can gain more privileges than its parent process. This bool directly controls whether the <a href=\"https:\/\/www.kernel.org\/doc\/Documentation\/prctl\/no_new_privs.txt\"><code>no_new_privs<\/code><\/a> flag gets set on the container process. 
<code>allowPrivilegeEscalation<\/code> is always true when the container:<\/p>\n<ul>\n<li>is run as privileged, or<\/li>\n<li>has <code>CAP_SYS_ADMIN<\/code><\/li>\n<\/ul>\n<\/li>\n<li>\n<p><code>readOnlyRootFilesystem<\/code>: Mounts the container's root filesystem as read-only.<\/p>\n<\/li>\n<\/ul>\n<h2 id=\"Network Policy\"><a title=\"Summary\" href=\"#Summary\">Network Policy<\/a><\/h2>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-256\" src=\"https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/networkpolicy.png\" alt=\"\" width=\"571\" height=\"537\" srcset=\"https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/networkpolicy.png 571w, https:\/\/devopsopen.com\/wp-content\/uploads\/2023\/01\/networkpolicy-300x282.png 300w\" sizes=\"(max-width: 571px) 100vw, 571px\" \/><\/p>\n<p>In this example, the user calls the web UI on port 80 (ingress flow), then the web server calls the API on port 5000 (egress flow).<\/p>\n<p>For the API, it receives requests on port 5000 (ingress) and calls the database on port 3306 (egress).<\/p>\n<p>The database receives the call on port 3306 (ingress).<\/p>\n<p>To prevent the user or the web server from calling the database directly, we use a <strong>NetworkPolicy<\/strong> object.<\/p>\n<p>The <strong>Kubernetes Network Policy API<\/strong> supports the following features:<\/p>\n<ul>\n<li>Policies are namespace scoped<\/li>\n<li>Policies are applied to pods using label selectors<\/li>\n<li>Policy rules can specify the traffic that is allowed to\/from pods, namespaces, or CIDRs<\/li>\n<li>Policy rules can specify protocols (TCP, UDP, SCTP), named ports or port numbers<\/li>\n<\/ul>\n<p>Example policy applied to the pods labelled role: db, restricting both their ingress and their egress traffic :<\/p>\n<pre tabindex=\"0\"><code class=\"language-yaml\" data-lang=\"yaml\">apiVersion: networking.k8s.io\/v1\r\nkind: NetworkPolicy\r\nmetadata:\r\n  name: test-network-policy\r\n  namespace: default\r\nspec:\r\n  podSelector:\r\n    matchLabels:\r\n      role: db\r\n  policyTypes:\r\n    - Ingress\r\n    - Egress\r\n  ingress:\r\n    - from:\r\n        - ipBlock:\r\n            cidr: 172.17.0.0\/16\r\n            except:\r\n              - 172.17.1.0\/24\r\n        - namespaceSelector:\r\n            matchLabels:\r\n              project: myproject\r\n        - podSelector:\r\n            matchLabels:\r\n              role: frontend\r\n      ports:\r\n        - protocol: TCP\r\n          port: 6379\r\n  egress:\r\n    - to:\r\n        - ipBlock:\r\n            cidr: 10.0.0.0\/24\r\n      ports:\r\n        - protocol: TCP\r\n          port: 5978<\/code><\/pre>\n<p>ATTENTION: ingress and egress rules can also be restricted per port (the service's port), and each rule can carry more details than shown above.<\/p>\n<h2 id=\"Kubectx and Kubens command line utilities\"><a title=\"Summary\" href=\"#Summary\">Kubectx and Kubens command line utilities<\/a><\/h2>\n<p><strong>Kubens:<\/strong><\/p>\n<p>This tool allows users to switch between namespaces quickly with a simple command.<\/p>\n<p><strong>Installation:<\/strong><\/p>\n<blockquote>\n<pre>sudo git clone https:\/\/github.com\/ahmetb\/kubectx \/opt\/kubectx<\/pre>\n<pre>sudo ln -s \/opt\/kubectx\/kubens \/usr\/local\/bin\/kubens<\/pre>\n<\/blockquote>\n<p><strong>Syntax:<\/strong><\/p>\n<p>To switch to a new 
namespace:<\/p>\n<blockquote>\n<pre>kubens &lt;namespace&gt;<\/pre>\n<\/blockquote>\n<p>To switch back to the previous namespace:<\/p>\n<blockquote>\n<pre>kubens -<\/pre>\n<\/blockquote>\n<p><strong>Kubectx:<\/strong><\/p>\n<p>Reference: <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/github.com\/ahmetb\/kubectx\">https:\/\/github.com\/ahmetb\/kubectx<\/a><\/p>\n<p>With this tool, you don't have to make use of lengthy \u201ckubectl config\u201d commands to switch between contexts. This tool is particularly useful to switch context between clusters in a multi-cluster environment.<\/p>\n<p><strong>Installation:<\/strong><\/p>\n<blockquote>\n<pre>sudo git clone https:\/\/github.com\/ahmetb\/kubectx \/opt\/kubectx<\/pre>\n<pre>sudo ln -s \/opt\/kubectx\/kubectx \/usr\/local\/bin\/kubectx<\/pre>\n<\/blockquote>\n<p><strong>Syntax:<\/strong><\/p>\n<p>To list all contexts:<\/p>\n<blockquote>\n<pre>kubectx<\/pre>\n<\/blockquote>\n<p>To switch to a new context:<\/p>\n<blockquote>\n<pre>kubectx &lt;context&gt;<\/pre>\n<\/blockquote>\n<p>To switch back to the previous context:<\/p>\n<blockquote>\n<pre>kubectx -<\/pre>\n<\/blockquote>\n<p>To see the current context:<\/p>\n<blockquote>\n<pre>kubectx -c<\/pre>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Security Summary Security 
Primitives Authentication and service Accounts TLS Basics and in Kubernetes Certificates API KubeConfig API Groups Authorization Role Based Access Controls (RBAC) Cluster Roles and Role Bindings Service Accounts Image Security Security Contexts Network Policy Kubectx and Kubens command line utilities Security Primitives &#8211; Disable passwords and active SSH in evry host &#8211; Who can access ? \u00a0\u00a0\u00a0 * Files &#8211; Username and Passwords\u00a0\u00a0\u00a0 * Fies &#8211; Username and token \u00a0\u00a0\u00a0\u00a0 * Certificates\u00a0\u00a0\u00a0 * External Authentication providers &#8211; LDAP \u00a0\u00a0\u00a0\u00a0\u00a0 * Service Accounts &#8211; What can they do? \u00a0\u00a0\u00a0 * RBAC Authorization\u00a0\u00a0\u00a0 * ABAC Authorization\u00a0\u00a0\u00a0 * Node Authorization\u00a0\u00a0\u00a0\u2026<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":""},"categories":[12],"tags":[],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[],"version":5}},"uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false},"uagb_author_info":{"display_name":"admin","author_link":"https:\/\/devopsopen.com\/index.php\/author\/admin_bak\/"},"uagb_comment_info":1,"uagb_excerpt":"Security Summary Security Primitives Authentication and service Accounts TLS Basics and in Kubernetes Certificates API KubeConfig API Groups Authorization Role Based Access Controls (RBAC) Cluster Roles and Role Bindings Service Accounts Image Security Security Contexts Network Policy Kubectx and Kubens command line utilities Security Primitives - Disable passwords and active SSH in evry host 
-&hellip;","_links":{"self":[{"href":"https:\/\/devopsopen.com\/index.php\/wp-json\/wp\/v2\/posts\/175"}],"collection":[{"href":"https:\/\/devopsopen.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devopsopen.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devopsopen.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/devopsopen.com\/index.php\/wp-json\/wp\/v2\/comments?post=175"}],"version-history":[{"count":36,"href":"https:\/\/devopsopen.com\/index.php\/wp-json\/wp\/v2\/posts\/175\/revisions"}],"predecessor-version":[{"id":258,"href":"https:\/\/devopsopen.com\/index.php\/wp-json\/wp\/v2\/posts\/175\/revisions\/258"}],"wp:attachment":[{"href":"https:\/\/devopsopen.com\/index.php\/wp-json\/wp\/v2\/media?parent=175"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devopsopen.com\/index.php\/wp-json\/wp\/v2\/categories?post=175"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devopsopen.com\/index.php\/wp-json\/wp\/v2\/tags?post=175"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}