Hello, this is 쯀리.
Today we will look at Image Security.
https://kubernetes.io/docs/concepts/containers/images/
Image Security
In Kubernetes, image security means the set of techniques and best practices that keep container images trustworthy from the moment they are built to the moment the kubelet pulls and runs them. It breaks down roughly into these areas:
- Image signing and verification: sign images and verify the signature before they are allowed to run, for example with Docker Content Trust (Notary) or Sigstore cosign.
- Image scanning: check images for known vulnerabilities with tools such as Trivy, Clair or Anchore, ideally in CI before the image is pushed.
- Image pull policy: set imagePullPolicy deliberately. With IfNotPresent a node that already has an image for that tag cached will run it without contacting the registry, so a re-pushed tag (or revoked credentials) is not noticed; Always forces the kubelet to check the registry on every container start, and the AlwaysPullImages admission controller can enforce that cluster-wide.
- Private registries: store registry credentials in a Secret of type docker-registry (kubernetes.io/dockerconfigjson) and reference it through imagePullSecrets instead of putting credentials on the nodes by hand.
- Least privilege: restrict what a container may do with securityContext and Pod Security Admission (PodSecurityPolicy was removed in Kubernetes v1.25).
- Network security and policies: control traffic between Pods with NetworkPolicy.
Quiz.
1. What secret type must we choose for docker registry?
docker-registry (kubectl create secret docker-registry ...). It is stored as type kubernetes.io/dockerconfigjson and referenced from the Pod spec through imagePullSecrets.
2. We have an application running on our cluster. Let us explore it first. What image is the application using?
root@controlplane ~ ➜ k get pods
NAME READY STATUS RESTARTS AGE
web-758bd846c-bl27m 1/1 Running 0 22m
web-758bd846c-skq4m 1/1 Running 0 22m
root@controlplane ~ ✖ k describe deploy web
Name: web
Namespace: default
CreationTimestamp: Sat, 20 Jul 2024 02:58:43 +0000
Labels: app=web
Annotations: deployment.kubernetes.io/revision: 1
Selector: app=web
Replicas: 2 desired | 2 updated | 2 total | 2 available | 0 unavailable
StrategyType: RollingUpdate
MinReadySeconds: 0
RollingUpdateStrategy: 25% max unavailable, 25% max surge
Pod Template:
Labels: app=web
Containers:
nginx:
Image: nginx:alpine
...
The application runs with 2 replicas and its image is nginx:alpine.
3. We decided to use a modified version of the application from an internal private registry. Update the image of the deployment to use a new image from myprivateregistry.com:5000
The registry is located at myprivateregistry.com:5000. Don't worry about the credentials for now. We will configure them in the upcoming steps.
root@controlplane ➜ k edit deploy web
### change the image field
...
spec:
containers:
- image: myprivateregistry.com:5000/nginx:alpine
imagePullPolicy: IfNotPresent
name: nginx
...
root@controlplane /tmp ➜ k get pods
NAME READY STATUS RESTARTS AGE
web-56d568f9f8-9kp88 0/1 ErrImagePull 0 4s
web-56d568f9f8-l5h8z 0/1 ErrImagePull 0 4s
The image was changed, but the new Pods fail with ErrImagePull.
4. Are the new PODs created with the new images successfully running?
No. The Deployment rolled out a new ReplicaSet, but its Pods are stuck in ErrImagePull (and will move to ImagePullBackOff) because the kubelet has no credentials for myprivateregistry.com:5000. The Pods from the old ReplicaSet have already been scaled down, so nothing is serving until the pull succeeds.
5. Create a secret object with the credentials required to access the registry.
Name: private-reg-cred
Username: dock_user
Password: dock_password
Server: myprivateregistry.com:5000
Email: dock_user@myprivateregistry.com
Secret: private-reg-cred
Secret Type: docker-registry
Secret Data
kubectl create secret docker-registry private-reg-cred \
--docker-server=myprivateregistry.com:5000 \
--docker-username=dock_user \
--docker-password=dock_password \
--docker-email=dock_user@myprivateregistry.com
Result
root@controlplane ~ ➜ kubectl create secret docker-registry private-reg-cred \
--docker-server=myprivateregistry.com:5000 \
--docker-username=dock_user \
--docker-password=dock_password \
--docker-email=dock_user@myprivateregistry.com
secret/private-reg-cred created
root@controlplane ~ ➜ k get secret
NAME TYPE DATA AGE
private-reg-cred kubernetes.io/dockerconfigjson 1 5s
root@controlplane ~ ➜ k describe secret private-reg-cred
Name: private-reg-cred
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/dockerconfigjson
Data
====
.dockerconfigjson: 176 bytes
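The 176 bytes shown above are a JSON document, and the credentials inside it are only base64-encoded, not encrypted. The script below is an added example (not part of the lab or the original post): it rebuilds the .dockerconfigjson payload that `kubectl create secret docker-registry` writes for the lab's values, then decodes the password back out of it, which is exactly what anyone with `get` on Secrets in the namespace (or read access to etcd without encryption at rest) can do. It assumes a POSIX shell with GNU-style `base64` and `grep -o`; the function names are mine.

```sh
# Added example, not code from the lab: reconstruct and decode the
# .dockerconfigjson payload stored by `kubectl create secret docker-registry`.
set -eu

# Docker's "auth" field: base64("user:password") without a trailing newline.
docker_auth() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# The JSON document stored under the .dockerconfigjson key.
# Args: server user password email
dockerconfigjson() {
  auth=$(docker_auth "$2" "$3")
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "$4" "$auth"
}

# Pull the "auth" value for one registry host back out of the JSON.
# grep-only so it runs without jq; good enough for a demo payload.
# Args: json server
auth_for_server() {
  printf '%s' "$1" | grep -o "\"$2\":{[^}]*}" | grep -o '"auth":"[^"]*"' | cut -d'"' -f4
}

# Recover the plaintext password from an auth blob.
auth_password() {
  printf '%s' "$1" | base64 -d | cut -d: -f2-
}

# Constructed sample input: the same values the lab uses.
CFG=$(dockerconfigjson myprivateregistry.com:5000 dock_user dock_password dock_user@myprivateregistry.com)
AUTH=$(auth_for_server "$CFG" myprivateregistry.com:5000)
echo "dockerconfigjson=$CFG"
echo "auth=$AUTH"
echo "password=$(auth_password "$AUTH")"
```

Because the Secret is reversible like this, treat it like the password itself: limit who can read Secrets with RBAC, enable encryption at rest for etcd, and give the registry account pull-only permissions so a leaked Secret cannot push a tampered image.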
6. Configure the deployment to use credentials from the new secret to pull images from the private registry.
root@controlplane ~ ✖ k edit deploy web
### add imagePullSecrets at the Pod spec level (same indentation as containers, not inside the container)
...
spec:
containers:
- image: myprivateregistry.com:5000/nginx:alpine
imagePullPolicy: IfNotPresent
name: nginx
...
imagePullSecrets:
- name: private-reg-cred
###
deployment.apps/web edited
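The edit above as a complete manifest, added here for reference and not taken from the lab output. imagePullSecrets is a field of the Pod spec, a sibling of containers, so it applies to every container in the Pod. The second document shows the alternative of attaching the Secret to the ServiceAccount, which Kubernetes merges into the imagePullSecrets of every Pod that uses that ServiceAccount; the lab does not do this. imagePullPolicy: Always is my choice for the example, not the lab's setting.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      imagePullSecrets:            # Pod level, not per container
      - name: private-reg-cred
      containers:
      - name: nginx
        image: myprivateregistry.com:5000/nginx:alpine
        imagePullPolicy: Always    # assumption: always consult the registry instead of trusting the node cache
---
# Alternative: attach the pull Secret to the ServiceAccount so every Pod
# using it inherits the Secret without editing each workload.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: default
imagePullSecrets:
- name: private-reg-cred
```

The Secret must live in the same namespace as the Pod; a Pod in another namespace cannot reference it, so each namespace that pulls from the private registry needs its own copy.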
7. Check the status of PODs. Wait for them to be running. You have now successfully configured a Deployment to pull images from the private registry.
root@controlplane ~ ➜ k get pods
NAME READY STATUS RESTARTS AGE
web-ffd8c976c-2xjmr 1/1 Running 0 101s
web-ffd8c976c-l6njs 1/1 Running 0 102s
Today we looked at the security of pulling container images into the cluster.
Next time we will look at Security Contexts.
References
※ Udemy Labs - Certified Kubernetes Administrator with Practice Tests