
[CKA] KodeKloud - Image Security

쯀리♥️ 2024. 7. 20. 12:54

Hello, this is 쯀리.

Today we'll look at Image Security.

https://kubernetes.io/docs/concepts/containers/images/

 


Image Security

 

In Kubernetes, image security refers to the set of techniques and best practices for keeping container images safe to store and to run. It can be broken down into the following areas:

 

  • Image signing and verification: sign and verify images with tools such as Docker Content Trust.
  • Image scanning: scan images for vulnerabilities with tools such as Trivy, Clair, and Anchore.
  • Image pull policy: set an appropriate imagePullPolicy.
  • Private registries: use a Secret to access a private registry.
  • Least privilege: apply least-privilege settings with PodSecurityPolicy.
  • Network security and policy: control pod-to-pod traffic with NetworkPolicy.

 

 


Quiz.

1. What secret type must we choose for docker registry?

Kubernetes Docs

 

2. We have an application running on our cluster. Let us explore it first. What image is the application using?

root@controlplane ~ ➜  k get pods
NAME                  READY   STATUS    RESTARTS   AGE
web-758bd846c-bl27m   1/1     Running   0          22m
web-758bd846c-skq4m   1/1     Running   0          22m

root@controlplane ~ ✖ k describe deploy web
Name:                   web
Namespace:              default
CreationTimestamp:      Sat, 20 Jul 2024 02:58:43 +0000
Labels:                 app=web
Annotations:            deployment.kubernetes.io/revision: 1
Selector:               app=web
Replicas:               2 desired | 2 updated | 2 total | 2 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:  app=web
  Containers:
   nginx:
    Image:         nginx:alpine
...

The application is configured with 2 replicas, and its image is nginx:alpine.

 

3. We decided to use a modified version of the application from an internal private registry. Update the image of the deployment to use a new image from myprivateregistry.com:5000

The registry is located at myprivateregistry.com:5000. Don't worry about the credentials for now. We will configure them in the upcoming steps.

root@controlplane ➜ k edit deploy web
### change the image field
...
    spec:
      containers:
      - image: myprivateregistry.com:5000/nginx:alpine
        imagePullPolicy: IfNotPresent
        name: nginx
...

root@controlplane /tmp ➜  k get pods
NAME                   READY   STATUS         RESTARTS   AGE
web-56d568f9f8-9kp88   0/1     ErrImagePull   0          4s
web-56d568f9f8-l5h8z   0/1     ErrImagePull   0          4s

The image was updated, but the new pods fail with an image pull error (ErrImagePull).

 

4. Are the new PODs created with the new images successfully running?
No. The image was changed, but the pods are stuck in ErrImagePull because the private registry cannot be pulled from yet.

5. Create a secret object with the credentials required to access the registry.

Name: private-reg-cred
Username: dock_user
Password: dock_password
Server: myprivateregistry.com:5000
Email: dock_user@myprivateregistry.com

Secret: private-reg-cred
Secret Type: docker-registry
Secret Data

 

kubectl create secret docker-registry private-reg-cred \
  --docker-server=myprivateregistry.com:5000 \
  --docker-username=dock_user \
  --docker-password=dock_password \
  --docker-email=dock_user@myprivateregistry.com

Result

root@controlplane ~ ➜  kubectl create secret docker-registry private-reg-cred \
  --docker-server=myprivateregistry.com:5000 \
  --docker-username=dock_user \
  --docker-password=dock_password \
  --docker-email=dock_user@myprivateregistry.com
secret/private-reg-cred created


root@controlplane ~ ➜  k get secret
NAME               TYPE                             DATA   AGE
private-reg-cred   kubernetes.io/dockerconfigjson   1      5s

root@controlplane ~ ➜  k describe secret private-reg-cred 
Name:         private-reg-cred
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/dockerconfigjson

Data
====
.dockerconfigjson:  176 bytes
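To see what those 176 bytes are, here is an added Python example (my code, not the lab's and not kubectl's implementation) that rebuilds the `.dockerconfigjson` document `kubectl create secret docker-registry` stores from the five flags used above, wraps it in a Secret manifest, and decodes the credentials back out again. The credential values are the lab's constructed ones. The point to take away is that a Secret only base64-encodes this document; anyone allowed to read Secrets in the namespace gets the registry password in the clear, so `get`/`list` on secrets must be restricted with RBAC and encryption at rest should be enabled on the API server.

```python
import base64
import json


def build_dockerconfigjson(server: str, username: str, password: str, email: str) -> bytes:
    """Build the .dockerconfigjson document that
    `kubectl create secret docker-registry` stores, as UTF-8 bytes.

    The "auth" field is base64("username:password"), the same value that
    `docker login` writes into ~/.docker/config.json.
    """
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {
        "auths": {
            server: {
                "username": username,
                "password": password,
                "email": email,
                "auth": auth,
            }
        }
    }
    # kubectl emits compact JSON (no spaces); for the lab's values this is
    # exactly the 176 bytes reported by `kubectl describe secret`.
    return json.dumps(config, separators=(",", ":")).encode()


def build_secret_manifest(name: str, dockerconfigjson: bytes) -> dict:
    """Wrap the document in a Secret of type kubernetes.io/dockerconfigjson.
    The `data` value is base64 of the raw bytes: encoded, not encrypted."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(dockerconfigjson).decode()},
    }


def decode_registry_credentials(secret: dict) -> dict:
    """Recover server -> {username, password, email} from a Secret manifest.
    This is all that `kubectl get secret ... -o yaml` plus base64 gives a
    reader, which is why read access to Secrets needs tight RBAC."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a docker-registry secret")
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    auths = json.loads(raw)["auths"]
    result = {}
    for server, entry in auths.items():
        # Some tools write only "auth"; fall back to splitting it.
        user, pw = "", ""
        auth = entry.get("auth")
        if auth:
            user, _, pw = base64.b64decode(auth).decode().partition(":")
        result[server] = {
            "username": entry.get("username", user),
            "password": entry.get("password", pw),
            "email": entry.get("email", ""),
        }
    return result


# Constructed lab values from step 5 above.
LAB_DOC = build_dockerconfigjson(
    "myprivateregistry.com:5000",
    "dock_user",
    "dock_password",
    "dock_user@myprivateregistry.com",
)
LAB_SECRET = build_secret_manifest("private-reg-cred", LAB_DOC)

if __name__ == "__main__":
    print(len(LAB_DOC), "bytes")  # 176 for the lab's values
    print(decode_registry_credentials(LAB_SECRET))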

 

6. Configure the deployment to use credentials from the new secret to pull images from the private registry.

root@controlplane ~ ✖ k edit deploy web
### add imagePullSecrets at the Pod spec level (a sibling of containers, not inside it)
...
    spec:
      containers:
      - image: myprivateregistry.com:5000/nginx:alpine
        imagePullPolicy: IfNotPresent
        name: nginx
        ...
      imagePullSecrets:
      - name: private-reg-cred

####

deployment.apps/web edited

 

7. Check the status of PODs. Wait for them to be running. You have now successfully configured a Deployment to pull images from the private registry.

root@controlplane ~ ➜  k get pods
NAME                  READY   STATUS    RESTARTS   AGE
web-ffd8c976c-2xjmr   1/1     Running   0          101s
web-ffd8c976c-l6njs   1/1     Running   0          102s
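As an added example (my code, not the lab's or KodeKloud's), the following Python function runs the kind of policy check an admission webhook or CI gate would apply to the finished Pod template from steps 3 to 7, covering the "image pull policy" and "private registry" points from the Image Security list above. It checks the image's registry against an allowlist (assumed here to be only myprivateregistry.com:5000), whether the image is pinned by digest, the imagePullPolicy, and whether a Pod-level imagePullSecrets entry exists. The Pod template is reconstructed from the `kubectl edit` output above; everything else is an assumption for illustration.

```python
# Constructed: the final Pod template of the lab's `web` Deployment (steps 6-7).
WEB_POD_TEMPLATE = {
    "spec": {
        "imagePullSecrets": [{"name": "private-reg-cred"}],
        "containers": [
            {
                "name": "nginx",
                "image": "myprivateregistry.com:5000/nginx:alpine",
                "imagePullPolicy": "IfNotPresent",
            }
        ],
    }
}

# Assumption: the organisation trusts only its internal (private) registry.
ALLOWED_REGISTRIES = ("myprivateregistry.com:5000",)


def parse_image(ref: str):
    """Split an image reference into (registry, repository, tag, digest).

    The first path component is a registry only if it contains '.' or ':'
    or is 'localhost' (the rule Docker and containerd use); otherwise the
    image lives on docker.io. A missing tag is returned as None.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    # A tag is a ':' in the last path component; ':' earlier is a registry port.
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    return registry, path, tag, digest


def check_pod_template(template: dict, allowed_registries=ALLOWED_REGISTRIES) -> list:
    """Return a list of findings; an empty list means the template passes."""
    spec = template["spec"]
    findings = []
    # Only Pod-level pull secrets are visible here; secrets attached to the
    # ServiceAccount are not inspected by this check.
    has_pull_secret = bool(spec.get("imagePullSecrets"))
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        registry, repo, tag, digest = parse_image(c["image"])
        if registry not in allowed_registries:
            findings.append(f"{name}: registry {registry} is not on the allowlist")
        if digest is None:
            findings.append(
                f"{name}: image {repo}:{tag or 'latest'} is a mutable tag, not pinned by digest"
            )
        # With IfNotPresent/Never the kubelet reuses an image already cached on
        # the node without contacting the registry, so credentials are never
        # re-checked; the AlwaysPullImages admission plugin enforces Always.
        if c.get("imagePullPolicy") != "Always":
            findings.append(f"{name}: imagePullPolicy is not Always")
        if registry in allowed_registries and not has_pull_secret:
            findings.append(f"{name}: private registry but no imagePullSecrets on the Pod")
    return findings


if __name__ == "__main__":
    for finding in check_pod_template(WEB_POD_TEMPLATE):
        print("FINDING:", finding)
```

Run against the lab's template it reports two findings: the image is referenced by the mutable tag alpine rather than a digest, and imagePullPolicy is IfNotPresent. A digest-pinned reference (`myprivateregistry.com:5000/nginx@sha256:<digest>`, where the digest would come from the registry) with `imagePullPolicy: Always` and the Pod-level `imagePullSecrets` passes cleanly; the original public `nginx:alpine` from step 2 fails the allowlist check as well.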

Today we looked at the security of the container image pull process.

Next time we'll look at Security Contexts.

 


References

Udemy Labs - Certified Kubernetes Administrator with Practice Tests