
[CKA] KodeKloud - Security Contexts

쯀리♥️ 2024. 7. 24. 23:14

Hello, this is 쯀리.

Today we will look at Security Contexts.

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/


What is a Security Context?

A Security Context plays a key role in managing the security settings of a Pod and its containers. Through a Security Context you can assign specific privileges and security attributes: they mainly restrict or strengthen the privileges of the user the process runs as, set file system permissions, and control network- and process-related settings.

Why Security Contexts matter

  1. Privilege restriction: follow the principle of least privilege so that an application runs with only the minimum privileges it needs.
  2. Security enforcement: integrate with security tools such as SELinux, AppArmor and seccomp to strengthen security.
  3. Compliance: ensure the organization's security policies and regulatory requirements are met.
  4. Threat reduction: reduce the security risk that comes from privilege escalation and from running as root.

Quiz.

1. What is the user used to execute the sleep process within the ubuntu-sleeper pod?

controlplane ~ ➜  k get pods
NAME             READY   STATUS    RESTARTS   AGE
ubuntu-sleeper   1/1     Running   0          2m12s

controlplane ~ ✖ k exec -it ubuntu-sleeper -- whoami
root


2. Edit the pod ubuntu-sleeper to run the sleep process with user ID 1010.
Note: Only make the necessary changes. Do not modify the name or image of the pod.

controlplane ~ ➜  k edit pod ubuntu-sleeper 
error: pods "ubuntu-sleeper" is invalid
A copy of your changes has been stored to "/tmp/kubectl-edit-2912883495.yaml"

### 
spec:
  securityContext:
    runAsUser: 1010
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    imagePullPolicy: Always
    name: ubuntu
    resources: {}
...
####

### Run the pod with the changed user (runAsUser cannot be edited in place on a running pod, so delete it and apply the saved copy)
controlplane ~ ✖ k delete po ubuntu-sleeper 
pod "ubuntu-sleeper" deleted

controlplane ~ ➜  k apply -f /tmp/kubectl-edit-2912883495.yaml 
pod/ubuntu-sleeper created


## Verify: whoami fails only because the image has no /etc/passwd entry for UID 1010; the sleep process is in fact running as UID 1010
controlplane ~ ➜  k exec -it ubuntu-sleeper -- whoami
whoami: cannot find name for user ID 1010
command terminated with exit code 1


3. A Pod definition file named multi-pod.yaml is given. With what user are the processes in the web container started?
The pod is created with multiple containers and security contexts defined at the Pod and Container level.

controlplane ~ ➜  cat multi-pod.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: multi-pod
spec:
  securityContext:
    runAsUser: 1001
  containers:
  -  image: ubuntu
     name: web
     command: ["sleep", "5000"]
     securityContext:
      runAsUser: 1002

  -  image: ubuntu
     name: sidecar
     command: ["sleep", "5000"]


The user of the web container is 1002, because the container-level securityContext overrides the Pod-level one.

  -  image: ubuntu
     name: web
     command: ["sleep", "5000"]
     securityContext:
      runAsUser: 1002


4. With what user are the processes in the sidecar container started?
The pod is created with multiple containers and security contexts defined at the Pod and Container level.

If no user is set for the container itself, the user set as the default at the Pod level is used.

  securityContext:
    runAsUser: 1001
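How the two layers combine, as an added example written for this post (it is not code from the KodeKloud lab or from kubectl): the Pod-level securityContext supplies defaults, a container's own securityContext overrides them field by field, and fields such as capabilities and privileged exist only at the container level. The same helper then audits each container for settings that weaken least privilege, which is the point of the list above. The manifests are the lab's multi-pod.yaml and the ubuntu-sleeper pod from the later questions, transcribed as Python dicts; the set of capabilities the audit treats as high-risk is my own choice, not something the page defines.

```python
"""Resolve the effective securityContext per container and flag risky settings.

Added example for this post (not part of the KodeKloud lab or of kubectl).
Rule applied: a field set in a container's securityContext wins over the same
field in pod.spec.securityContext; a field set at neither level falls back to
the image/runtime default (for runAsUser that is usually root, UID 0).
"""

# Fields that can be set at both Pod and container level (container wins).
OVERRIDABLE_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot",
                      "seccompProfile", "seLinuxOptions")
# Fields that exist only at the container level.
CONTAINER_ONLY_FIELDS = ("capabilities", "privileged",
                         "allowPrivilegeEscalation", "readOnlyRootFilesystem")
# Capabilities the audit treats as high-risk (assumption made for this example).
HIGH_RISK_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO",
                  "NET_ADMIN", "DAC_READ_SEARCH", "BPF"}

# multi-pod.yaml from the lab, transcribed as a dict.
MULTI_POD = {
    "securityContext": {"runAsUser": 1001},
    "containers": [
        {"name": "web", "image": "ubuntu", "command": ["sleep", "5000"],
         "securityContext": {"runAsUser": 1002}},
        {"name": "sidecar", "image": "ubuntu", "command": ["sleep", "5000"]},
    ],
}

# ubuntu-sleeper as it looks after question 6 (root, NET_ADMIN + SYS_TIME added).
UBUNTU_SLEEPER = {
    "containers": [
        {"name": "ubuntu-sleeper", "image": "ubuntu", "command": ["sleep", "4800"],
         "securityContext": {"capabilities": {"add": ["NET_ADMIN", "SYS_TIME"]}}},
    ],
}


def effective_context(pod_spec, container):
    """Merge Pod-level and container-level securityContext for one container."""
    pod_ctx = pod_spec.get("securityContext") or {}
    ctr_ctx = container.get("securityContext") or {}
    merged = {}
    for field in OVERRIDABLE_FIELDS:
        if field in ctr_ctx:
            merged[field] = ctr_ctx[field]
        elif field in pod_ctx:
            merged[field] = pod_ctx[field]
    for field in CONTAINER_ONLY_FIELDS:
        if field in ctr_ctx:
            merged[field] = ctr_ctx[field]
    return merged


def effective_run_as_user(pod_spec, container_name):
    """UID the container's processes start with; None means the image default."""
    for container in pod_spec["containers"]:
        if container["name"] == container_name:
            return effective_context(pod_spec, container).get("runAsUser")
    raise KeyError(f"no container named {container_name!r}")


def audit_pod(pod_spec):
    """Return 'container: finding' strings for settings that weaken least privilege."""
    findings = []
    for container in pod_spec["containers"]:
        name = container["name"]
        ctx = effective_context(pod_spec, container)
        uid = ctx.get("runAsUser")
        if uid == 0 or (uid is None and not ctx.get("runAsNonRoot")):
            findings.append(f"{name}: may run as root (runAsUser unset or 0, runAsNonRoot not enforced)")
        if ctx.get("privileged"):
            findings.append(f"{name}: privileged container")
        if ctx.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not set to false")
        added = set((ctx.get("capabilities") or {}).get("add") or [])
        risky = sorted(added & HIGH_RISK_CAPS)
        if risky:
            findings.append(f"{name}: adds high-risk capabilities {', '.join(risky)}")
    return findings


if __name__ == "__main__":
    for name in ("web", "sidecar"):
        print(f"multi-pod/{name} runs as UID {effective_run_as_user(MULTI_POD, name)}")
    for finding in audit_pod(UBUNTU_SLEEPER):
        print(finding)
```

Running it reproduces the answers to questions 3 and 4 (web is 1002, sidecar inherits 1001) and flags the ubuntu-sleeper pod from questions 5 and 6 as root-capable with NET_ADMIN added. The audit is deliberately conservative: a missing runAsUser is reported unless runAsNonRoot is set, because the kubelet then rejects any image that would otherwise start as UID 0.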


5. Update pod ubuntu-sleeper to run as Root user and with the SYS_TIME capability.
Note: Only make the necessary changes. Do not modify the name of the pod.

Pod Name: ubuntu-sleeper
Image Name: ubuntu
SecurityContext: Capability SYS_TIME
Is run as a root user?
controlplane ~ ➜  k apply -f ubuntu-sleeper.yaml 
pod/ubuntu-sleeper created
###
---
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-sleeper
  namespace: default
spec:
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    name: ubuntu-sleeper
    securityContext:
      capabilities:
        add: ["SYS_TIME"]
###


controlplane ~ ➜  k get pods
NAME             READY   STATUS    RESTARTS   AGE
ubuntu-sleeper   1/1     Running   0          4s

controlplane ~ ➜  k exec -it ubuntu-sleeper -- whoami
root

controlplane ~ ✖ k exec -it ubuntu-sleeper -- /bin/bash
root@ubuntu-sleeper:/# cd /proc/1 
root@ubuntu-sleeper:/proc/1# cat status
...
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000000000
SigCgt: 0000000000000000
CapInh: 0000000000000000
CapPrm: 00000000aa0425fb
CapEff: 00000000aa0425fb
CapBnd: 00000000aa0425fb
CapAmb: 0000000000000000
...
## bit35 means CAP_SYS_TIME
00000000aa0435fb
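Decoding those masks, as an added example written for this post (not code from the lab): a function that pulls the Cap* lines out of a /proc/<pid>/status dump and maps each set bit to its capability name using the numbering from the kernel's include/uapi/linux/capability.h, in which CAP_SYS_TIME is bit 25 and CAP_NET_ADMIN is bit 12. The status text below is the snippet shown above, embedded as a constructed sample; the mask 00000000a80425fb used as the baseline is the usual container runtime default set and is an assumption for the comparison, not something the lab prints.

```python
"""Decode CapEff/CapPrm/CapBnd masks from /proc/<pid>/status into names.

Added example for this post, not part of the lab. Bit positions follow the
kernel's include/uapi/linux/capability.h (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40).
"""

CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID",            # 0-4
    "KILL", "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE",                 # 5-9
    "NET_BIND_SERVICE", "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK",  # 10-14
    "IPC_OWNER", "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE",       # 15-19
    "SYS_PACCT", "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE",         # 20-24
    "SYS_TIME", "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE",            # 25-29
    "AUDIT_CONTROL", "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG",        # 30-34
    "WAKE_ALARM", "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF",            # 35-39
    "CHECKPOINT_RESTORE",                                                     # 40
]

# Typical container runtime default capability set (assumption for the comparison).
DEFAULT_RUNTIME_MASK = "00000000a80425fb"

# Cap* lines from /proc/1/status of the ubuntu-sleeper pod above (constructed sample).
SAMPLE_STATUS = """\
SigCgt:\t0000000000000000
CapInh:\t0000000000000000
CapPrm:\t00000000aa0425fb
CapEff:\t00000000aa0425fb
CapBnd:\t00000000aa0425fb
CapAmb:\t0000000000000000
"""


def parse_proc_status(text):
    """Return {field: hex mask} for the Cap* lines of a /proc/<pid>/status dump."""
    caps = {}
    for line in text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, value = line.split(":", 1)
            caps[key.strip()] = value.strip()
    return caps


def cap_bit(name):
    """Bit position of a capability, accepting 'SYS_TIME' or 'CAP_SYS_TIME'."""
    return CAP_NAMES.index(name[4:] if name.startswith("CAP_") else name)


def decode_caps(mask_hex):
    """List the capability names whose bits are set in a hex mask, lowest bit first."""
    mask = int(mask_hex, 16)
    names = []
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            names.append("CAP_" + CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_BIT{bit}")
    return names


def caps_added(before_hex, after_hex):
    """Capabilities present in `after` but not in `before`."""
    extra = int(after_hex, 16) & ~int(before_hex, 16)
    return decode_caps(format(extra, "x"))


if __name__ == "__main__":
    eff = parse_proc_status(SAMPLE_STATUS)["CapEff"]
    print("CapEff", eff, "->", ", ".join(decode_caps(eff)))
    print("added over the runtime default:", caps_added(DEFAULT_RUNTIME_MASK, eff))
    print("added by the NET_ADMIN update:", caps_added(eff, "00000000aa0435fb"))
```

With the status from question 5, CapEff 00000000aa0425fb decodes to the 14 default capabilities plus CAP_SYS_TIME (bit 25, the 0x02 in the 0xaa byte). The second mask quoted above, 00000000aa0435fb, differs from it only in bit 12, which is CAP_NET_ADMIN, so it is what /proc/1/status shows after the update in question 6. Comparing CapEff against the runtime default this way is a quick check that a pod carries no more capabilities than its manifest asks for.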


6.  Now update the pod to also make use of the NET_ADMIN capability.
Note: Only make the necessary changes. Do not modify the name of the pod.

SecurityContext: Capability SYS_TIME
SecurityContext: Capability NET_ADMIN
---
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-sleeper
  namespace: default
spec:
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    name: ubuntu-sleeper
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]

Today we took a brief look at security contexts.

A security context defines the privilege and access control settings for a Pod or container.

Next time we will look at Network Policy.

References

 Udemy Labs - Certified Kubernetes Administrator with Practice Tests