These are notes I took while following the Udemy course <Certified Kubernetes Administrator (CKA) with Practice Tests> to study for the certification.
https://www.udemy.com/course/certified-kubernetes-administrator-with-practice-tests
[Security Primitives]
| Question | Primitive | Mechanisms |
|---|---|---|
| Who can access the cluster? | Authentication | Files (usernames and passwords); Files (usernames and tokens); Certificates; External authentication providers (e.g. LDAP); Service Accounts |
| What can they do? | Authorization | RBAC Authorization; ABAC Authorization; Node Authorization; Webhook mode |
-All communication within the cluster, between control-plane components such as the etcd cluster, kube-controller-manager, scheduler and kube-apiserver, as well as the components running on the worker nodes such as the kubelet and kube-proxy, is secured using TLS encryption.
-By default all Pods can reach all other Pods within the cluster. You can restrict traffic between them using Network Policies.
[Authentication]
-Our focus here is on user access to the Kubernetes cluster for administrative purposes.
-That leaves two types of users: humans, such as administrators and developers, and robots.
-All user access is managed by the API server.
-The kube-apiserver authenticates a request before processing it.
□So how does the API server authenticate?
-You can use:
1) a list of usernames and passwords in a static password file
2) usernames and tokens in a static token file
3) certificates
4) a third-party authentication protocol such as LDAP or Kerberos
<static password file>
user-details.csv
-You can create a list of users and their passwords in a CSV file and use that as the source of user information.
#kube-apiserver
#/etc/kubernetes/manifests/kube-apiserver.yaml
--basic-auth-file=user-details.csv
-After specifying this option you must restart the kube-apiserver for it to take effect.
-If you set up your cluster using the kubeadm tool, you must instead modify the kube-apiserver Pod definition file.
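As an added example (not code from the course or from the Kubernetes project), the script below writes a user-details.csv in the format the flag expected (password,username,uid,"group1,group2", groups optional), prints the manifest fragment that adds the flag plus the hostPath mount the static Pod needs in order to read the file, and shows how an HTTP Basic credential was mapped to a username, uid and groups. One caveat the notes do not mention: --basic-auth-file was deprecated in Kubernetes 1.16 and removed in 1.19, and the file holds plaintext passwords readable by anyone who can read the node's filesystem, so on current clusters prefer certificates or an external provider. All usernames, passwords and paths are constructed sample values, and the lookup function illustrates the matching logic rather than reproducing the API server's code.

```shell
#!/bin/sh
# Added example, not code from the course or from Kubernetes.
# --basic-auth-file was deprecated in Kubernetes 1.16 and removed in 1.19;
# it is shown here only to illustrate the mechanism the notes describe.

# Write a sample user-details.csv. Each row is: password,username,uid,"group1,group2"
# (the quoted groups column is optional). All values are constructed sample data.
make_user_file() {
  cat > "$1" <<'EOF'
password123,user1,u0001,"system:masters"
password456,user2,u0002,"dev-team,qa"
password789,user3,u0003
EOF
  chmod 600 "$1"   # plaintext passwords: keep the file readable by root only
}

# Print the fragment to add to the kube-apiserver static Pod manifest
# (/etc/kubernetes/manifests/kube-apiserver.yaml on a kubeadm cluster). The API
# server runs inside a container, so the file must also be mounted into it.
render_apiserver_patch() {
  cat <<EOF
spec:
  containers:
  - command:
    - kube-apiserver
    - --basic-auth-file=$1
    volumeMounts:
    - mountPath: $1
      name: usr-details
      readOnly: true
  volumes:
  - hostPath:
      path: $1
      type: File
    name: usr-details
EOF
}

# Map a base64 "username:password" (the value of an "Authorization: Basic"
# header) to the identity "username uid groups" that would be handed on to
# authorization. Prints nothing and returns 1 when no row matches.
lookup_basic_credential() {
  file="$1"
  decoded=$(printf '%s' "$2" | base64 -d) || return 1
  user=${decoded%%:*}
  pass=${decoded#*:}
  while IFS=, read -r fpass fuser fuid fgroups; do
    [ "$fuser" = "$user" ] && [ "$fpass" = "$pass" ] || continue
    groups=$(printf '%s' "$fgroups" | tr -d '"')
    if [ -n "$groups" ]; then
      printf '%s %s %s\n' "$fuser" "$fuid" "$groups"
    else
      printf '%s %s\n' "$fuser" "$fuid"
    fi
    return 0
  done < "$file"
  return 1
}

# Stand-alone demo using a throwaway directory
TMP=$(mktemp -d)
make_user_file "$TMP/user-details.csv"
render_apiserver_patch "$TMP/user-details.csv"
lookup_basic_credential "$TMP/user-details.csv" "$(printf 'user2:password456' | base64)"
```

The lookup deliberately compares the password as stored, because that is all the static file format offered: there was no hashing, which is one reason the mechanism was removed.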
[TLS]
-A certificate is used to guarantee trust between two parties during a transaction. For example, when a user tries to access a web server, TLS certificates ensure that the communication between the user and the server is encrypted and that the server is who it says it is.
-The data being transferred must therefore be encrypted with an encryption key, which is basically a set of random numbers and letters.
-However, the server receiving the data has the same problem: it cannot decrypt the data without the key.
-So a copy of the key must also be sent to the server so that it can decrypt and read the message, and since the key travels over the same network, an attacker can sniff it as well and use it to decrypt the data.
-This is known as SYMMETRIC ENCRYPTION.
□ASYMMETRIC ENCRYPTION
-Instead of using a single key to encrypt and decrypt data, asymmetric encryption uses a pair of keys: a private key and a public key.
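The symmetric versus asymmetric contrast described above, as an added example (not from the course or the Kubernetes project) using the openssl command-line tool you would also use for cluster certificates. It assumes openssl 1.1.1 or later is on the PATH; all keys and messages are constructed on the fly in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the course or from Kubernetes: symmetric vs
# asymmetric encryption with openssl. Everything lives in a throwaway directory.

WORK=$(mktemp -d)

# --- Symmetric: one secret key both encrypts and decrypts --------------------
new_secret_key() {                      # write a random 256-bit key to the given file
  openssl rand -hex 32 > "$1"
}

symmetric_encrypt() {                   # usage: symmetric_encrypt KEYFILE "message"
  printf '%s' "$2" | openssl enc -aes-256-cbc -pbkdf2 -pass "file:$1" -out "$WORK/sym.enc"
}

symmetric_decrypt() {                   # usage: symmetric_decrypt KEYFILE
  # Only the holder of the same key can read sym.enc; any other key gives an
  # error or garbage, which is why the key must be shared and can be sniffed.
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1" -in "$WORK/sym.enc"
}

# --- Asymmetric: a key pair; the public key encrypts, only the private decrypts
asymmetric_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/priv.pem" 2>/dev/null
  openssl pkey -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem"
}

asymmetric_encrypt() {                  # anyone holding pub.pem can do this
  printf '%s' "$1" | openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.pem" \
      -pkeyopt rsa_padding_mode:oaep -out "$WORK/asym.enc"
}

asymmetric_decrypt() {                  # only the private-key holder can do this
  openssl pkeyutl -decrypt -inkey "$WORK/priv.pem" \
      -pkeyopt rsa_padding_mode:oaep -in "$WORK/asym.enc"
}

public_key_cannot_decrypt() {           # returns 0 when openssl refuses, as it must
  if openssl pkeyutl -decrypt -pubin -inkey "$WORK/pub.pem" \
       -pkeyopt rsa_padding_mode:oaep -in "$WORK/asym.enc" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Stand-alone demo
new_secret_key "$WORK/shared.key"
symmetric_encrypt "$WORK/shared.key" "hello kubelet"
echo "symmetric, same key:    $(symmetric_decrypt "$WORK/shared.key")"
new_secret_key "$WORK/other.key"
echo "symmetric, other key:   $(symmetric_decrypt "$WORK/other.key" 2>/dev/null || echo '<decrypt failed>')"
asymmetric_keypair
asymmetric_encrypt "hello kubelet"
echo "asymmetric, private key: $(asymmetric_decrypt)"
public_key_cannot_decrypt && echo "asymmetric, public key:  refused"
```

The private key never leaves the directory, which is the property the symmetric scheme lacks: the public key can be handed to anyone who needs to send data, and possessing it does not let them read what others sent.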