
[cka] Image Security

by Geunny 2024. 7. 28.

1. What secret type must we choose for docker registry?

root@controlplane ~ ➜  k create secret --help
Create a secret with specified type.

 A docker-registry type secret is for accessing a container registry.

 A generic type secret indicate an Opaque secret type.

 A tls type secret holds TLS certificate and its associated key.

Available Commands:
  docker-registry   Create a secret for use with a Docker registry
  generic           Create a secret from a local file, directory, or literal
value
  tls               Create a TLS secret

Usage:
  kubectl create secret (docker-registry | generic | tls) [options]

Use "kubectl create secret <command> --help" for more information about a given
command.
Use "kubectl options" for a list of global command-line options (applies to all
commands).

 

answer : docker-registry

 

2. We have an application running on our cluster. Let us explore it first. What image is the application using?

root@controlplane ~ ➜  k get pods
NAME                  READY   STATUS    RESTARTS   AGE
web-758bd846c-hbvrt   1/1     Running   0          101s
web-758bd846c-vwrrs   1/1     Running   0          101s

root@controlplane ~ ➜  k describe pod web-758bd846c-hbvrt
Name:             web-758bd846c-hbvrt
Namespace:        default
Priority:         0
Service Account:  default
...
    Container ID:   containerd://f5ea0bf54339cc0af6c66d51ed5bbd6619e46b39d9bccfe0b41773f8c045ba93
    Image:          nginx:alpine

 

answer : nginx:alpine

 

3. We decided to use a modified version of the application from an internal private registry. Update the image of the deployment to use the new image from myprivateregistry.com:5000. The registry is located at myprivateregistry.com:5000. Don't worry about the credentials for now; we will configure them in the upcoming steps.

 

 k edit deployments.apps web
 
 ...
 spec:
  progressDeadlineSeconds: 600
  replicas: 2
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: web
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: web
    spec:
      containers:
      - image: nginx:alpine ## -> myprivateregistry.com:5000/nginx:alpine

 

4. Are the new PODs created with the new images successfully running?

root@controlplane ~ ➜  k get pods
NAME                   READY   STATUS             RESTARTS   AGE
web-56d568f9f8-xn5q5   0/1     ImagePullBackOff   0          2m9s
web-758bd846c-hbvrt    1/1     Running            0          7m11s
web-758bd846c-vwrrs    1/1     Running            0          7m11s

 

answer : NO. The pod from the new ReplicaSet is stuck in ImagePullBackOff because the kubelet has no credentials for the private registry. The two old pods are still Running because the rolling update only adds one surge pod (maxSurge: 25% of 2 replicas) and does not take any old pod down (maxUnavailable: 25% rounds down to 0) until the new pod becomes ready.

 

5. Create a secret object with the credentials required to access the registry.

 Name: private-reg-cred 
 Username: dock_user 
 Password: dock_password 
 Server: myprivateregistry.com:5000 
 Email: dock_user@myprivateregistry.com
 
 root@controlplane ~ ➜ kubectl create secret docker-registry private-reg-cred \
 --docker-username=dock_user --docker-password=dock_password \
 --docker-server=myprivateregistry.com:5000 \
 --docker-email=dock_user@myprivateregistry.com
 secret/private-reg-cred created

 

6.  Configure the deployment to use credentials from the new secret to pull images from the private registry

 

https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod

 

 

root@controlplane ~ ➜  k edit deployments.apps web
deployment.apps/web edited

....
    spec:
      containers:
      - image: myprivateregistry.com:5000/nginx:alpine
        imagePullPolicy: IfNotPresent
        name: nginx
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      imagePullSecrets:         ## added: name private-reg-cred (pod-spec level, a sibling of containers, not inside a container)
      - name: private-reg-cred
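The following is an added example for steps 5 and 6; it is not part of the original post and not kubectl's own code. It builds the same kubernetes.io/dockerconfigjson Secret that `kubectl create secret docker-registry` produces, shows that the `auth` field is only base64 of `username:password` (so anyone allowed to read the Secret has the registry password), adds `imagePullSecrets` at the pod-spec level, and runs a simplified version of the kubelet's registry-matching rule to catch the common mistake where the Secret's server (with port) does not match the image's registry (without port). The registry, user, password, email and secret name are the lab values from above; the deployment dict is a constructed, trimmed copy of the `web` Deployment, and the function names are my own.

```python
import base64
import json
from copy import deepcopy

# Constructed inputs, copied from the lab task above.
REGISTRY = "myprivateregistry.com:5000"
USERNAME = "dock_user"
PASSWORD = "dock_password"
EMAIL = "dock_user@myprivateregistry.com"
SECRET_NAME = "private-reg-cred"


def build_dockerconfigjson(server, username, password, email):
    """JSON document that kubectl stores under the .dockerconfigjson key.
    'auth' is base64(username:password): encoding, not encryption, so the
    Secret (and etcd, unless encrypted at rest) holds the password in clear."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return json.dumps({"auths": {server: {
        "username": username, "password": password, "email": email, "auth": auth,
    }}})


def build_secret_manifest(name, server, username, password, email, namespace="default"):
    """Manifest equivalent of `kubectl create secret docker-registry ...`.
    Secrets are namespaced: it must live in the namespace of the pods that use it."""
    cfg = build_dockerconfigjson(server, username, password, email)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(cfg.encode()).decode()},
    }


def credentials_from_secret(secret_manifest, server):
    """What `kubectl get secret <name> -o jsonpath='{.data.\\.dockerconfigjson}' | base64 -d`
    would reveal: the username and password for one registry."""
    cfg = json.loads(base64.b64decode(secret_manifest["data"][".dockerconfigjson"]))
    user, _, pw = base64.b64decode(cfg["auths"][server]["auth"]).decode().partition(":")
    return user, pw


def registry_of(image):
    """Registry host of an image reference, using the container-runtime rule:
    the first path component is a registry only if it contains '.' or ':'
    or is 'localhost'; otherwise the image comes from docker.io."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def add_image_pull_secret(deployment, secret_name):
    """Add imagePullSecrets under spec.template.spec (a sibling of 'containers',
    not inside a container entry). Idempotent; returns a new dict."""
    dep = deepcopy(deployment)
    pod_spec = dep["spec"]["template"]["spec"]
    secrets = pod_spec.setdefault("imagePullSecrets", [])
    if not any(s.get("name") == secret_name for s in secrets):
        secrets.append({"name": secret_name})
    return dep


def images_not_covered(deployment, secret_manifest):
    """Images whose registry (host:port) has no entry in the Secret.
    Simplified kubelet rule (assumption: exact host:port key match), which is
    enough to catch 'myprivateregistry.com:5000' vs 'myprivateregistry.com'."""
    cfg = json.loads(base64.b64decode(secret_manifest["data"][".dockerconfigjson"]))
    servers = set(cfg["auths"])
    containers = deployment["spec"]["template"]["spec"]["containers"]
    return [c["image"] for c in containers if registry_of(c["image"]) not in servers]


# Constructed, trimmed copy of the lab's web Deployment after step 3.
WEB_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {"replicas": 2, "selector": {"matchLabels": {"app": "web"}},
             "template": {"metadata": {"labels": {"app": "web"}},
                          "spec": {"containers": [
                              {"name": "nginx", "image": "myprivateregistry.com:5000/nginx:alpine"}]}}},
}

if __name__ == "__main__":
    secret = build_secret_manifest(SECRET_NAME, REGISTRY, USERNAME, PASSWORD, EMAIL)
    fixed = add_image_pull_secret(WEB_DEPLOYMENT, SECRET_NAME)
    print(json.dumps(secret, indent=2))
    print("recovered credentials:", credentials_from_secret(secret, REGISTRY))
    print("images without matching auth entry:", images_not_covered(fixed, secret))
```

Pipe the printed Secret into `kubectl apply -f -` if you prefer a manifest to the imperative command in step 5 (keeping the manifest out of version control, since it contains the password). The `images_not_covered` check is the one worth running before rolling out: a Secret created for `myprivateregistry.com:5000` is not used for an image written as `myprivateregistry.com/nginx:alpine`, and the pod would land in ImagePullBackOff again with the credentials configured.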

 

 

7. Check the status of PODs. Wait for them to be running. You have now successfully configured a Deployment to pull images from the private registry.

 

root@controlplane ~ ➜  k get pods
NAME                  READY   STATUS    RESTARTS   AGE
web-ffd8c976c-8vd84   1/1     Running   0          88s
web-ffd8c976c-st4g8   1/1     Running   0          89s
