SECURITY in K8s - pracip96/K8s-Learning GitHub Wiki

SECURITY PRIMITIVES

Secure the host that the K8s cluster runs on

KUBE-API-SERVER

Who can Access? Defined by Authentication mechanisms.

What can they do? RBAC Authorization

TLS Certification

Different people interact with the K8 cluster

Admins, Developers, Application Endusers & Bots

AUTHENTICATION by the kube-apiserver is done by:

  • Static Password file
  • Static Token file
  • Certificate
  • Identity service

STATIC PASSWORD FILE

Put the password, username and user ID in a .csv file. Then pass the option --basic-auth-file=<file.csv> to kube-apiserver.service and restart the server.

If the cluster was provisioned with the kubeadm tool, modify the kube-apiserver pod definition file instead.

STATIC TOKEN FILE

Put the token, user, user ID and group ID in the file, pass it to the kube-apiserver service and restart.

TLS CERTIFICATE

A certificate is used to guarantee trust between two parties during a transaction. Without a TLS certificate, a hacker can easily read the messages of the transaction. We must encrypt the data being transferred, using encryption keys. The data is encrypted using a key, and the receiving server needs the same key to decrypt it, so the key is also sent over the internet along with the data. A hacker sniffing the traffic captures the key as well. This is known as SYMMETRIC ENCRYPTION.

ASYMMETRIC ENCRYPTION

Uses a pair of keys, private & public key.

ssh-keygen generates two files, id_rsa and id_rsa.pub.

Then secure the server with the LOCK, i.e. the public key, which is listed in ~/.ssh/authorized_keys (view it with cat ~/.ssh/authorized_keys).

We securely transfer the symmetric key over the internet using ASYMMETRIC encryption.

openssl genrsa -out my-bank.key 1024 generates a private and public key.

When a user first accesses the web server over https, he gets the public key from the server. Since the hacker sniffs the traffic, he also gets the public key.

The user's browser then encrypts the symmetric key using the public key provided by the server and sends it to the server. The hacker also gets a copy of this. The server uses its private key to decrypt the message and retrieve the symmetric key from it. The hacker, however, does not have the private key, so he cannot decrypt the message and get the symmetric key.

CA

We generate a CSR, using the public key and domain name.

The certificate authority (CA) verifies the details, signs the certificate and sends it back.

How do we determine whether a CA is legitimate? CAs have public and private keys. They sign the cert using the private key. The public keys of the CAs are built into the browser, and the browser uses them to validate that the cert was signed by the CA.

TO ENCRYPT MESSAGES, WE USE ASYMMETRIC ENCRYPTION WITH A PAIR OF PUBLIC AND PRIVATE KEYS. AN ADMIN USES A PAIR OF KEYS TO SECURE SSH CONNECTIVITY TO THE SERVER.

THE SERVER SENDS A CSR TO THE CA. THE CA USES ITS PRIVATE KEY TO SIGN THE CSR. THE SIGNED CERT IS SENT BACK TO THE SERVER AND THE SERVER CONFIGURES THE WEB APP WITH IT. WHENEVER A USER ACCESSES THE WEB APP, THE SERVER FIRST SENDS THE CERT WITH ITS PUBLIC KEY. THE USER'S BROWSER READS THE CERT, USES THE CA PUBLIC KEY TO VALIDATE IT AND RETRIEVE THE SERVER PUBLIC KEY, AND GENERATES A SYMMETRIC KEY THAT IT USES FOR COMMUNICATION. THE SYMMETRIC KEY IS ENCRYPTED USING THE SERVER PUBLIC KEY AND SENT TO THE SERVER. THE SERVER USES ITS PRIVATE KEY TO DECRYPT THE MESSAGE AND RETRIEVE THE SYMMETRIC KEY.

AN ADMIN USES A PAIR OF KEYS TO SECURE CONNECTIVITY TO THE SERVER. THE SERVER USES A PAIR OF KEYS TO SECURE HTTPS TRAFFIC.
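
The CA, CSR and key-exchange flow summarized above can be reproduced locally with openssl. This is an added example, not part of the original notes: the names demo-ca, rogue-ca and my-bank.example are constructed, and the keys are 2048-bit rather than the 1024 bits in the command above.

```bash
#!/usr/bin/env bash
# Added example: demo-ca, rogue-ca and my-bank.example are constructed names.
# Exit status 0 means every step of the flow behaved as the notes describe.

run_flow() {
  # CA: private key plus self-signed cert (the CA public key browsers ship with).
  openssl genrsa -out ca.key 2048 2>/dev/null || return 10
  openssl req -x509 -new -key ca.key -subj "/CN=demo-ca" -days 1 -out ca.crt || return 11
  # Server: key pair, then a CSR carrying its public key and domain name.
  openssl genrsa -out my-bank.key 2048 2>/dev/null || return 12
  openssl req -new -key my-bank.key -subj "/CN=my-bank.example" -out my-bank.csr || return 13
  # CA signs the CSR with its private key and returns the certificate.
  openssl x509 -req -in my-bank.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -out my-bank.crt 2>/dev/null || return 14
  # Browser: validate the cert against the CA cert, then extract the server public key.
  openssl verify -CAfile ca.crt my-bank.crt >/dev/null 2>&1 || return 15
  openssl x509 -in my-bank.crt -noout -pubkey > server.pub || return 16
  # Browser: generate a symmetric key and encrypt it with the server public key.
  openssl rand -hex 32 > sym.key || return 17
  openssl pkeyutl -encrypt -pubin -inkey server.pub -in sym.key -out sym.enc || return 18
  # Server: recover the symmetric key with its private key.
  openssl pkeyutl -decrypt -inkey my-bank.key -in sym.enc -out sym.dec || return 19
  cmp -s sym.key sym.dec || return 20
  # Sniffer: holds server.pub and sym.enc only, so decryption must fail.
  if openssl pkeyutl -decrypt -pubin -inkey server.pub -in sym.enc \
       -out sniff.dec 2>/dev/null; then return 21; fi
  # A cert signed by a CA the browser does not trust must be rejected.
  openssl genrsa -out rogue.key 2048 2>/dev/null || return 22
  openssl req -x509 -new -key rogue.key -subj "/CN=rogue-ca" -days 1 -out rogue.crt || return 23
  openssl x509 -req -in my-bank.csr -CA rogue.crt -CAkey rogue.key -CAcreateserial \
    -days 1 -out fake.crt 2>/dev/null || return 24
  if openssl verify -CAfile ca.crt fake.crt >/dev/null 2>&1; then return 25; fi
  return 0
}

tls_flow_demo() {
  # Work in a throwaway directory so no key material is left behind.
  flow_dir=$(mktemp -d) || return 1
  ( cd "$flow_dir" && run_flow ) && flow_rc=0 || flow_rc=$?
  rm -rf "$flow_dir"
  return "$flow_rc"
}

tls_flow_demo && echo "flow OK" || echo "flow failed with step code $?"
```

A non-zero step code identifies which stage did not behave as expected, for example 15 for certificate validation or 21 if decryption succeeded without the private key.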
