Kubernetes CKS【23】---Runtime Security - Auditing

Contents

  • 1. Introduction
  • 2. Enabling "Audit Logging" on the apiserver
  • 3. Creating a Secret and reviewing the audit log
  • 4. Creating an advanced audit policy
  • 5. Reviewing API access history

1. Introduction

(figure: audit logs introduction)

Auditing in Kubernetes is done by the kube-apiserver: every request it handles can be recorded as an Event (API group audit.k8s.io/v1) that captures who made the request (username, groups, source IPs, user agent), what was requested (verb, requestURI, objectRef), the authorization decision and the response code. A request passes through the stages RequestReceived, ResponseStarted (long-running requests such as watch only), ResponseComplete and Panic, and an audit policy decides per request how much is written: None (nothing), Metadata (request metadata, no bodies), Request (metadata plus request body) or RequestResponse (metadata plus request and response bodies). The policy is read once when the apiserver starts, so every change to it needs an apiserver restart. The sections below enable the log backend on a kubeadm control plane, check which events appear when a Secret is created, tighten the policy, and trace what a ServiceAccount and the Pod that uses it did against the API.
2. Enabling "Audit Logging" on the apiserver

Official documentation:
https://kubernetes.io/docs/tasks/debug-application-cluster/audit/

The policy file and the log directory live on the control-plane host, so the kube-apiserver static-pod manifest needs three additions: the --audit-* flags, a volumeMount for /etc/kubernetes/audit, and a matching hostPath volume. Without the mount the container cannot open the policy file and the apiserver exits at startup. The first policy below logs everything at Metadata level; section 4 replaces it with a more selective one.

root@master:/etc/kubernetes/manifests# mkdir -p /etc/kubernetes/audit/logs
root@master:/etc/kubernetes/manifests# cat /etc/kubernetes/audit/policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
root@master:/etc/kubernetes/manifests# cat kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 192.168.211.40:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --audit-policy-file=/etc/kubernetes/audit/policy.yaml       # add
    - --audit-log-path=/etc/kubernetes/audit/logs/audit.log       # add
    - --audit-log-maxsize=500                                     # add
    - --audit-log-maxbackup=5                                     # add
    - --advertise-address=192.168.211.40
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --insecure-port=0
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    image: k8s.gcr.io/kube-apiserver:v1.20.7
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 192.168.211.40
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    name: kube-apiserver
    readinessProbe:
      failureThreshold: 3
      httpGet:
        host: 192.168.211.40
        path: /readyz
        port: 6443
        scheme: HTTPS
      periodSeconds: 1
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    startupProbe:
      failureThreshold: 24
      httpGet:
        host: 192.168.211.40
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/ca-certificates
      name: etc-ca-certificates
      readOnly: true
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /usr/local/share/ca-certificates
      name: usr-local-share-ca-certificates
      readOnly: true
    - mountPath: /usr/share/ca-certificates
      name: usr-share-ca-certificates
      readOnly: true
    - mountPath: /etc/kubernetes/audit      # add
      name: audit                           # add
  hostNetwork: true
  priorityClassName: system-node-critical
  volumes:
  - hostPath:                               # add
      path: /etc/kubernetes/audit           # add
      type: DirectoryOrCreate               # add
    name: audit                             # add
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/ca-certificates
      type: DirectoryOrCreate
    name: etc-ca-certificates
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
  - hostPath:
      path: /usr/local/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-local-share-ca-certificates
  - hostPath:
      path: /usr/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-share-ca-certificates
status: {}
root@master:/etc/kubernetes/manifests# k get pods -n kube-system |grep api
kube-apiserver-master                      1/1     Running   3          5m
root@master:/etc/kubernetes/manifests# tail /etc/kubernetes/audit/logs/audit.log
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"3ea2f430-108b-4b17-b967-6e26619fda99","stage":"RequestReceived","requestURI":"/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/kube-controller-manager?timeout=10s","verb":"update","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["192.168.211.40"],"userAgent":"kube-controller-manager/v1.20.7 (linux/amd64) kubernetes/132a687/leader-election","objectRef":{"resource":"leases","namespace":"kube-system","name":"kube-controller-manager","apiGroup":"coordination.k8s.io","apiVersion":"v1"},"requestReceivedTimestamp":"2021-05-24T08:28:50.431353Z","stageTimestamp":"2021-05-24T08:28:50.431353Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"f6a3fc3b-96eb-4e2e-9ba2-66d2e345fb8a","stage":"RequestReceived","requestURI":"/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler?timeout=10s","verb":"update","user":{"username":"system:kube-scheduler","groups":["system:authenticated"]},"sourceIPs":["192.168.211.40"],"userAgent":"kube-scheduler/v1.20.7 (linux/amd64) kubernetes/132a687/leader-election","objectRef":{"resource":"leases","namespace":"kube-system","name":"kube-scheduler","apiGroup":"coordination.k8s.io","apiVersion":"v1"},"requestReceivedTimestamp":"2021-05-24T08:28:50.435266Z","stageTimestamp":"2021-05-24T08:28:50.435266Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"3ea2f430-108b-4b17-b967-6e26619fda99","stage":"ResponseComplete","requestURI":"/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/kube-controller-manager?timeout=10s","verb":"update","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["192.168.211.40"],"userAgent":"kube-controller-manager/v1.20.7 (linux/amd64) kubernetes/132a687/leader-election","objectRef":{"resource":"leases","namespace":"kube-system","name":"kube-controller-manager","uid":"bcb35dd3-5cb0-4460-99af-dcedb37a6bfa","apiGroup":"coordination.k8s.io","apiVersion":"v1","resourceVersion":"30280"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-05-24T08:28:50.431353Z","stageTimestamp":"2021-05-24T08:28:50.438912Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:kube-controller-manager\" of ClusterRole \"system:kube-controller-manager\" to User \"system:kube-controller-manager\""}}
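Before restarting the apiserver it is worth checking that the manifest edit above is internally consistent. The following is an added example, not code from the original post: it scans a kube-apiserver manifest as text (no PyYAML, so it runs anywhere), extracts the `--audit-*` flags and the `mountPath:` entries, and reports any audit path that no volumeMount covers, which is the mistake that makes the apiserver die at startup with the policy file unreadable. The two manifests embedded below are constructed, trimmed versions of the one on this page; the function and regex names are this example's own.

```python
"""Sanity-check the audit wiring of a kube-apiserver static-pod manifest.

Added example (not from the original post). It deliberately avoids PyYAML and
scans the manifest text: every --audit-* flag is collected, every mountPath is
collected, and each audit path must sit under some mountPath, otherwise the
container cannot read the policy or write the log.
"""
import re
from typing import Dict, List

FLAG_RE = re.compile(r"^\s*-\s*--(audit-[a-z-]+)=(\S+)", re.MULTILINE)
MOUNT_RE = re.compile(r"^\s*-?\s*mountPath:\s*(\S+)", re.MULTILINE)
REQUIRED = ("audit-policy-file", "audit-log-path")

# Constructed, trimmed manifest modelled on the one in this post (not the real file).
GOOD_MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --audit-policy-file=/etc/kubernetes/audit/policy.yaml
    - --audit-log-path=/etc/kubernetes/audit/logs/audit.log
    - --audit-log-maxsize=500
    - --audit-log-maxbackup=5
    - --secure-port=6443
    volumeMounts:
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /etc/kubernetes/audit
      name: audit
  volumes:
  - hostPath:
      path: /etc/kubernetes/audit
      type: DirectoryOrCreate
    name: audit
"""

# Same manifest with the audit volumeMount forgotten: flags present, directory invisible.
BAD_MANIFEST = GOOD_MANIFEST.replace(
    "    - mountPath: /etc/kubernetes/audit\n      name: audit\n", "")


def parse_audit_flags(manifest: str) -> Dict[str, str]:
    """Map flag name (without leading dashes) to its value, e.g. 'audit-log-maxsize' -> '500'."""
    return dict(FLAG_RE.findall(manifest))


def parse_mount_paths(manifest: str) -> List[str]:
    """All container mountPath values, in manifest order."""
    return MOUNT_RE.findall(manifest)


def is_under(path: str, mount: str) -> bool:
    """True if path is the mount point itself or lies inside it."""
    mount = mount.rstrip("/")
    return path == mount or path.startswith(mount + "/")


def check_audit_config(manifest: str) -> List[str]:
    """Return a list of problems; an empty list means the audit wiring looks sound."""
    flags = parse_audit_flags(manifest)
    mounts = parse_mount_paths(manifest)
    problems = []
    for name in REQUIRED:
        if name not in flags:
            problems.append(f"missing --{name}")
    for name in REQUIRED:
        path = flags.get(name)
        if path and not any(is_under(path, m) for m in mounts):
            problems.append(f"--{name}={path} is not under any mountPath; "
                            "the apiserver cannot open it inside the container")
    if "audit-log-maxbackup" not in flags and "audit-log-maxage" not in flags:
        problems.append("no --audit-log-maxbackup/--audit-log-maxage: "
                        "rotated logs accumulate on the control-plane disk without bound")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_MANIFEST), ("bad", BAD_MANIFEST)):
        print(label, check_audit_config(text) or "OK")
```

Run it against the real file with `python3 check_audit.py < /etc/kubernetes/manifests/kube-apiserver.yaml` after swapping the embedded strings for `sys.stdin.read()`; an empty result is the green light to let the kubelet restart the static Pod.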

3. Creating a Secret and reviewing the audit log

root@master:/etc/kubernetes/manifests# k create secret generic very-secure --from-literal=user=admin
secret/very-secure created
root@master:/etc/kubernetes/manifests# cat /etc/kubernetes/audit/logs/audit.log |grep very-secure | jq .
{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "auditID": "12831143-4615-4f4c-a443-6b80c946a0b1",
  "stage": "ResponseComplete",
  "requestURI": "/api/v1/namespaces/default/secrets?fieldManager=kubectl-create",
  "verb": "create",
  "user": {
    "username": "kubernetes-admin",
    "groups": [
      "system:masters",
      "system:authenticated"
    ]
  },
  "sourceIPs": [
    "192.168.211.40"
  ],
  "userAgent": "kubectl/v1.20.2 (linux/amd64) kubernetes/faecb19",
  "objectRef": {
    "resource": "secrets",
    "namespace": "default",
    "name": "very-secure",
    "apiVersion": "v1"
  },
  "responseStatus": {
    "metadata": {},
    "code": 201
  },
  "requestReceivedTimestamp": "2021-05-24T08:30:54.109005Z",
  "stageTimestamp": "2021-05-24T08:30:54.114724Z",
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": ""
  }
}

At level Metadata the request body is not recorded, so the literal `user=admin` never reaches the log. A Request or RequestResponse rule that matches Secrets would write the Secret's data into audit.log in clear text, which is why Secrets should stay at Metadata in any policy.

4. Creating an advanced audit policy


root@master:/etc/kubernetes/audit# cat policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - "RequestReceived"
rules:
# rules are evaluated top-down; the first rule whose selectors all match sets the level
- level: None
  verbs: ["get","list","watch"]
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets"]
- level: RequestResponse

Rule order matters. An unrestricted `- level: Metadata` rule placed first, as in the section 2 policy, would match every request and shadow everything below it; the levels in the log below (RequestResponse for the lease update, and in section 5 Metadata for the token Secret) confirm the order above. Note also that because the None rule comes first, reads of Secrets (get, list, watch) are never logged under this policy; put the secrets rule above it if you need to see who reads Secrets. Dropping the RequestReceived stage halves the volume, since every request would otherwise produce one event at that stage and one at ResponseComplete.

The apiserver reads the policy only at startup, so it has to be restarted. With kubeadm the apiserver is a static Pod: moving its manifest out of /etc/kubernetes/manifests makes the kubelet stop it, and moving it back starts it with the new policy.

root@master:~/imagev1.20.7# mv /etc/kubernetes/manifests/kube-apiserver.yaml /etc/kubernetes/
root@master:~/imagev1.20.7# ps aux |grep api
root@master:~/imagev1.20.7# mv /etc/kubernetes/kube-apiserver.yaml /etc/kubernetes/manifests/kube-apiserver.yaml
root@master:~/imagev1.20.7# ps aux |grep api
root      25311  102 19.6 1165724 399712 ?      Ssl  01:49   0:08 kube-apiserver --audit-policy-file=/etc/kubernetes/audit/policy.yaml --audit-log-path=/etc/kubernetes/audit/logs/audit.log --audit-log-maxsize=500 --audit-log-maxbackup=5 --advertise-address=192.168.211.40 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --insecure-port=0 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/12 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
root@master:/etc/kubernetes/manifests# tail /etc/kubernetes/audit/logs/audit.log | jq .
{"kind": "Event","apiVersion": "audit.k8s.io/v1","level": "RequestResponse","auditID": "af001aec-e743-40fb-9530-33d78b0b837a","stage": "ResponseComplete","requestURI": "/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/kube-controller-manager?timeout=10s","verb": "update","user": {"username": "system:kube-controller-manager","groups": ["system:authenticated"]},"sourceIPs": ["192.168.211.40"],"userAgent": "kube-controller-manager/v1.20.7 (linux/amd64) kubernetes/132a687/leader-election","objectRef": {"resource": "leases","namespace": "kube-system","name": "kube-controller-manager","uid": "bcb35dd3-5cb0-4460-99af-dcedb37a6bfa","apiGroup": "coordination.k8s.io","apiVersion": "v1","resourceVersion": "33178"},"responseStatus": {"metadata": {},"code": 200},"requestObject": {"kind": "Lease","apiVersion": "coordination.k8s.io/v1","metadata": {"name": "kube-controller-manager","namespace": "kube-system","uid": "bcb35dd3-5cb0-4460-99af-dcedb37a6bfa","resourceVersion": "33178","creationTimestamp": "2021-05-14T08:37:45Z","managedFields": [{"manager": "kube-controller-manager","operation": "Update","apiVersion": "coordination.k8s.io/v1","time": "2021-05-14T08:37:45Z","fieldsType": "FieldsV1","fieldsV1": {"f:spec": {"f:acquireTime": {},"f:holderIdentity": {},"f:leaseDurationSeconds": {},"f:leaseTransitions": {},"f:renewTime": {}}}}]},"spec": {"holderIdentity": "master_0b1b6fb7-55d4-4a8b-b560-bc283491de73","leaseDurationSeconds": 15,"acquireTime": "2021-05-24T09:05:09.579371Z","renewTime": "2021-05-24T09:05:54.355135Z","leaseTransitions": 7}},"responseObject": {"kind": "Lease","apiVersion": "coordination.k8s.io/v1","metadata": {"name": "kube-controller-manager","namespace": "kube-system","uid": "bcb35dd3-5cb0-4460-99af-dcedb37a6bfa","resourceVersion": "33179","creationTimestamp": "2021-05-14T08:37:45Z","managedFields": [{"manager": "kube-controller-manager","operation": "Update","apiVersion": "coordination.k8s.io/v1","time": "2021-05-14T08:37:45Z","fieldsType": "FieldsV1","fieldsV1": {"f:spec": {"f:acquireTime": {},"f:holderIdentity": {},"f:leaseDurationSeconds": {},"f:leaseTransitions": {},"f:renewTime": {}}}}]},"spec": {"holderIdentity": "master_0b1b6fb7-55d4-4a8b-b560-bc283491de73","leaseDurationSeconds": 15,"acquireTime": "2021-05-24T09:05:09.579371Z","renewTime": "2021-05-24T09:05:54.355135Z","leaseTransitions": 7}},"requestReceivedTimestamp": "2021-05-24T09:05:54.382234Z","stageTimestamp": "2021-05-24T09:05:54.397800Z","annotations": {"authorization.k8s.io/decision": "allow","authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"system:kube-controller-manager\" of ClusterRole \"system:kube-controller-manager\" to User \"system:kube-controller-manager\""}
}
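The policy above only does what the log shows because of its rule order, and that is easy to get wrong. The following added example (mine, not code from the post or from the Kubernetes code base) re-implements the apiserver's first-match rule evaluation for the selectors used on this page (verbs, users, userGroups, namespaces, resources including the `resource/subresource`, `resource/*` and `*/subresource` forms) and runs three policies against constructed requests modelled on the events in this post: the page's policy, the same rules with an unrestricted Metadata rule on top (which shadows everything), and a hardened variant that logs Secret reads and tones node status traffic down to Metadata. All request dicts and policy names below are this example's own.

```python
"""Evaluate a Kubernetes audit Policy the way the apiserver does: rules are checked
top-down, the FIRST rule whose selectors all match decides the level, and a request
that matches no rule is not logged at all (level None).

Added example, not from the original post or from Kubernetes itself. Policies and
requests are plain dicts (no PyYAML needed); the requests are constructed to mirror
the events shown in this post.
"""
from typing import List, Optional


def resource_matches(rule_resources: List[dict], req: dict) -> bool:
    """No 'resources' selector matches everything. Otherwise the API group must match
    and the resource must be listed; a subresource request only matches the forms
    'res/sub', 'res/*' or '*/sub' (a bare 'pods' does NOT match 'pods/status')."""
    if not rule_resources:
        return True
    resource, sub = req["resource"], req.get("subresource", "")
    for gr in rule_resources:
        if gr.get("group", "") != req.get("apiGroup", ""):
            continue
        names = gr.get("resources", [])
        if not names:
            return True  # whole API group
        for res in names:
            if not sub:
                if res in (resource, "*"):
                    return True
            elif res in (f"{resource}/{sub}", f"{resource}/*", f"*/{sub}"):
                return True
    return False


def rule_matches(rule: dict, req: dict) -> bool:
    """Every selector present on the rule must match; absent selectors match anything."""
    if rule.get("verbs") and req["verb"] not in rule["verbs"]:
        return False
    if rule.get("users") and req["user"] not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(rule["userGroups"]) & set(req.get("groups", [])):
        return False
    if rule.get("namespaces") and req.get("namespace", "") not in rule["namespaces"]:
        return False
    return resource_matches(rule.get("resources", []), req)


def first_match(policy: dict, req: dict) -> Optional[int]:
    """Index of the first matching rule, or None when nothing matches."""
    for i, rule in enumerate(policy.get("rules", [])):
        if rule_matches(rule, req):
            return i
    return None


def audit_level(policy: dict, req: dict) -> str:
    i = first_match(policy, req)
    return policy["rules"][i]["level"] if i is not None else "None"


# The policy from this section of the post.
PAGE_POLICY = {"rules": [
    {"level": "None", "verbs": ["get", "list", "watch"]},
    {"level": "Metadata", "resources": [{"group": "", "resources": ["secrets"]}]},
    {"level": "RequestResponse"},
]}
# Same rules with an unrestricted rule on top: it matches first, the rest never fire.
SHADOWED_POLICY = {"rules": [{"level": "Metadata"}] + PAGE_POLICY["rules"]}
# Hardened variant: Secret reads are logged, kubelet (system:nodes) traffic is trimmed.
HARDENED_POLICY = {"rules": [
    {"level": "Metadata", "resources": [{"group": "", "resources": ["secrets"]}]},
    {"level": "None", "verbs": ["get", "list", "watch"]},
    {"level": "Metadata", "userGroups": ["system:nodes"]},
    {"level": "RequestResponse"},
]}

# Constructed requests modelled on the audit events in this post.
LEASE_UPDATE = {"verb": "update", "user": "system:kube-controller-manager",
                "groups": ["system:authenticated"], "apiGroup": "coordination.k8s.io",
                "resource": "leases", "namespace": "kube-system"}
SECRET_CREATE = {"verb": "create", "user": "system:kube-controller-manager",
                 "groups": ["system:authenticated"], "apiGroup": "",
                 "resource": "secrets", "namespace": "default"}
SECRET_GET = {"verb": "get", "user": "kubernetes-admin",
              "groups": ["system:masters", "system:authenticated"], "apiGroup": "",
              "resource": "secrets", "namespace": "default"}
NODE_STATUS_PATCH = {"verb": "patch", "user": "system:node:node2",
                     "groups": ["system:nodes", "system:authenticated"], "apiGroup": "",
                     "resource": "pods", "subresource": "status", "namespace": "default"}

if __name__ == "__main__":
    for name, pol in (("page", PAGE_POLICY), ("shadowed", SHADOWED_POLICY), ("hardened", HARDENED_POLICY)):
        for rname, req in (("lease update", LEASE_UPDATE), ("secret create", SECRET_CREATE),
                           ("secret get", SECRET_GET), ("pod status patch", NODE_STATUS_PATCH)):
            print(f"{name:9} {rname:17} -> {audit_level(pol, req)}")
```

Running it shows the page's policy giving RequestResponse to the lease update and Metadata to the token Secret creation, exactly as the log above, but None to `kubectl get secret`; the shadowed policy answers Metadata to everything; the hardened one logs the Secret read and keeps the noisy kubelet status patches at Metadata.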

5. Reviewing API access history

root@master:/etc/kubernetes/manifests# k create sa very-crazy-sa
serviceaccount/very-crazy-sa created
root@master:/etc/kubernetes/manifests# k get sa
NAME            SECRETS   AGE
default         1         10d
very-crazy-sa   1         5s
root@master:/etc/kubernetes/manifests# k get secret
NAME                        TYPE                                  DATA   AGE
default-token-4lh26         kubernetes.io/service-account-token   3      10d
very-crazy-sa-token-fr7sw   kubernetes.io/service-account-token   3      46s
very-secure                 Opaque                                1      52m
root@master:/etc/kubernetes/manifests# cat /etc/kubernetes/audit/logs/audit.log |grep very-crazy-sa
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"1332e3c4-63d1-408e-b2d0-95b21774cd2d","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/serviceaccounts?fieldManager=kubectl-create","verb":"create","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.211.40"],"userAgent":"kubectl/v1.20.2 (linux/amd64) kubernetes/faecb19","objectRef":{"resource":"serviceaccounts","namespace":"default","name":"very-crazy-sa","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"very-crazy-sa","creationTimestamp":null}},"responseObject":{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"very-crazy-sa","namespace":"default","uid":"26cc66f7-cf7d-443a-8bb0-b1b9af6bd30a","resourceVersion":"34576","creationTimestamp":"2021-05-24T09:22:24Z"}},"requestReceivedTimestamp":"2021-05-24T09:22:24.643249Z","stageTimestamp":"2021-05-24T09:22:24.652927Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"96c8fea3-0874-46a7-baed-e32c07316529","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets","verb":"create","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["192.168.211.40"],"userAgent":"kube-controller-manager/v1.20.7 (linux/amd64) kubernetes/132a687/tokens-controller","objectRef":{"resource":"secrets","namespace":"default","name":"very-crazy-sa-token-fr7sw","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2021-05-24T09:22:24.676670Z","stageTimestamp":"2021-05-24T09:22:24.686139Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:kube-controller-manager\" of ClusterRole \"system:kube-controller-manager\" to User \"system:kube-controller-manager\""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"27737c46-ab58-4b5b-a12c-b3974e7ecbff","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/serviceaccounts/very-crazy-sa","verb":"update","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["192.168.211.40"],"userAgent":"kube-controller-manager/v1.20.7 (linux/amd64) kubernetes/132a687/tokens-controller","objectRef":{"resource":"serviceaccounts","namespace":"default","name":"very-crazy-sa","uid":"26cc66f7-cf7d-443a-8bb0-b1b9af6bd30a","apiVersion":"v1","resourceVersion":"34576"},"responseStatus":{"metadata":{},"code":200},"requestObject":{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"very-crazy-sa","namespace":"default","uid":"26cc66f7-cf7d-443a-8bb0-b1b9af6bd30a","resourceVersion":"34576","creationTimestamp":"2021-05-24T09:22:24Z"},"secrets":[{"name":"very-crazy-sa-token-fr7sw"}]},"responseObject":{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"very-crazy-sa","namespace":"default","uid":"26cc66f7-cf7d-443a-8bb0-b1b9af6bd30a","resourceVersion":"34578","creationTimestamp":"2021-05-24T09:22:24Z"},"secrets":[{"name":"very-crazy-sa-token-fr7sw"}]},"requestReceivedTimestamp":"2021-05-24T09:22:24.688390Z","stageTimestamp":"2021-05-24T09:22:24.691198Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:kube-controller-manager\" of ClusterRole \"system:kube-controller-manager\" to User \"system:kube-controller-manager\""}}
The three events show the whole chain: kubernetes-admin created the ServiceAccount (RequestResponse, so the request and response bodies are included), the controller-manager's tokens-controller created the token Secret very-crazy-sa-token-fr7sw (Metadata only, because the secrets rule matched), and then updated the ServiceAccount to reference that Secret. Next, a Pod that runs as this ServiceAccount:

root@master:~/cks/runtime-security# k run accessor --image=nginx --dry-run=client -oyaml > pod.yaml
root@master:~/cks/runtime-security# vim pod.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: accessor
  name: accessor
spec:
  serviceAccountName: very-crazy-sa   # add this line
  containers:
  - image: nginx
    name: accessor
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
root@master:~/cks/runtime-security# k create -f pod.yaml
pod/accessor created
root@master:~/cks/runtime-security# k get pod accessor -w
NAME       READY   STATUS              RESTARTS   AGE
accessor   0/1     ContainerCreating   0          11s
accessor   1/1     Running             0          20s
root@master:~/cks/runtime-security# cat /etc/kubernetes/audit/logs/audit.log |grep accessor
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"1025990a-e51c-4c51-9010-6436999a88cb","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods/accessor/status","verb":"patch","user":{"username":"system:node:node2","groups":["system:nodes","system:authenticated"]},"sourceIPs":["192.168.211.42"],"userAgent":"kubelet/v1.20.1 (linux/amd64) kubernetes/c4d7527","objectRef":{"resource":"pods","namespace":"default","name":"accessor","apiVersion":"v1","subresource":"status"},"responseStatus":{"metadata":{},"code":200},"requestObject":{"metadata":{"uid":"d67a9290-1dc8-4f14-ac84-88e9ae82d2a2"},"status":{"$setElementOrder/conditions":[{"type":"Initialized"},{"type":"Ready"},{"type":"ContainersReady"},{"type":"PodScheduled"}],"conditions":[{"lastTransitionTime":"2021-05-24T09:29:44Z","message":null,"reason":null,"status":"True","type":"Ready"},{"lastTransitionTime":"2021-05-24T09:29:44Z","message":null,"reason":null,"status":"True","type":"ContainersReady"}],"containerStatuses":[{"containerID":"docker://d80411bf54156c9f65c4887c4255dc545b8ebdf518d4d9470f23b0ad3f984b39","image":"nginx:latest","imageID":"docker-pullable://nginx@sha256:df13abe416e37eb3db4722840dd479b00ba193ac6606e7902331dcea50f4f1f2","lastState":{},"name":"accessor","ready":true,"restartCount":0,"started":true,"state":{"running":{"startedAt":"2021-05-24T09:29:43Z"}}}],"phase":"Running","podIP":"10.244.104.11","podIPs":[{"ip":"10.244.104.11"}]}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"accessor","namespace":"default","uid":"d67a9290-1dc8-4f14-ac84-88e9ae82d2a2","resourceVersion":"35224","creationTimestamp":"2021-05-24T09:29:24Z","labels":{"run":"accessor"},"annotations":{"cni.projectcalico.org/podIP":"10.244.104.11/32","cni.projectcalico.org/podIPs":"10.244.104.11/32"},"managedFields":[{"manager":"kubectl-create","operation":"Update","apiVersion":"v1","time":"2021-05-24T09:29:24Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:run":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"accessor\"}":{".":{},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:enableServiceLinks":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:serviceAccount":{},"f:serviceAccountName":{},"f:terminationGracePeriodSeconds":{}}}},{"manager":"calico","operation":"Update","apiVersion":"v1","time":"2021-05-24T09:29:26Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:cni.projectcalico.org/podIP":{},"f:cni.projectcalico.org/podIPs":{}}}}},{"manager":"kubelet","operation":"Update","apiVersion":"v1","time":"2021-05-24T09:29:44Z","fieldsType":"FieldsV1","fieldsV1":{"f:status":{"f:conditions":{"k:{\"type\":\"ContainersReady\"}":{".":{},"f:lastProbeTime":{},"f:lastTransitionTime":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Initialized\"}":{".":{},"f:lastProbeTime":{},"f:lastTransitionTime":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Ready\"}":{".":{},"f:lastProbeTime":{},"f:lastTransitionTime":{},"f:status":{},"f:type":{}}},"f:containerStatuses":{},"f:hostIP":{},"f:phase":{},"f:podIP":{},"f:podIPs":{".":{},"k:{\"ip\":\"10.244.104.11\"}":{".":{},"f:ip":{}}},"f:startTime":{}}}}]},"spec":{"volumes":[{"name":"very-crazy-sa-token-fr7sw","secret":{"secretName":"very-crazy-sa-token-fr7sw","defaultMode":420}}],"containers":[{"name":"accessor","image":"nginx","resources":{},"volumeMounts":[{"name":"very-crazy-sa-token-fr7sw","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"very-crazy-sa","serviceAccount":"very-crazy-sa","nodeName":"node2","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true,"preemptionPolicy":"PreemptLowerPriority"},"status":{"phase":"Running","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2021-05-24T09:29:24Z"},{"type":"Ready","status":"True","lastProbeTime":null,"lastTransitionTime":"2021-05-24T09:29:44Z"},{"type":"ContainersReady","status":"True","lastProbeTime":null,"lastTransitionTime":"2021-05-24T09:29:44Z"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2021-05-24T09:29:24Z"}],"hostIP":"192.168.211.42","podIP":"10.244.104.11","podIPs":[{"ip":"10.244.104.11"}],"startTime":"2021-05-24T09:29:24Z","containerStatuses":[{"name":"accessor","state":{"running":{"startedAt":"2021-05-24T09:29:43Z"}},"lastState":{},"ready":true,"restartCount":0,"image":"nginx:latest","imageID":"docker-pullable://nginx@sha256:df13abe416e37eb3db4722840dd479b00ba193ac6606e7902331dcea50f4f1f2","containerID":"docker://d80411bf54156c9f65c4887c4255dc545b8ebdf518d4d9470f23b0ad3f984b39","started":true}],"qosClass":"BestEffort"}},"requestReceivedTimestamp":"2021-05-24T09:29:44.384315Z","stageTimestamp":"2021-05-24T09:29:44.426816Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}

This event is the kubelet on node2 (system:node:node2, source 192.168.211.42) patching the Pod's status. Because it was logged at RequestResponse, the responseObject carries the complete Pod object, including the very-crazy-sa-token-fr7sw Secret mounted at /var/run/secrets/kubernetes.io/serviceaccount. From here on, anything the container does with that token shows up in the audit log under the username system:serviceaccount:default:very-crazy-sa and the Pod's IP 10.244.104.11 as sourceIP, which is what makes the log useful for tracing a compromised workload.
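Grepping the file for a name, as sections 3 and 5 do, answers "was this object touched" but not "by whom, in what order, and was anything denied". The following is an added example, not code from the original post: it parses audit.log as JSON lines, keeps the structured equivalent of `grep very-crazy-sa`, builds a sorted timeline of (time, user, verb, resource, name, code, decision), and adds the two checks a reviewer wants from this log: Secret access by anything other than a control-plane component or a node, and requests RBAC denied. SAMPLE_LOG is constructed here in the audit.k8s.io/v1 Event shape shown above; the last two events (an admin reading the token Secret, and the accessor Pod's ServiceAccount trying to list Secrets and receiving 403) are invented to exercise those checks and did not happen on this page. Function names are this example's own.

```python
"""Triage kube-apiserver audit events (one JSON object per line, as written by
--audit-log-path) for a named object or principal.

Added example, not from the original post. Where the post pipes the file through
`grep very-crazy-sa`, this does the same search on parsed events and adds the two
checks a reviewer actually wants: Secret access by anything that is not a
control-plane or node identity, and requests that RBAC denied.
"""
import json
from typing import List, Tuple

# Constructed sample log (audit.k8s.io/v1 Event shape, abbreviated). The first four
# lines mirror events in this post; the 'get secrets' and the 403 'list secrets' by the
# Pod's ServiceAccount are invented to exercise the checks below.
SAMPLE_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"c0001","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/serviceaccounts?fieldManager=kubectl-create","verb":"create","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.211.40"],"objectRef":{"resource":"serviceaccounts","namespace":"default","name":"very-crazy-sa","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2021-05-24T09:22:24.643249Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"c0002","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets","verb":"create","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["192.168.211.40"],"objectRef":{"resource":"secrets","namespace":"default","name":"very-crazy-sa-token-fr7sw","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2021-05-24T09:22:24.676670Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding system:kube-controller-manager"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"c0003","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/serviceaccounts/very-crazy-sa","verb":"update","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["192.168.211.40"],"objectRef":{"resource":"serviceaccounts","namespace":"default","name":"very-crazy-sa","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-05-24T09:22:24.688390Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding system:kube-controller-manager"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"c0004","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets/very-crazy-sa-token-fr7sw","verb":"get","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.211.40"],"objectRef":{"resource":"secrets","namespace":"default","name":"very-crazy-sa-token-fr7sw","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-05-24T09:25:10.000000Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"c0005","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods/accessor/status","verb":"patch","user":{"username":"system:node:node2","groups":["system:nodes","system:authenticated"]},"sourceIPs":["192.168.211.42"],"objectRef":{"resource":"pods","namespace":"default","name":"accessor","apiVersion":"v1","subresource":"status"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-05-24T09:29:44.384315Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"c0006","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets","verb":"list","user":{"username":"system:serviceaccount:default:very-crazy-sa","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"]},"sourceIPs":["10.244.104.11"],"objectRef":{"resource":"secrets","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Failure","reason":"Forbidden","code":403},"requestReceivedTimestamp":"2021-05-24T09:31:02.000000Z","annotations":{"authorization.k8s.io/decision":"forbid","authorization.k8s.io/reason":""}}
"""

CONTROL_PLANE = ("system:kube-controller-manager", "system:kube-scheduler", "system:apiserver")
Row = Tuple[str, str, str, str, str, int, str]


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines output; a truncated or half-written line is skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def mentions(events: List[dict], needle: str) -> List[dict]:
    """Structured `grep`: the needle may sit in objectRef, username, requestURI or a body."""
    return [e for e in events if needle in json.dumps(e)]


def summarize(e: dict) -> Row:
    """(time, user, verb, resource[/subresource], name, HTTP code, authz decision)."""
    ref = e.get("objectRef", {})
    resource = ref.get("resource", e.get("requestURI", ""))
    if ref.get("subresource"):
        resource += "/" + ref["subresource"]
    return (e["requestReceivedTimestamp"], e["user"]["username"], e["verb"], resource,
            ref.get("name", ""), e.get("responseStatus", {}).get("code", 0),
            e.get("annotations", {}).get("authorization.k8s.io/decision", ""))


def timeline(events: List[dict], needle: str) -> List[Row]:
    return sorted((summarize(e) for e in mentions(events, needle)), key=lambda r: r[0])


def is_control_plane(username: str) -> bool:
    return username in CONTROL_PLANE or username.startswith("system:node:")


def non_control_plane_secret_access(events: List[dict]) -> List[Row]:
    """Secret requests by humans or workload ServiceAccounts. Remember that the
    post's policy drops get/list/watch before the secrets rule, so reads only
    appear here if the secrets rule is moved above the None rule."""
    return [summarize(e) for e in events
            if e.get("objectRef", {}).get("resource") == "secrets"
            and not is_control_plane(e["user"]["username"])]


def denied(events: List[dict]) -> List[Row]:
    """Requests RBAC refused: a workload probing for permissions it does not have."""
    return [summarize(e) for e in events
            if e.get("annotations", {}).get("authorization.k8s.io/decision") == "forbid"]


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for row in timeline(ev, "very-crazy-sa"):
        print(*row)
    print("secret access:", non_control_plane_secret_access(ev))
    print("denied:", denied(ev))
```

Against a real file, replace SAMPLE_LOG with `open("/etc/kubernetes/audit/logs/audit.log").read()`; rotated files (`audit-2021-05-24T08-28-50.123.log` style names next to audit.log) parse the same way, so concatenate them when the window of interest spans a rotation.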
