1) Secret problem
Problem
Create a Kubernetes secret as follows:
- Name: super-secret
- password: bob
- Create a pod named pod-secrets-via-file, which mounts a secret named super-secret at /secrets.
- Create a second pod named pod-secrets-via-env, which exports password as CONFIDENTIAL.
Solution
The exact command has to be looked up in the docs during the exam; the thing to remember is the --from-literal flag (of kubectl create secret generic)!
- https://kubernetes.io/search/?q=from-literal
- https://kubernetes.io/docs/concepts/configuration/secret/#restriction-secret-must-exist
- https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-container-environment-variables-using-secret-data
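The notes never show the Secret itself, only the flag to remember. The manifest below is an added example (not part of the original notes) of the declarative equivalent of the kubectl command; the imperative form is in the first comment. Only the name and the password key come from the task; `type: Opaque` is the default and is an assumption of this example.

```yaml
# Added example: the Secret both pods consume. Imperative equivalent:
#   kubectl create secret generic super-secret --from-literal=password=bob
apiVersion: v1
kind: Secret
metadata:
  name: super-secret
type: Opaque                # default type; assumed here, not stated in the task
# stringData takes plaintext; the API server base64-encodes it into .data on save.
# base64 is encoding, not encryption: anyone allowed to read the Secret object
# (kubectl get secret super-secret -o yaml) can recover the password.
stringData:
  password: bob
# Verify after creation (the pipeline decodes .data.password back to plaintext):
#   kubectl get secret super-secret -o jsonpath='{.data.password}' | base64 -d
```

Both pods reference the Secret by name, so it must exist in the same namespace before the pods are scheduled; otherwise the via-file pod stays in ContainerCreating and the via-env pod fails with CreateContainerConfigError.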
- Create a pod named pod-secrets-via-file, which mounts a secret named super-secret at /secrets.
apiVersion: v1
kind: Pod
metadata:
  name: pod-secrets-via-file
spec:
  volumes:
  - name: secret-volume          # the volume name is arbitrary; it only has to match volumeMounts below
    secret:
      secretName: super-secret   # the Secret must already exist in the pod's namespace
  containers:
  - name: dotfile-test-container
    image: registry.k8s.io/busybox
    # Each key of the Secret becomes a file under the mount path, e.g. /secrets/password.
    # Caveat: `ls` exits immediately, so the container completes and is restarted under the
    # default restartPolicy: Always. Use a long-running command if the pod must stay Running.
    command:
    - ls
    - "-l"
    - "/secrets"
    volumeMounts:
    - name: secret-volume
      readOnly: true             # secret volumes should never be writable by the container
      mountPath: "/secrets"
- Create a second pod named pod-secrets-via-env, which exports password as CONFIDENTIAL.
apiVersion: v1
kind: Pod
metadata:
  name: pod-secrets-via-env
spec:
  containers:
  - name: mycontainer
    image: redis
    env:
    - name: CONFIDENTIAL         # name of the environment variable inside the container
      valueFrom:
        secretKeyRef:
          name: super-secret     # Secret name
          key: password          # key in the Secret; its value becomes $CONFIDENTIAL
2) ClusterRole & ServiceAccount & RoleBinding problem
Problem
You have been asked to create a new ClusterRole for a deployment pipeline and bind it to a specific ServiceAccount scoped to a specific namespace.
Create a new ClusterRole named deployment-clusterrole, which only allows creating the following
resource types:
- Deployment
- StatefulSet
- DaemonSet
Create a new ServiceAccount named cicd-token in the existing namespace app-team1.
Bind the new ClusterRole deployment-clusterrole to the new ServiceAccount cicd-token, limited to the namespace app-team1.
Solution
- The task is to be completed on the cluster with 1 master and 2 worker nodes; switch to it with the connection command given in the question.
# create the ClusterRole (only the create verb; Deployment, StatefulSet and DaemonSet all live in the apps API group, kubectl resolves the names)
kubectl create clusterrole deployment-clusterrole --verb=create --resource=deployments,statefulsets,daemonsets
# create the ServiceAccount in the existing namespace
kubectl create serviceaccount cicd-token --namespace=app-team1
# create a RoleBinding (not a ClusterRoleBinding) that references the ClusterRole, so the permission applies only inside app-team1
kubectl create rolebinding deployment-clusterrole --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token --namespace=app-team1
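The three kubectl commands above hide the two details this task actually tests: the resources belong to the apps API group, and a RoleBinding that points at a ClusterRole is what keeps the grant namespace-scoped. The manifest below is an added example (not from the original notes) showing the declarative equivalent; all names come from the task, and the RoleBinding name reuses the ClusterRole name exactly as the kubectl command does.

```yaml
# Added example: declarative equivalent of the three kubectl commands.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deployment-clusterrole
rules:
- apiGroups: ["apps"]           # Deployment, StatefulSet, DaemonSet are all in the apps group
  resources: ["deployments", "statefulsets", "daemonsets"]
  verbs: ["create"]             # create only; no get/list/update/delete
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cicd-token
  namespace: app-team1
---
# A RoleBinding whose roleRef is a ClusterRole grants that ClusterRole's rules only
# within the binding's namespace. A ClusterRoleBinding here would grant them cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployment-clusterrole
  namespace: app-team1
subjects:
- kind: ServiceAccount
  name: cicd-token
  namespace: app-team1
roleRef:
  kind: ClusterRole
  name: deployment-clusterrole
  apiGroup: rbac.authorization.k8s.io
# Check the resulting scope from the ServiceAccount's point of view (impersonation):
#   kubectl auth can-i create deployments --as=system:serviceaccount:app-team1:cicd-token -n app-team1
#   kubectl auth can-i create deployments --as=system:serviceaccount:app-team1:cicd-token -n default
#   kubectl auth can-i delete deployments --as=system:serviceaccount:app-team1:cicd-token -n app-team1
```

With the binding in place the first check answers yes and the other two answer no: the grant is limited to app-team1 and to the create verb. If the second check ever answers yes, a ClusterRoleBinding was created by mistake.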
CSR
# Generate a private key and a CSR (Certificate Signing Request) for the user "myuser"
openssl genrsa -out myuser.key 2048
openssl req -new -key myuser.key -out myuser.csr -subj "/CN=myuser"
# The .csr file must first be submitted to the API server as a CertificateSigningRequest object
# (spec.request = base64 of myuser.csr, signerName kubernetes.io/kube-apiserver-client, usages: client auth).
# Approve by the name of that object, not by the file name (approving "myuser.csr" would fail with NotFound)
# kubectl certificate approve <certificate-signing-request-name>
kubectl certificate approve myuser
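The object that `kubectl certificate approve` acts on is never shown in the notes. Below is an added example (not from the original notes) of the CertificateSigningRequest manifest for the key and CSR generated above. The object name `myuser` and the `expirationSeconds` value are assumptions of this example; the base64 placeholder has to be filled in from the real `myuser.csr`.

```yaml
# Added example: the CertificateSigningRequest object approved with "kubectl certificate approve myuser".
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: myuser                                   # assumed object name; this is what "approve" takes
spec:
  # base64 of the PEM CSR on a single line:  base64 -w0 myuser.csr
  request: <base64-encoded contents of myuser.csr>
  # this signer issues API client certificates: the CN becomes the username, O entries become groups
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400                       # optional, assumed value; short-lived certs limit the damage of a leaked key
  usages:
  - client auth
# After approval, pull the issued certificate and wire it into kubeconfig:
#   kubectl get csr myuser -o jsonpath='{.status.certificate}' | base64 -d > myuser.crt
#   kubectl config set-credentials myuser --client-key=myuser.key --client-certificate=myuser.crt --embed-certs=true
# A request that should not be honoured is rejected with:  kubectl certificate deny myuser
```

A freshly approved certificate grants no permissions by itself; the user only gets access once a Role/RoleBinding (or ClusterRole/ClusterRoleBinding) names the certificate's CN as a subject, which is what the manifests that follow do.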
# Create a Role (namespace-scoped)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: <namespace>
  name: <role-name>
rules:
- apiGroups: [""]                  # core API group: pods, services
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: ["apps"]              # deployments are in the apps group, not the core group, so they need a separate rule
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
# Create a RoleBinding that grants the Role to the certificate user
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: <namespace>
  name: <rolebinding-name>
subjects:
- kind: User
  name: <user-name>                # must match the certificate CN, e.g. myuser
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: <role-name>
  apiGroup: rbac.authorization.k8s.io