Kubernetes CKS 2021【5】---Cluster Setup - Node Metadata

you的日常 2022-05-31 阅读 31


文章目录

  • 1. 介绍
  • 2. Practice: Access Node Metadata
  • 3. Practice: Protect Node Metadata via NetworkPolicy
  • Kubernetes安全专家认证 (CKS)考试动员
  • 云原生圣经

1. 介绍

Kubernetes CKS 2021【5】---Cluster Setup - Node Metadata_kubernetes
Kubernetes CKS 2021【5】---Cluster Setup - Node Metadata_bash_02
Kubernetes CKS 2021【5】---Cluster Setup - Node Metadata_.net_03

2. Practice: Access Node Metadata

Kubernetes CKS 2021【5】---Cluster Setup - Node Metadata_bash_04

参考链接:
https://cloud.google.com/compute/docs/storing-retrieving-metadata

# Query the GCE instance metadata server. The "Metadata-Flavor: Google" header
# is required; the server rejects requests that omit it. A pod on the node can
# reach this endpoint just like the node itself unless egress is restricted,
# which is what the NetworkPolicies in section 3 address.
# Lists the disks attached to the instance the request originates from.
curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/" -H "Metadata-Flavor: Google"

# Same query, narrowed to the first disk entry (index 0).
curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/0/" -H "Metadata-Flavor: Google"

root@master:~/clash# k run nginx --image=nginx
pod/nginx created
root@master:~/clash# k get pods
NAME READY STATUS RESTARTS AGE
backend 1/1 Running 0 43h
nginx 1/1 Running 0 22s
pod1 1/1 Running 0 20h
pod2 1/1 Running 0 20h
root@master:~/clash# k exec -ti nginx bash
root@nginx:/# curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/" -H "Metadata-Flavor: Google"

3. Practice: Protect Node Metadata via NetworkPolicy

root@master:~/cks/metadata# cat deny.yaml
# all pods in namespace cannot access metadata endpoint
#
# Default-deny for the cloud metadata service in the "default" namespace: every
# pod keeps unrestricted egress (0.0.0.0/0) except to the link-local metadata
# address 169.254.169.254. Enforcement depends on the cluster's CNI implementing
# NetworkPolicy (this page shows Calico annotations on the pod). NetworkPolicies
# are additive: another policy that selects a pod and allows egress to
# 169.254.169.254 (such as cloud-metadata-allow below) re-grants access for that
# pod. The curl in this page hangs once this policy exists, consistent with
# metadata.google.internal resolving to 169.254.169.254. Only IPv4 is covered;
# if the metadata service is also reachable over IPv6 in your environment, a
# matching IPv6 rule is needed — TODO confirm for your cloud.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cloud-metadata-deny
  namespace: default
spec:
  podSelector: {}          # empty selector: applies to every pod in the namespace
  policyTypes:
  - Egress                 # only egress is restricted; ingress is untouched
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0    # allow all destinations ...
        except:
        - 169.254.169.254/32   # ... except the metadata server address


root@master:~/cks/metadata# k create -f deny.yaml
networkpolicy.networking.k8s.io/cloud-metadata-deny created
root@master:~/clash# k exec -ti nginx bash
root@nginx:/# curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/" -H "Metadata-Flavor: Google" ## 卡住



root@master:~/cks/metadata# cat allow.yaml
# only pods with label are allowed to access metadata endpoint
#
# Grants egress to the metadata address for pods labelled role=metadata-accessor.
# Because policies are additive, such a pod gets the union of this rule and
# cloud-metadata-deny's "everything except metadata", i.e. full egress. The
# label is the whole access decision: anyone who can patch pod labels in this
# namespace (as `k label pod` does below) can grant a pod metadata access, so
# RBAC on pods in this namespace is part of the control. If this policy were
# applied without cloud-metadata-deny, a labelled pod's egress would be limited
# to 169.254.169.254 only (cluster DNS included) — presumably not intended; verify.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cloud-metadata-allow
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: metadata-accessor   # only pods carrying this label are selected
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 169.254.169.254/32   # the metadata server address only


root@master:~/cks/metadata# k create -f allow.yaml
networkpolicy.networking.k8s.io/cloud-metadata-allow created

root@master:~/cks/metadata# k label pod nginx role=metadata-accessor
pod/nginx labeled


root@master:~/cks/metadata# k get pods nginx --show-labels
NAME READY STATUS RESTARTS AGE LABELS
nginx 1/1 Running 0 10m role=metadata-accessor,run=nginx
root@master:~/clash# k exec -ti nginx bash
root@nginx:/# curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/" -H "Metadata-Flavor: Google" #正常访问

测试删除metadata中的role

root@master:~/cks/metadata# k edit pod nginx
metadata:
annotations:
cni.projectcalico.org/podIP: 192.168.104.31/32
creationTimestamp: "2021-04-22T03:17:45Z"
labels:
role: metadata-accessor #删除
run: nginx
name: nginx
namespace: default

root@master:~/clash# k exec -ti nginx bash
root@nginx:/# curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/" -H "Metadata-Flavor: Google" #卡住无法访问
