1
Q
What questions are to be made about the kube-apiserver in terms of security?
A
- Who can access?
- What can they do?
2
Q
How is Authentication in kube-apiserver dealt with?
A
- Files: Username and PWs
- Files: Username and Tokens
- Certificates
- External Authentication providers - LDAP
- Service Accounts
3
Q
What Authorization mechanisms exists for kube-apiserver?
A
- Role-based access controls (RBAC) Authorization
- Attribute based access controls (ABAC)
- Node Authorization
- Webhook mode
4
Q
Where is TLS encryption used?
A
- between kube-apiserver and all other components
- like schedulers, controllers, Kubelet, kube-proxy, etcd
5
Q
How is user (admins, devs) access managed in Kubernetes?
A
- managed by kube-apiserver
- it authenticates request
- afterwards processes it
6
Q
What Auth-mechanisms can be configured for the kube-apiserver?
A
- static password file (username + pw)
- static token fole (username + token)
- certificates
- Identity Services (third party)
7
Q
How does static password file authentication work? (Basic)
A
- create a list of users and their password in a csv file
- source for user information
- parts: pw,username,userid
- optionally fourth column: group1
- the file can be passed as on option (–) to the kube-apiserver:
- –basic-auth-file=user-details.csv
- then the kube-apiserver needs to be restarted
8
Q
How can you authenticate yourself in a curl command?
A
with ‘-u “user1:password123”’
9
Q
How does Authentication with a static token file work?
A
- like with a static password file
- four parts:
- token,username,userid,group
10
Q
How can you pass a token-file to the kube-apiserver?
A
–token-auth-file=user-token-details.csv
11
Q
How do you authenticate while communicating with the kube-apiserver
A
in curl command:
‘–header “Authorization: Bearer < token>”’
CKAD Preparation
flashcards
Decks in class (35)
# Cards
-
Recap Core Concepts30
-
Configuration15
-
Config - ConfigMaps11
-
Config - Secrets13
-
Config - Security in Docker6
-
Config - Security Kontext8
-
Config - Service Accounts18
-
Config - Resource Requirements19
-
Config - Taints and Tolerations13
-
Config - Node Selectors4
-
Config - Node Affinity12
-
Multi-Container Pods13
-
Observability - Readiness Probes7
-
Observability - Liveness Probes5
-
Observability - Container Logging3
-
Observability - Monitor and Debug Applications7
-
POD Design - Labels, Selectors, Annotations7
-
POD Design - Rolling Updates & Rollbacks in Deployments4
-
POD Design - Deployment Strategies8
-
POD Design - Jobs and Cron Jobs17
-
S&N - Services and Ingress17
-
S&N Network Policies13
-
State Persistence - Volumes17
-
Optional - Storage Classes, StatefulSets13
-
Security - Authentication, Authorization, Admission Control11
-
Security - KubeConfig14
-
Security - API Groups7
-
Security Authorization11
-
Security - Role Based Access Control12
-
Security - Admission Controllers14
-
Security - API Versions13
-
Security - Custom Resource Definition & Custom Controllers11
-
Helm - Introduction and Concepts16
-
Testfragen3
-
Kustomize9
