
Using Kubernetes audit logging to capture exec into containers

2023-10-25 01:13:55
Kubernetes provides native audit logging, which records external access to and operations on the Kubernetes API. It logs operations such as creating, modifying and deleting cluster resources, together with the user, timestamp and request information associated with each operation.
Because native auditing focuses on access to and operations on the Kubernetes API, it is able to audit exec operations against containers. The steps are as follows:
1. Define an audit policy, for example one whose scope is all operations on pods:
apiVersion: audit.k8s.io/v1 
kind: Policy
rules:
  - level: Request
    resources:
    - group: ""
      resources: ["pods/*"]
    verbs: ["*"]
2. Enable auditing on the API server
Set the two kube-apiserver startup parameters audit-policy-file and audit-log-path; the example below additionally sets log rotation and JSON output:
- --audit-policy-file=/root/audit/policy.yaml
- --audit-log-path=/var/log/pods.audit
- --audit-log-maxage=7
- --audit-log-maxbackup=4
- --audit-log-maxsize=10
- --audit-log-format=json
3. Restart kube-apiserver
4. Run a pod exec operation and observe the audit log output:
Example 1: run kubectl exec nginx-6947d66995-6wwm6 -it sh
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"c8259450-a7da-406b-ab93-8950dfabe4aa","stage":"RequestReceived","requestURI":"/api/v1/namespaces/default/pods/nginx-6947d66995-6wwm6/exec?command=sh\u0026container=nginx\u0026stdin=true\u0026stdout=true\u0026tty=true","verb":"create","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.59.115"],"userAgent":"kubectl/v1.27.4 (linux/amd64) kubernetes/fa3d799","objectRef":{"resource":"pods","namespace":"default","name":"nginx-6947d66995-6wwm6","apiVersion":"v1","subresource":"exec"},"requestReceivedTimestamp":"2023-08-02T09:53:52.632620Z","stageTimestamp":"2023-08-02T09:53:52.632620Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"c8259450-a7da-406b-ab93-8950dfabe4aa","stage":"ResponseStarted","requestURI":"/api/v1/namespaces/default/pods/nginx-6947d66995-6wwm6/exec?command=sh\u0026container=nginx\u0026stdin=true\u0026stdout=true\u0026tty=true","verb":"create","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.59.115"],"userAgent":"kubectl/v1.27.4 (linux/amd64) kubernetes/fa3d799","objectRef":{"resource":"pods","namespace":"default","name":"nginx-6947d66995-6wwm6","apiVersion":"v1","subresource":"exec"},"responseStatus":{"metadata":{},"code":101},"requestReceivedTimestamp":"2023-08-02T09:53:52.632620Z","stageTimestamp":"2023-08-02T09:53:52.651550Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"c8259450-a7da-406b-ab93-8950dfabe4aa","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods/nginx-6947d66995-6wwm6/exec?command=sh\u0026container=nginx\u0026stdin=true\u0026stdout=true\u0026tty=true","verb":"create","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.59.115"],"userAgent":"kubectl/v1.27.4 (linux/amd64) kubernetes/fa3d799","objectRef":{"resource":"pods","namespace":"default","name":"nginx-6947d66995-6wwm6","apiVersion":"v1","subresource":"exec"},"responseStatus":{"metadata":{},"code":101},"requestReceivedTimestamp":"2023-08-02T09:53:52.632620Z","stageTimestamp":"2023-08-02T09:54:37.965628Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}

Example 2: run kubectl exec nginx-6947d66995-6wwm6 -it -- mkdir /test

{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"3417527d-4ad3-4028-b6ad-5540c7076c48","stage":"RequestReceived","requestURI":"/api/v1/namespaces/default/pods/nginx-6947d66995-6wwm6/exec?command=mkdir\u0026command=%2Ftest\u0026container=nginx\u0026stdin=true\u0026stdout=true\u0026tty=true","verb":"create","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.59.115"],"userAgent":"kubectl/v1.27.4 (linux/amd64) kubernetes/fa3d799","objectRef":{"resource":"pods","namespace":"default","name":"nginx-6947d66995-6wwm6","apiVersion":"v1","subresource":"exec"},"requestReceivedTimestamp":"2023-08-02T09:43:26.965583Z","stageTimestamp":"2023-08-02T09:43:26.965583Z"}

The verification shows that native auditing only records the case where the command directly follows exec; commands run inside the container after exec -it bash are not recorded.
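As an added example (not part of the original post): a small Python parser for JSON audit lines of the kind shown above. It keeps only pods/exec requests, rebuilds the argv from the repeated command= query parameters in requestURI (decoding %2Ftest back to /test), deduplicates the three stages of one request by auditID, and flags exec requests that launch an interactive shell with a TTY, which is exactly the case the conclusion says the API server audit cannot follow any further. The sample log lines are constructed after the events in the post; the function names, the INTERACTIVE_SHELLS list and the record fields are my own choices, not a Kubernetes API.

```python
"""Parse kube-apiserver JSON audit lines and surface pod exec activity.

Added example, not code from the original post. Assumes one
audit.k8s.io/v1 Event per line, as produced by --audit-log-format=json.
"""
import json
from urllib.parse import parse_qs, urlparse

# Shells that, when launched with a TTY, open an interactive session.
# The API server audits only the launch; later keystrokes never reach it.
INTERACTIVE_SHELLS = {"sh", "bash", "ash", "dash", "zsh", "ksh"}

# Constructed sample modelled on the post's events: the interactive `sh`
# session (two of its stages), the one-shot `mkdir /test`, and an
# unrelated GET on the pod that the filter must ignore.
SAMPLE_AUDIT_LOG = r'''
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"c8259450-a7da-406b-ab93-8950dfabe4aa","stage":"RequestReceived","requestURI":"/api/v1/namespaces/default/pods/nginx-6947d66995-6wwm6/exec?command=sh\u0026container=nginx\u0026stdin=true\u0026stdout=true\u0026tty=true","verb":"create","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.59.115"],"objectRef":{"resource":"pods","namespace":"default","name":"nginx-6947d66995-6wwm6","apiVersion":"v1","subresource":"exec"},"requestReceivedTimestamp":"2023-08-02T09:53:52.632620Z","stageTimestamp":"2023-08-02T09:53:52.632620Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"c8259450-a7da-406b-ab93-8950dfabe4aa","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods/nginx-6947d66995-6wwm6/exec?command=sh\u0026container=nginx\u0026stdin=true\u0026stdout=true\u0026tty=true","verb":"create","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.59.115"],"objectRef":{"resource":"pods","namespace":"default","name":"nginx-6947d66995-6wwm6","apiVersion":"v1","subresource":"exec"},"responseStatus":{"metadata":{},"code":101},"requestReceivedTimestamp":"2023-08-02T09:53:52.632620Z","stageTimestamp":"2023-08-02T09:54:37.965628Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"3417527d-4ad3-4028-b6ad-5540c7076c48","stage":"RequestReceived","requestURI":"/api/v1/namespaces/default/pods/nginx-6947d66995-6wwm6/exec?command=mkdir\u0026command=%2Ftest\u0026container=nginx\u0026stdin=true\u0026stdout=true\u0026tty=true","verb":"create","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.59.115"],"objectRef":{"resource":"pods","namespace":"default","name":"nginx-6947d66995-6wwm6","apiVersion":"v1","subresource":"exec"},"requestReceivedTimestamp":"2023-08-02T09:43:26.965583Z","stageTimestamp":"2023-08-02T09:43:26.965583Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"00000000-0000-0000-0000-000000000000","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods/nginx-6947d66995-6wwm6","verb":"get","user":{"username":"kubernetes-admin","groups":["system:masters"]},"sourceIPs":["192.168.59.115"],"objectRef":{"resource":"pods","namespace":"default","name":"nginx-6947d66995-6wwm6","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-08-02T09:40:00.000000Z","stageTimestamp":"2023-08-02T09:40:00.001000Z"}
'''


def exec_command(request_uri):
    """Rebuild the argv sent to the exec subresource from the query string.

    Each repeated `command=` parameter is one argv element, in order;
    parse_qs also undoes percent-encoding (e.g. %2Ftest -> /test).
    """
    return parse_qs(urlparse(request_uri).query).get("command", [])


def uses_tty(request_uri):
    """True when the exec request asked for a TTY (tty=true)."""
    return parse_qs(urlparse(request_uri).query).get("tty", ["false"])[0] == "true"


def classify(argv, tty):
    """Label an exec request.

    'interactive-shell': a shell launched with a TTY and no -c payload; the
    audit trail ends at the launch, later commands are invisible here.
    'one-shot': the full command is in argv and therefore fully audited.
    """
    if tty and argv and argv[0].rsplit("/", 1)[-1] in INTERACTIVE_SHELLS:
        if "-c" not in argv[1:]:
            return "interactive-shell"
    return "one-shot"


def parse_audit_log(text):
    """Return one record per exec request, deduplicated by auditID.

    Later stages update earlier ones, so the authorization decision from
    ResponseComplete is kept when that stage is present.
    """
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or malformed line: skip, do not crash
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "pods" or ref.get("subresource") != "exec":
            continue
        uri = ev.get("requestURI", "")
        argv, tty = exec_command(uri), uses_tty(uri)
        rec = records.setdefault(ev["auditID"], {
            "auditID": ev["auditID"],
            "user": ev.get("user", {}).get("username"),
            "sourceIPs": ev.get("sourceIPs", []),
            "namespace": ref.get("namespace"),
            "pod": ref.get("name"),
            "command": argv,
            "tty": tty,
            "kind": classify(argv, tty),
            "decision": None,
            "received": ev.get("requestReceivedTimestamp"),
        })
        decision = ev.get("annotations", {}).get("authorization.k8s.io/decision")
        if decision:
            rec["decision"] = decision
    return list(records.values())


if __name__ == "__main__":
    for rec in parse_audit_log(SAMPLE_AUDIT_LOG):
        note = " (session contents not visible to API audit)" if rec["kind"] == "interactive-shell" else ""
        print(f'{rec["received"]} {rec["user"]}@{",".join(rec["sourceIPs"])} '
              f'{rec["namespace"]}/{rec["pod"]} {rec["kind"]} {rec["command"]} '
              f'decision={rec["decision"]}{note}')
```

Running it against a real log means feeding the contents of the --audit-log-path file to parse_audit_log. The interactive-shell label is the useful output for a defender: it marks the requests where the API server audit stops being a record of what was done in the container, so any further visibility has to come from inside the node or the container runtime rather than from this log.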

