Task weight: 3%
Use context: kubectl config use-context workload-prod
You received a list from the DevSecOps team which performed a security investigation of the k8s cluster1 (workload-prod). The list states the following about the apiserver setup:
- Accessible through a NodePort Service
Change the apiserver setup so that:
- Only accessible through a ClusterIP Service
译文
任务重量:3%。
使用环境: kubectl config use-context workload-prod
你收到一份来自DevSecOps团队的清单,该团队对k8s cluster1(workload-prod)进行了安全调查。该清单对apiserver的设置做了如下说明。
- 可通过 NodePort 访问
改变apiserver的设置,以便。
- 只能通过 ClusterIP Service 访问
解答
为了修改apiserver的参数,我们首先ssh进入主节点,检查apiserver进程的参数。
ssh cluster1-controlplane1ps aux | grep kube-apiserver #检查api-server
kubectl get svc #查看svc
cp /etc/kubernetes/manifests/kube-apiserver.yaml .
vim /etc/kubernetes/manifests/kube-apiserver.yaml#/etc/kubernetes/manifests/kube-apiserver.yaml
...
spec:
containers:
- command:
- kube-apiserver
- --advertise-address=192.168.100.11
- --allow-privileged=true
- --authorization-mode=Node,RBAC
- --client-ca-file=/etc/kubernetes/pki/ca.crt
- --enable-admission-plugins=NodeRestriction
- --enable-bootstrap-token-auth=true
- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
- --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
- --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
- --etcd-servers=https://127.0.0.1:2379
- --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
- --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
# - --kubernetes-service-node-port=31000 # 删除这一行或者设置为0
- --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
...删除旧的svc 自动新创建的svc则为clusterIP类型
kubectl delete svc kubernetes
kubectl get svc