Task weight: 3%

Use context: kubectl config use-context workload-prod

You received a list from the DevSecOps team which performed a security investigation of the k8s cluster1 (workload-prod). The list states the following about the apiserver setup:

  • Accessible through a NodePort Service

Change the apiserver setup so that:

  • Only accessible through a ClusterIP Service

译文

任务重量:3%。

使用环境: kubectl config use-context workload-prod

你收到一份来自DevSecOps团队的清单,该团队对k8s cluster1(workload-prod)进行了安全调查。该清单对apiserver的设置做了如下说明。

  • 可通过 NodePort 访问

改变apiserver的设置,以便。

  • 只能通过 ClusterIP Service 访问

解答

为了修改apiserver的参数,我们首先ssh进入主节点,检查apiserver进程的参数。

ssh cluster1-controlplane1
ps aux | grep kube-apiserver  #检查api-server
kubectl get svc               #查看svc
cp /etc/kubernetes/manifests/kube-apiserver.yaml .
vim /etc/kubernetes/manifests/kube-apiserver.yaml
#/etc/kubernetes/manifests/kube-apiserver.yaml
...
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.168.100.11
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
#    - --kubernetes-service-node-port=31000   # 删除这一行或者设置为0
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
...

删除旧的svc 自动新创建的svc则为clusterIP类型

kubectl delete svc kubernetes
kubectl get svc

file