Task weight: 4%

Use context: kubectl config use-context infra-prod

Namespace security contains five Secrets of type Opaque which can be considered highly confidential. The latest Incident-Prevention-Investigation revealed that ServiceAccount p.auster had too broad access to the cluster for some time. This SA should've never had access to any Secrets in that Namespace.

Find out which Secrets in Namespace security this SA did access by looking at the Audit Logs under /opt/course/18/audit.log.

Change the password to any new string of only those Secrets that were accessed by this SA.

You can use jq to render json more readable. cat data.json | jq


Translation

Task weight: 4%.

Use context: kubectl config use-context infra-prod

Namespace security contains five Secrets of type Opaque, which can be considered highly confidential. The latest incident-prevention investigation revealed that ServiceAccount p.auster had overly broad access to the cluster for some time. This SA should never have had access to any Secrets in that Namespace.

Find out which Secrets in Namespace security this SA actually accessed by looking at the audit logs under /opt/course/18/audit.log.

Change the password to any new string, but only for those Secrets that were accessed by this SA.

You can use jq to make the JSON more readable: cat data.json | jq


Solution
k -n security get secret | grep Opaque


grep 'p.auster' /opt/course/18/audit.log | grep Secret | wc -l
grep 'p.auster' /opt/course/18/audit.log | grep Secret | grep list | wc -l
grep 'p.auster' /opt/course/18/audit.log | grep Secret | grep get | wc -l
grep 'p.auster' /opt/course/18/audit.log | grep Secret | grep get | jq
{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "RequestResponse",
  "auditID": "74fd9e03-abea-4df1-b3d0-9cfeff9ad97a",
  "stage": "ResponseComplete",
  "requestURI": "/api/v1/namespaces/security/secrets/vault-token",
  "verb": "get",
  "user": {
    "username": "system:serviceaccount:security:p.auster",
    "uid": "29ecb107-c0e8-4f2d-816a-b16f4391999c",
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:security",
      "system:authenticated"
    ]
  },
...
  "userAgent": "curl/7.64.0",
  "objectRef": {
    "resource": "secrets",
    "namespace": "security",
    "name": "vault-token",
    "apiVersion": "v1"
  },
 ...
}
{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "RequestResponse",
  "auditID": "aed6caf9-5af0-4872-8f09-ad55974bb5e0",
  "stage": "ResponseComplete",
  "requestURI": "/api/v1/namespaces/security/secrets/mysql-admin",
  "verb": "get",
  "user": {
    "username": "system:serviceaccount:security:p.auster",
    "uid": "29ecb107-c0e8-4f2d-816a-b16f4391999c",
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:security",
      "system:authenticated"
    ]
  },
...
  "userAgent": "curl/7.64.0",
  "objectRef": {
    "resource": "secrets",
    "namespace": "security",
    "name": "mysql-admin",
    "apiVersion": "v1"
  },
...
}

We can see that the Secrets vault-token and mysql-admin were accessed by p.auster, so these are the passwords we need to change.
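The grep chain above answers the question for this log, but it counts every line that mentions the SA and "Secret", including requests that RBAC denied and events in the RequestReceived stage that have no response yet. The following is an added example (not part of the course material or the solution above) that parses audit.k8s.io/v1 events as JSON lines and keeps only successful reads of Secrets in the given Namespace by the given user; it also flags a successful list or watch of the whole secrets collection, which would mean every Secret in the Namespace must be rotated. The sample log embedded in it is constructed for the example and is not the content of /opt/course/18/audit.log.

```python
import json
import sys

# Username the API server records for the ServiceAccount named in the task.
SA_USER = "system:serviceaccount:security:p.auster"
NAMESPACE = "security"


def _event(verb, name, user=SA_USER, ns=NAMESPACE, code=200, stage="ResponseComplete"):
    """Build one audit.k8s.io/v1 event carrying only the fields this check reads (constructed)."""
    ref = {"resource": "secrets", "namespace": ns, "apiVersion": "v1"}
    if name:
        ref["name"] = name
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
          "verb": verb, "user": {"username": user}, "objectRef": ref}
    if stage == "ResponseComplete":
        ev["responseStatus"] = {"code": code}
    return ev


# Constructed sample log in JSON-lines form; NOT the real /opt/course/18/audit.log.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event("get", "vault-token", stage="RequestReceived"),            # no response yet
    _event("get", "vault-token"),                                      # successful read
    _event("get", "mysql-admin"),                                      # successful read
    _event("get", "ssh-key", code=403),                                # denied by RBAC
    _event("get", "db-ro", user="system:serviceaccount:security:backup"),  # another SA
    _event("list", None, ns="default"),                                # other Namespace
])


def parse_events(text):
    """Parse one JSON audit event per line; non-JSON lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def secrets_accessed(events, username, namespace):
    """Return (names, collection_exposed).

    names: Secret names the user successfully read with a get.
    collection_exposed: True if a successful list/watch of the whole secrets
    collection in the Namespace disclosed every Secret in it.
    """
    names = set()
    collection_exposed = False
    for ev in events:
        # Each request is logged twice (RequestReceived, ResponseComplete); only the
        # completed stage carries the response code and proves disclosure.
        if ev.get("stage") != "ResponseComplete":
            continue
        if (ev.get("user") or {}).get("username") != username:
            continue
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "secrets" or ref.get("namespace") != namespace:
            continue
        code = (ev.get("responseStatus") or {}).get("code", 0)
        if not 200 <= code < 300:
            continue  # 401/403 etc.: the request was refused, nothing was disclosed
        verb = ev.get("verb")
        if verb == "get" and ref.get("name"):
            names.add(ref["name"])
        elif verb in ("list", "watch") and not ref.get("name"):
            collection_exposed = True
    return names, collection_exposed


def main():
    # Pass a path to analyse a real log; without one the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    names, exposed = secrets_accessed(parse_events(text), SA_USER, NAMESPACE)
    if exposed:
        print(f"{SA_USER} listed all secrets in {NAMESPACE}: rotate every Secret")
    for name in sorted(names):
        print(f"rotate: kubectl -n {NAMESPACE} edit secret {name}")


if __name__ == "__main__":
    main()
```

Run it against the sample with `python3 audit_check.py` or against the real log with `python3 audit_check.py /opt/course/18/audit.log`. The output for the sample names only vault-token and mysql-admin: the denied get of ssh-key, the other SA's read and the list in another Namespace are all dropped, which a plain grep count would not do.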

# -n matters: without it the encoded value carries a trailing newline, and the stored password would be "new-vault-pass\n"
echo -n new-vault-pass | base64
#bmV3LXZhdWx0LXBhc3M=

echo -n new-mysql-pass | base64
#bmV3LW15c3FsLXBhc3M=

k -n security edit secret vault-token
k -n security edit secret mysql-admin