Kubernetes CKS 2021【5】---Cluster Setup - Node Metadata

Reader submission | 266 | 2022-09-10


Contents

1. Introduction
2. Practice: Access Node Metadata
3. Practice: Protect Node Metadata via NetworkPolicy


1. Introduction

Cloud VMs expose an instance metadata service on the link-local address 169.254.169.254. On GCE it answers requests that carry the header Metadata-Flavor: Google and serves instance attributes, including the access token of the service account attached to the node. By default a pod has the same network path to that address as the node itself, so a compromised workload (SSRF, RCE) can read node-level credentials that are usually far more privileged than the pod's own service account. The two exercises below first confirm that a plain pod can reach the endpoint, then restrict that access with NetworkPolicy.

2. Practice: Access Node Metadata

In the session below, k is an alias for kubectl. The metadata path that followed the host in the original curl commands was not preserved in this copy of the post and is shown as "...". The host is the link-local metadata address that the NetworkPolicy in section 3 names.

root@master:~/clash# k run nginx --image=nginx
pod/nginx created
root@master:~/clash# k get pods
NAME      READY   STATUS    RESTARTS   AGE
backend   1/1     Running   0          43h
nginx     1/1     Running   0          22s
pod1      1/1     Running   0          20h
pod2      1/1     Running   0          20h
root@master:~/clash# k exec -ti nginx bash
root@nginx:/# curl -H "Metadata-Flavor: Google" http://169.254.169.254/...

The request succeeds: with no NetworkPolicy in place, nothing stands between the pod and the metadata service. The Metadata-Flavor header exists to stop requests issued by browsers or through open redirects; it does not authenticate the caller and gives no protection against a pod running curl.

3. Practice: Protect Node Metadata via NetworkPolicy

deny.yaml selects every pod in the default namespace (an empty podSelector) and permits egress to any destination except the metadata address. The policy is namespaced: it has to be created in every namespace that should be protected.

root@master:~/cks/metadata# cat deny.yaml
# all pods in namespace cannot access metadata endpoint
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cloud-metadata-deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32
root@master:~/cks/metadata# k create -f deny.yaml
networkpolicy.networking.k8s.io/cloud-metadata-deny created
root@master:~/clash# k exec -ti nginx bash
root@nginx:/# curl -H "Metadata-Flavor: Google" http://169.254.169.254/...   # hangs: packets to the metadata address are now dropped

allow.yaml selects only pods labelled role=metadata-accessor and permits egress to the metadata address. Egress rules from every policy that selects a pod are combined (OR-ed), so a labelled pod is subject to both policies and can reach 169.254.169.254 as well as everything else, while unlabelled pods remain governed by deny.yaml alone.

root@master:~/cks/metadata# cat allow.yaml
# only pods with label are allowed to access metadata endpoint
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cloud-metadata-allow
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: metadata-accessor
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 169.254.169.254/32
root@master:~/cks/metadata# k create -f allow.yaml
networkpolicy.networking.k8s.io/cloud-metadata-allow created
root@master:~/cks/metadata# k label pod nginx role=metadata-accessor
pod/nginx labeled
root@master:~/cks/metadata# k get pods nginx --show-labels
NAME    READY   STATUS    RESTARTS   AGE   LABELS
nginx   1/1     Running   0          10m   role=metadata-accessor,run=nginx
root@master:~/clash# k exec -ti nginx bash
root@nginx:/# curl -H "Metadata-Flavor: Google" http://169.254.169.254/...   # succeeds

Test: remove the role label from the pod's metadata

root@master:~/cks/metadata# k edit pod nginx
metadata:
  annotations:
    cni.projectcalico.org/podIP: 192.168.104.31/32
  creationTimestamp: "2021-04-22T03:17:45Z"
  labels:
    role: metadata-accessor   # delete this line
    run: nginx
  name: nginx
  namespace: default
root@master:~/clash# k exec -ti nginx bash
root@nginx:/# curl -H "Metadata-Flavor: Google" http://169.254.169.254/...   # hangs, access blocked

As soon as the label is gone the pod is no longer selected by cloud-metadata-allow, so only cloud-metadata-deny applies and the request is dropped again. Pod labels are mutable, so anyone with patch rights on pods in the namespace can grant themselves metadata access this way; treat that RBAC permission accordingly.

Three practical caveats. NetworkPolicy is only enforced when the CNI plugin implements it (Calico here, as the cni.projectcalico.org/podIP annotation shows); on a CNI without policy support the objects are accepted by the API server but do nothing. Pod NetworkPolicy does not govern pods running with hostNetwork: true, which share the node's network namespace and reach the metadata service exactly as the node does. Finally, a denied request simply hangs because the packets are dropped, so test with curl --max-time 5 to get a quick, unambiguous failure instead of a stalled shell.
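The combination rules that let the labelled pod through while unlabelled pods stay blocked are easy to get wrong, so here is an added example (not code from the original post) that models NetworkPolicy egress evaluation for ipBlock rules and replays the page's sequence. The two policy dicts mirror deny.yaml and allow.yaml; the pod label sets and the 8.8.8.8 destination are constructed inputs; the names selects, ip_block_allows, egress_allowed and walkthrough are chosen here. It also checks two cases the page does not show: a labelled pod with only allow.yaml present, and a pod in a different namespace.

```python
"""Model of how the two egress NetworkPolicies combine (added example).

Not code from the original post. DENY_POLICY and ALLOW_POLICY mirror
deny.yaml and allow.yaml; pod labels and destinations are constructed inputs.
Only ipBlock peers without ports are modelled, which is all these manifests use.
"""
import ipaddress

METADATA_IP = "169.254.169.254"

# Mirrors deny.yaml: every pod in "default", egress anywhere except the metadata address.
DENY_POLICY = {
    "metadata": {"name": "cloud-metadata-deny", "namespace": "default"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Egress"],
        "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                        "except": ["169.254.169.254/32"]}}]}],
    },
}

# Mirrors allow.yaml: only role=metadata-accessor pods, egress to the metadata address only.
ALLOW_POLICY = {
    "metadata": {"name": "cloud-metadata-allow", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"role": "metadata-accessor"}},
        "policyTypes": ["Egress"],
        "egress": [{"to": [{"ipBlock": {"cidr": "169.254.169.254/32"}}]}],
    },
}


def selects(pod_selector, labels):
    """An empty podSelector matches every pod; every matchLabels entry must be present and equal."""
    return all(labels.get(k) == v for k, v in pod_selector.get("matchLabels", {}).items())


def ip_block_allows(ip_block, dst):
    """ipBlock semantics: destination inside cidr and not inside any 'except' range."""
    ip = ipaddress.ip_address(dst)
    if ip not in ipaddress.ip_network(ip_block["cidr"], strict=False):
        return False
    return not any(ip in ipaddress.ip_network(ex, strict=False)
                   for ex in ip_block.get("except", []))


def egress_allowed(policies, namespace, pod_labels, dst):
    """Return (allowed, reason) for a pod in `namespace` with `pod_labels` sending to `dst`.

    Kubernetes semantics: a pod selected by no Egress policy is unrestricted. Once any
    Egress policy selects it, traffic passes only if some rule of some selecting policy
    permits it; rules from different policies are OR-ed, never intersected.
    """
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == namespace
                 and "Egress" in p["spec"].get("policyTypes", [])
                 and selects(p["spec"].get("podSelector", {}), pod_labels)]
    if not selecting:
        return True, "no egress policy selects this pod; egress is unrestricted"
    for p in selecting:
        for rule in p["spec"].get("egress", []):
            if "to" not in rule:  # a rule without 'to' allows every destination
                return True, f"{p['metadata']['name']}: rule without 'to' allows all egress"
            for peer in rule["to"]:
                if "ipBlock" in peer and ip_block_allows(peer["ipBlock"], dst):
                    return True, f"{p['metadata']['name']} allows {dst}"
    names = ", ".join(p["metadata"]["name"] for p in selecting)
    return False, f"selected by {names} but no rule allows {dst}: dropped (curl hangs)"


def walkthrough():
    """Replay the page's sequence plus two extra cases; returns a step -> allowed mapping."""
    unlabelled = {"run": "nginx"}
    labelled = {"run": "nginx", "role": "metadata-accessor"}
    both = [DENY_POLICY, ALLOW_POLICY]
    return {
        "deny only, unlabelled -> metadata": egress_allowed([DENY_POLICY], "default", unlabelled, METADATA_IP)[0],
        "deny only, unlabelled -> internet": egress_allowed([DENY_POLICY], "default", unlabelled, "8.8.8.8")[0],
        "deny+allow, labelled -> metadata": egress_allowed(both, "default", labelled, METADATA_IP)[0],
        "deny+allow, labelled -> internet": egress_allowed(both, "default", labelled, "8.8.8.8")[0],
        "deny+allow, label removed -> metadata": egress_allowed(both, "default", unlabelled, METADATA_IP)[0],
        "allow only, labelled -> internet": egress_allowed([ALLOW_POLICY], "default", labelled, "8.8.8.8")[0],
        "deny+allow, other namespace -> metadata": egress_allowed(both, "kube-system", {}, METADATA_IP)[0],
    }


if __name__ == "__main__":
    for step, ok in walkthrough().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {step}")
```

Running it prints an ALLOW/DENY verdict per step. The "allow only" case is the trap: because allow.yaml has a single ipBlock rule, a pod it selects can reach nothing but 169.254.169.254, cluster DNS included, unless another policy (here deny.yaml) also selects it. The "other namespace" case is the reminder that both policies are scoped to default and leave every other namespace wide open.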
