Complete k8s Classroom notes 31/Oct/2023

Cert-Manager

  • Refer Here for cert-manager and Refer Here for the official docs
  • cert-manager is an add-on for k8s that automates the management of X.509 certificates
  • To secure communication we need TLS certificates, and managing these certificates manually is hard in dynamic environments such as k8s, where workloads and endpoints come and go.
  • cert-manager automates this process (requesting, storing and renewing the certificates as Kubernetes Secrets)
  • What Cert-Manager can do
    • Automatic Certificate issuance
    • Certificate Renewal
    • Integration with Certificate Authorities: can integrate with a variety of certificate sources
      • External CA such as Let's Encrypt (via the ACME protocol)
      • Self-signed certificates
      • Private CA or enterprise solutions
      • Vault
  • Install cert-manager in the k8s cluster: Refer Here
  • To issue certificates we have two kinds of issuers
    • Issuer: namespaced, can only be referenced by Certificates in the same namespace
    • ClusterIssuer: cluster-wide, can be referenced from any namespace
  • Refer Here for a sample ClusterIssuer (this one uses the Let's Encrypt staging endpoint, which issues certificates that browsers do not trust; it is meant for testing without hitting production rate limits)
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: qtkhajadevops@gmail.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-staging
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx
  • Let's create an Ingress that asks cert-manager for a certificate
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    # the issuer above is a ClusterIssuer, so the cluster-issuer annotation is required;
    # cert-manager.io/issuer would look for a namespaced Issuer and fail with "issuer not found"
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
      - autoingress.com
      - www.autoingress.com
    secretName: autoingress-com-tls-secret
  rules:
  - host: autoingress.com
    http:
      paths:
      - path: /service1
        pathType: Prefix
        backend:
          service:
            name: service1
            port:
              number: 80
      - path: /service2
        pathType: Prefix
        backend:
          service:
            name: service2
            port:
              number: 80
  • To be fixed in next session
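The Ingress annotation above is the shortcut form: cert-manager's ingress-shim creates a Certificate resource behind the scenes. Writing that Certificate out by hand makes the Issuer/ClusterIssuer distinction and the renewal settings explicit. The manifests below are an added example, not part of the original notes or of the cert-manager project; the Issuer name `selfsigned-dev`, the Certificate name, the namespace and the duration/renewBefore values are assumptions chosen for illustration, while the secret name and host names are the ones the Ingress above already uses.

```yaml
# Added example (not from the original notes): a namespaced Issuer for
# comparison, plus an explicit Certificate that requests a cert from the
# ClusterIssuer "letsencrypt-staging" defined earlier on this page.
apiVersion: cert-manager.io/v1
kind: Issuer                # namespaced: only Certificates in "default" can reference it
metadata:
  name: selfsigned-dev      # assumed name
  namespace: default
spec:
  selfSigned: {}            # handy for local testing; not trusted by clients
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: autoingress-com     # assumed name
  namespace: default        # the TLS Secret is created in this namespace
spec:
  secretName: autoingress-com-tls-secret   # must match the Ingress tls.secretName
  dnsNames:
    - autoingress.com
    - www.autoingress.com
  duration: 2160h           # 90 days, the lifetime Let's Encrypt issues
  renewBefore: 720h         # renew 30 days before expiry (default is 1/3 of duration)
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always  # generate a new private key on every renewal
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer     # defaults to Issuer; must be set to reach a ClusterIssuer
    group: cert-manager.io
```

After `kubectl apply -f` on this file, `kubectl get certificate -n default` shows READY=True once the ACME HTTP01 challenge succeeds; if it stays False, `kubectl describe certificaterequest -n default` and `kubectl describe order -n default` show which challenge failed. To confirm what actually landed in the Secret, decode it and inspect the issuer and validity dates: `kubectl get secret autoingress-com-tls-secret -n default -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -issuer -dates`. With the staging endpoint the issuer will be a Let's Encrypt "(STAGING)" CA, so browsers will warn; switch the ClusterIssuer's `server` to the production directory only once the staging flow works.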

Scenario: A Kubernetes administrator can observe actions taken by an attacker

  • To do this activity we need runtime behavior analysis tools that watch what processes and syscalls happen inside the cluster. The popular ones are
  • Documentation: Refer Here

Exercise:

  • Find out what a PodSecurityPolicy is.


About continuous learner

devops & cloud enthusiastic learner