Completek8s Classroom notes 31/Oct/2023

Cert-Manager

  • Refer Here for cert-manager and Refer Here for the official docs
  • This is an add-on for k8s that automates the management of X.509 certificates
  • To secure communication we need TLS certificates, and managing these certificates manually is complex in a dynamic environment such as k8s.
  • Cert-Manager can help automate this process
  • What Cert-Manager can do
    • Automatic certificate issuance
    • Certificate renewal
    • Integration with Certificate Authorities: can integrate with a variety of certificate sources
      • External CA like Let’s Encrypt
      • Self-signed certificates
      • Private CA or enterprise solutions
      • Vault
  • Install Cert-Manager in the k8s cluster: Refer Here
  • To issue certificates we have two kinds of issuers
    • Issuer: works in a single namespace (only resources in that namespace can reference it)
    • ClusterIssuer: works cluster-wide
  • Refer Here for a sample ClusterIssuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Let's Encrypt staging: certificates are not browser-trusted, but rate limits are relaxed for testing
    email: qtkhajadevops@gmail.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the ACME account's private key.
      name: letsencrypt-staging
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx
  • Let's create an Ingress
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    # The issuer defined above is a ClusterIssuer, so it must be referenced with the
    # cluster-issuer annotation; cert-manager.io/issuer only looks for a namespaced
    # Issuer in this Ingress's namespace and would fail with "Issuer not found"
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
      - autoingress.com
      - www.autoingress.com
    secretName: autoingress-com-tls-secret
  rules:
  - host: autoingress.com
    http:
      paths:
      - path: /service1
        pathType: Prefix
        backend:
          service:
            name: service1
            port:
              number: 80
      - path: /service2
        pathType: Prefix
        backend:
          service:
            name: service2
            port:
              number: 80
  • To be fixed in next session
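The most common reason an annotated Ingress never gets its certificate is a mismatch between the annotation key and the kind of issuer that exists. The following is an added example, not code from the notes: a small offline lint over manifests constructed to mirror the ones above (the annotation keys are cert-manager's real ones; the issuer inventory and the Ingress dict are constructed) that flags a ClusterIssuer referenced through the namespaced key, a missing secretName, or no annotation at all.

```python
# Added example: lint for cert-manager ingress-shim annotations (not from the notes).
# Annotation keys are cert-manager's real ones; the inventories and Ingress are constructed.
import copy

ISSUER_KEY = "cert-manager.io/issuer"                  # namespaced Issuer
CLUSTER_ISSUER_KEY = "cert-manager.io/cluster-issuer"  # cluster-wide ClusterIssuer

def lint_ingress(ingress, cluster_issuers, issuers_by_ns):
    """Return findings that would stop cert-manager from issuing; an empty list means OK."""
    findings = []
    meta = ingress.get("metadata", {})
    ns = meta.get("namespace", "default")
    ann = meta.get("annotations", {})
    issuer, cluster_issuer = ann.get(ISSUER_KEY), ann.get(CLUSTER_ISSUER_KEY)
    if issuer and cluster_issuer:
        findings.append("both issuer annotations set: use exactly one")
    elif not issuer and not cluster_issuer:
        findings.append("no cert-manager annotation: no Certificate will be created")
    if issuer and issuer not in issuers_by_ns.get(ns, set()):
        msg = f"Issuer {issuer!r} not found in namespace {ns!r}"
        if issuer in cluster_issuers:  # the classic mistake: right name, wrong annotation key
            msg += f" (a ClusterIssuer of that name exists; use {CLUSTER_ISSUER_KEY})"
        findings.append(msg)
    if cluster_issuer and cluster_issuer not in cluster_issuers:
        findings.append(f"ClusterIssuer {cluster_issuer!r} not found")
    for tls in ingress.get("spec", {}).get("tls", []):
        if not tls.get("secretName"):
            findings.append("tls entry without secretName: nowhere to store the certificate")
        if not tls.get("hosts"):
            findings.append("tls entry without hosts: no DNS names to request")
    return findings

# Constructed inventory: only the ClusterIssuer from the notes exists, no namespaced Issuer.
CLUSTER_ISSUERS = {"letsencrypt-staging"}
ISSUERS_BY_NS = {"default": set()}
# Constructed Ingress mirroring the one above, but using the namespaced annotation key.
WRONG_KEY_INGRESS = {
    "metadata": {"name": "minimal-ingress",
                 "annotations": {ISSUER_KEY: "letsencrypt-staging"}},
    "spec": {"tls": [{"hosts": ["autoingress.com", "www.autoingress.com"],
                      "secretName": "autoingress-com-tls-secret"}]},
}

def fixed_copy(ingress):
    """Return a copy whose issuer annotation uses the cluster-issuer key instead."""
    fixed = copy.deepcopy(ingress)
    ann = fixed["metadata"]["annotations"]
    ann[CLUSTER_ISSUER_KEY] = ann.pop(ISSUER_KEY)
    return fixed
```

In a live cluster the same check can be fed from `kubectl get ingress,issuer,clusterissuer -A -o json`; cert-manager itself reports the failure as an event on the Certificate it creates, which is the first thing to inspect when no Secret appears.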

Scenario: A Kubernetes administrator can observe actions taken by an attacker

  • To do this activity we need behavior analysis tools. The popular ones are
  • Documentation: Refer Here

Exercise:

  • Find out what PodSecurityPolicy is.

By continuous learner

devops & cloud enthusiastic learner