Cert-Manager
Refer Here for cert-manager and Refer Here for the official docs.
Cert-Manager is a Kubernetes add-on that automates the management of X.509 certificates.
Securing communication needs TLS certificates, and managing those certificates by hand is hard in a dynamic environment such as k8s, where workloads and endpoints come and go. Cert-Manager automates issuance and renewal so that certificates are never left expired or hand-copied between namespaces.
What Cert-Manager can do
Automatic Certificate issuance
Certificate Renewal
Integration with Certificate Authorities: can integrate with a variety of certificate sources
External CA like Let’s Encrypt
Self Signed Certificates
Private CA or enterprise solutions
Vault
Install Cert-Manager in the k8s cluster: Refer Here
To issue certificates we have two kinds of issuers
Issuer: Works in a single namespace
ClusterIssuer: Works cluster-wide
Refer Here for a sample ClusterIssuer. An Ingress selects a ClusterIssuer with the cert-manager.io/cluster-issuer annotation; the cert-manager.io/issuer annotation selects a namespaced Issuer instead.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: qtkhajadevops@gmail.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-staging
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
      - http01:
          ingress:
            class: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    # letsencrypt-staging is a ClusterIssuer, so the cluster-issuer annotation is required;
    # cert-manager.io/issuer would look for a namespaced Issuer of that name and never issue.
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - autoingress.com
        - www.autoingress.com
      # cert-manager writes the issued key pair into this Secret
      secretName: autoingress-com-tls-secret
  rules:
    - host: autoingress.com
      http:
        paths:
          - path: /service1
            pathType: Prefix
            backend:
              service:
                name: service1
                port:
                  number: 80
          - path: /service2
            pathType: Prefix
            backend:
              service:
                name: service2
                port:
                  number: 80
To be fixed in next session
Scenario: A Kubernetes administrator can observe actions taken by an attacker.
To do this activity we need behaviour analysis tools. The popular ones are
Documentation: Refer Here
Exercise:
Find out what PodSecurityPolicy is.