Using Cert-Manager to encrypt communications
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kube-certs
  namespace: demo
spec:
  selector:
    matchLabels:
      app: kube-certs
  template:
    metadata:
      labels:
        app: kube-certs
    spec:
      terminationGracePeriodSeconds: 5
      containers:
        - name: server
          image: nginx
          imagePullPolicy: Always
          ports:
            - containerPort: 80
          env:
            - name: PORT
              value: "80"
---
apiVersion: v1
kind: Service
metadata:
  name: kube-certs
  namespace: demo
spec:
  selector:
    app: kube-certs
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 80
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: kubeissuer
  namespace: demo
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: qtkhajadevops@gmail.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: kubeissuer
    # Enable the HTTP-01 challenge provider
    solvers:
      - http01:
          ingress:
            class: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/issuer: kubeissuer
    cert-manager.io/issue-temporary-certificate: "true"
    acme.cert-manager.io/http01-edit-in-place: "true"
    # Deprecated form of spec.ingressClassName, kept for older controllers
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  name: kube-certs-ingress
  namespace: demo
spec:
  ingressClassName: nginx
  rules:
    - host: cert.qtaws.fun
      http:
        paths:
          - backend:
              service:
                name: kube-certs
                port:
                  number: 80
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - cert.qtaws.fun
      secretName: demo
```
- Refer Here for official docs
- To perform DNS Challenge with
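The Ingress above carries no Certificate of its own; cert-manager's ingress-shim reads the `cert-manager.io/issuer` annotation and each `spec.tls` entry and creates a Certificate from them. The script below is an added example (not code from the original post or from cert-manager) that reproduces that documented mapping offline and flags the mistakes that most often stall issuance: an issuer name that does not exist in the Ingress namespace, a TLS host with no matching rule, a missing `secretName`. The manifests are the page's Ingress and Issuer rebuilt as Python dicts; `BROKEN_INGRESS` and the `issuers` argument are constructed for the demonstration, and the returned certificate dict is a simplified view, not the real CRD shape.

```python
"""Derive the Certificate that cert-manager's ingress-shim requests from an
annotated Ingress and flag misconfigurations before the manifests are applied.
Added example, not part of the original post or of cert-manager itself; it
runs offline with the page's manifests expressed as Python dicts."""

ISSUER_ANNOTATION = "cert-manager.io/issuer"
CLUSTER_ISSUER_ANNOTATION = "cert-manager.io/cluster-issuer"

# The page's Ingress, reduced to the fields ingress-shim looks at.
PAGE_INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {
        "name": "kube-certs-ingress", "namespace": "demo",
        "annotations": {ISSUER_ANNOTATION: "kubeissuer",
                        "kubernetes.io/tls-acme": "true"}},
    "spec": {
        "ingressClassName": "nginx",
        "rules": [{"host": "cert.qtaws.fun", "http": {"paths": [
            {"path": "/", "pathType": "Prefix",
             "backend": {"service": {"name": "kube-certs", "port": {"number": 80}}}}]}}],
        "tls": [{"hosts": ["cert.qtaws.fun"], "secretName": "demo"}]},
}

# Constructed variant: issuer name misspelt and a tls host with no routing rule.
BROKEN_INGRESS = {
    "metadata": {"name": "kube-certs-ingress", "namespace": "demo",
                 "annotations": {ISSUER_ANNOTATION: "kube-issuer"}},
    "spec": {"rules": [{"host": "cert.qtaws.fun", "http": {"paths": []}}],
             "tls": [{"hosts": ["certs.qtaws.fun"], "secretName": "demo"}]},
}

# Issuers assumed to exist, as (namespace, name); the page creates exactly one.
EXISTING_ISSUERS = {("demo", "kubeissuer")}


def ingress_shim_certificates(ingress, issuers, cluster_issuers=frozenset()):
    """Return (certificates, problems).

    certificates: one dict per spec.tls entry, shaped like the Certificate
    ingress-shim creates (namespace, secretName, dnsNames, issuerRef).
    problems: reasons issuance would fail or not behave as intended."""
    meta = ingress.get("metadata", {})
    ns = meta.get("namespace", "default")
    ann = meta.get("annotations", {})
    spec = ingress.get("spec", {})
    certs, problems = [], []

    issuer = ann.get(ISSUER_ANNOTATION)
    cluster_issuer = ann.get(CLUSTER_ISSUER_ANNOTATION)
    if issuer and cluster_issuer:
        problems.append("both issuer and cluster-issuer annotations set; use exactly one")
    if not issuer and not cluster_issuer:
        problems.append("no cert-manager issuer annotation: ingress-shim ignores this Ingress")
        return certs, problems
    if issuer:
        # A namespaced Issuer must live in the Ingress's own namespace.
        issuer_ref = {"name": issuer, "kind": "Issuer"}
        if (ns, issuer) not in issuers:
            problems.append(f"Issuer {issuer!r} does not exist in namespace {ns!r}")
    else:
        issuer_ref = {"name": cluster_issuer, "kind": "ClusterIssuer"}
        if cluster_issuer not in cluster_issuers:
            problems.append(f"ClusterIssuer {cluster_issuer!r} does not exist")

    routed_hosts = {r["host"] for r in spec.get("rules", []) if r.get("host")}
    for tls in spec.get("tls", []):
        hosts = list(tls.get("hosts", []))
        secret = tls.get("secretName")
        if not secret or not hosts:
            problems.append(f"tls entry {tls} needs both secretName and hosts")
            continue
        for host in hosts:
            if host not in routed_hosts:
                problems.append(f"tls host {host!r} has no matching rule; requests for it "
                                "are not routed to the backend")
        # Each tls entry becomes one Certificate: hosts -> dnsNames, secretName kept.
        certs.append({"namespace": ns, "secretName": secret,
                      "dnsNames": hosts, "issuerRef": issuer_ref})
    return certs, problems


if __name__ == "__main__":
    for label, ing in (("page ingress", PAGE_INGRESS), ("broken ingress", BROKEN_INGRESS)):
        certs, problems = ingress_shim_certificates(ing, EXISTING_ISSUERS)
        print(label, "->", certs)
        for p in problems:
            print("  problem:", p)
```

Once the real manifests are applied, the same mapping can be confirmed in the cluster with `kubectl get certificate -n demo` and `kubectl describe certificate demo -n demo`; the Certificate's `Ready` condition and events show where an HTTP-01 challenge is stuck.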
Pod Security Admission
- Pod Security Admission Modes
  - enforce: violations cause the Pod to be rejected
  - audit: the Pod is created; violations are appended to the audit log
  - warn: the Pod is created; violations are shown as warnings on the console
- Pod Security Admission Levels
  - privileged: fully unrestricted policy
  - baseline: minimally restrictive policy that covers crucial standards
  - restricted: heavily restricted
- Refer Here for official docs
- Refer Here for labels
- Let's create a namespace enforcing the highest level of the security standards

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: psa-high
  labels:
    pod-security.kubernetes.io/enforce: restricted
```
- Let's create a Pod that runs with root credentials

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: busybox
  namespace: psa-high
spec:
  containers:
    - image: busybox
      name: busybox
      command: ["sh", "-c", "sleep 1d"]
```
- Apply it and observe the following error

- The same Pod with a securityContext that satisfies the restricted level is admitted:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: busybox
  namespace: psa-high
spec:
  containers:
    - image: busybox
      name: busybox
      command: ["sh", "-c", "sleep 1d"]
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        runAsNonRoot: true
        runAsUser: 2000
        runAsGroup: 3000
        seccompProfile:
          type: RuntimeDefault
```
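To see why the first busybox Pod is rejected and the second is admitted, the script below re-implements the checks the `restricted` level applies most often (privilege escalation, capabilities, non-root, seccomp, host namespaces) so a manifest can be screened before it reaches the API server. It is an added example, not code from the original post or from Kubernetes, and it covers the common subset of the standard rather than every rule; the two pods are the page's manifests rebuilt as Python dicts (constructed here so it runs without a cluster or PyYAML).

```python
"""Offline check of a Pod manifest against the Pod Security Standards
'restricted' level, the profile the psa-high namespace enforces.
Added example, not part of the original post or of Kubernetes; it mirrors
the most frequently hit rules, not the complete standard."""

# The page's root-running busybox Pod as a dict (constructed).
ROOT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "busybox", "namespace": "psa-high"},
    "spec": {"containers": [
        {"image": "busybox", "name": "busybox",
         "command": ["sh", "-c", "sleep 1d"]}]},
}

# The page's hardened busybox Pod as a dict (constructed).
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "busybox", "namespace": "psa-high"},
    "spec": {"containers": [
        {"image": "busybox", "name": "busybox",
         "command": ["sh", "-c", "sleep 1d"],
         "securityContext": {
             "allowPrivilegeEscalation": False,
             "capabilities": {"drop": ["ALL"]},
             "runAsNonRoot": True, "runAsUser": 2000, "runAsGroup": 3000,
             "seccompProfile": {"type": "RuntimeDefault"}}}]},
}

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def _all_containers(spec):
    """Admission evaluates init and ephemeral containers, not only spec.containers."""
    return (spec.get("containers", []) + spec.get("initContainers", [])
            + spec.get("ephemeralContainers", []))


def restricted_violations(pod):
    """Return human-readable violations of the 'restricted' level (empty list = admitted).

    Pod-level securityContext values apply to every container unless the
    container sets its own; the lookups below mirror that inheritance."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    found = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            found.append(f"spec.{flag} must be unset or false")
    for c in _all_containers(spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if sc.get("privileged"):
            found.append(f"{name}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{name}: allowPrivilegeEscalation must be set to false")
        if "ALL" not in caps.get("drop", []):
            found.append(f"{name}: capabilities.drop must include ALL")
        extra = [cap for cap in caps.get("add", []) if cap != "NET_BIND_SERVICE"]
        if extra:
            found.append(f"{name}: only NET_BIND_SERVICE may be added, got {extra}")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"{name}: runAsNonRoot must be true (pod or container level)")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            found.append(f"{name}: runAsUser 0 is not allowed")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            found.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return found


if __name__ == "__main__":
    for label, pod in (("root pod", ROOT_POD), ("hardened pod", HARDENED_POD)):
        problems = restricted_violations(pod)
        print(f"{label}: {'admitted' if not problems else 'rejected'}")
        for p in problems:
            print("  -", p)
```

Running it lists four violations for the root Pod (privilege escalation, capabilities, non-root, seccomp) and none for the hardened one, which matches what the admission controller enforces in `psa-high`. Against a live cluster, `kubectl apply --dry-run=server -f pod.yaml` gives the authoritative answer without creating the Pod.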

- Using Distroless Container Images: Refer Here
- Optimize containers for use in production
  - slimtoolkit: Refer Here. This optimizes and secures the container image by analysing your application and its dependencies
  - Dive: Refer Here. This is a tool for exploring the layers baked into a container image