[aws] EKS Hands On — Security

Hayley Shim 2023. 10. 29. 00:54

Hello. I wrote this post to share my notes from the AWS EKS hands-on (EKS Workshop) security modules.

Reference: https://www.eksworkshop.com/

PREREQUISITES

https://www.eksworkshop.com/020_prerequisites/

https://www.eksworkshop.com/030_eksctl/

Beginner

OS security hardening

  • Important from an operational standpoint
  • Container-to-host isolation with SELinux (using contexts)
  • AppArmor
  • Unix: chroot

Container image security

Image registry security

k8s user / service account

  • User account
  • Service account: application-level permission control

RBAC

  • Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise.

RBAC Hands-On Process

  1. INSTALL TEST PODS
  2. CREATE A USER
  3. MAP AN IAM USER TO K8S
  4. TEST THE NEW USER
  5. CREATE THE ROLE AND BINDING

$ cat << EoF > rbacuser-role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: rbac-test
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["list","get","watch"]
- apiGroups: ["extensions","apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
EoF

$ cat << EoF > rbacuser-role-binding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: rbac-test
subjects:
- kind: User
  name: rbac-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EoF

$ kubectl apply -f rbacuser-role.yaml
$ kubectl apply -f rbacuser-role-binding.yaml
$ kubectl get pods -n rbac-test

USING IAM GROUPS TO MANAGE KUBERNETES CLUSTER ACCESS

https://www.eksworkshop.com/beginner/091_iam-groups/

Hands-On Process

  1. CREATE IAM ROLES
  2. CREATE IAM GROUPS
  3. CREATE IAM USERS
  4. CONFIGURE KUBERNETES RBAC

$ cat << EOF | kubectl apply -f - -n development
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-role
rules:
  - apiGroups:
      - ""
      - "apps"
      - "batch"
      - "extensions"
    resources:
      - "configmaps"
      - "cronjobs"
      - "deployments"
      - "events"
      - "ingresses"
      - "jobs"
      - "pods"
      - "pods/attach"
      - "pods/exec"
      - "pods/log"
      - "pods/portforward"
      - "secrets"
      - "services"
    verbs:
      - "create"
      - "delete"
      - "describe"
      - "get"
      - "list"
      - "patch"
      - "update"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-role-binding
subjects:
- kind: User
  name: dev-user
roleRef:
  kind: Role
  name: dev-role
  apiGroup: rbac.authorization.k8s.io
EOF
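How the API server evaluates the pod-reader Role from step 5 above and the dev-role just applied, as an added example (not code from the workshop): it implements the RBAC rule-matching semantics over the two rule sets transcribed into Python dicts and reports which sensitive grants each Role actually confers. One thing it surfaces is that `describe` in dev-role is not an API verb (kubectl describe is served by get and list), so the API server never matches it.

```python
"""Evaluate Role rules the way the Kubernetes RBAC authorizer does.

Added example, not code from the workshop: the rule sets are the page's pod-reader
and dev-role YAML transcribed into dicts so the check runs without a cluster."""
# Verbs the API server evaluates; a verb outside this set is simply never matched
KNOWN_VERBS = {"get", "list", "watch", "create", "update", "patch", "delete", "deletecollection",
               "impersonate", "bind", "escalate", "use", "approve", "sign"}
# Grants that amount to code execution in the namespace or credential access
SENSITIVE = [("", "pods/exec", "create"), ("", "pods/attach", "create"),
             ("", "pods/portforward", "create"), ("", "secrets", "get"), ("", "secrets", "list")]

POD_READER = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "get", "watch"]},
    {"apiGroups": ["extensions", "apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "watch"]},
]
DEV_ROLE = [{
    "apiGroups": ["", "apps", "batch", "extensions"],
    "resources": ["configmaps", "cronjobs", "deployments", "events", "ingresses", "jobs", "pods",
                  "pods/attach", "pods/exec", "pods/log", "pods/portforward", "secrets", "services"],
    "verbs": ["create", "delete", "describe", "get", "list", "patch", "update"],
}]

def _resource_matches(rule_resources, resource):
    """'pods' never covers the subresource 'pods/exec'; '*', 'pods/exec' and '*/exec' do."""
    if "*" in rule_resources or resource in rule_resources:
        return True
    if "/" in resource:
        return "*/" + resource.split("/", 1)[1] in rule_resources
    return False

def rule_allows(rule, api_group, resource, verb):
    """One PolicyRule allows a request only if verb, apiGroup and resource all match
    (resourceNames are not modelled here)."""
    verbs, groups = rule.get("verbs", []), rule.get("apiGroups", [])
    return (("*" in verbs or verb in verbs) and ("*" in groups or api_group in groups)
            and _resource_matches(rule.get("resources", []), resource))

def role_allows(rules, api_group, resource, verb):
    """A Role allows the request if any of its rules does (rules are purely additive)."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)

def audit_role(rules):
    """List the sensitive grants a Role really confers and the verbs the API will ignore."""
    granted = [g for g in SENSITIVE if role_allows(rules, *g)]
    unknown = sorted({v for r in rules for v in r.get("verbs", [])} - KNOWN_VERBS)
    return {"sensitive": granted, "unknown_verbs": unknown}
```

Running `audit_role` over dev-role shows that a "developer" namespace role already hands out pods/exec, pods/portforward and secrets access, which is the kind of grant to review before mapping an IAM group to it.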

  5. CONFIGURE KUBERNETES ROLE ACCESS

  • The aws-auth ConfigMap in the kube-system namespace must be edited to add or remove IAM role ARNs and the Kubernetes groups they map to.
  • This ConfigMap is what maps an IAM role to Kubernetes RBAC rights.

$ eksctl create iamidentitymapping \
  --cluster eksworkshop-eksctl \
  --arn arn:aws:iam::${ACCOUNT_ID}:role/k8sDev \
  --username dev-user

$ eksctl create iamidentitymapping \
  --cluster eksworkshop-eksctl \
  --arn arn:aws:iam::${ACCOUNT_ID}:role/k8sInteg \
  --username integ-user

$ eksctl create iamidentitymapping \
  --cluster eksworkshop-eksctl \
  --arn arn:aws:iam::${ACCOUNT_ID}:role/k8sAdmin \
  --username admin \
  --group system:masters

>> In a production environment, rather than editing aws-auth by hand, use the eksctl command to link IAM roles to k8s RBAC permissions.
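A defender-side check on the resulting aws-auth ConfigMap, as an added example that is not part of the workshop: it parses the mapRoles block in the layout eksctl writes (feed it the output of `kubectl -n kube-system get cm aws-auth -o jsonpath='{.data.mapRoles}'`) and flags the mappings a reviewer wants to see, such as the k8sAdmin role landing in system:masters or two role ARNs sharing one Kubernetes username. The sample block and the account id 111122223333 are constructed placeholders.

```python
"""Audit the aws-auth mapRoles block that the eksctl commands above write.
Added example, not from the workshop: feed it the output of
kubectl -n kube-system get cm aws-auth -o jsonpath='{.data.mapRoles}'.
The sample below is constructed and 111122223333 is a placeholder account id."""
MAPROLES = """\
- groups:
  - system:bootstrappers
  - system:nodes
  rolearn: arn:aws:iam::111122223333:role/eksctl-nodegroup-NodeInstanceRole
  username: system:node:{{EC2PrivateDNSName}}
- rolearn: arn:aws:iam::111122223333:role/k8sDev
  username: dev-user
- groups:
  - system:masters
  rolearn: arn:aws:iam::111122223333:role/k8sAdmin
  username: admin
"""

def parse_map_roles(text):
    """Parse the aws-iam-authenticator layout: a list of flat maps whose only nested
    value is the 'groups' list. Deliberately not a general YAML parser."""
    entries, current, list_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line: continue
        if raw.startswith("- "):          # unindented dash: a new role mapping
            current, list_key = {}, None
            entries.append(current)
            line = line[2:]
        if line.startswith("- "):         # indented dash: item of the open list key
            current[list_key].append(line[2:].strip())
            continue
        key, _, value = (s.strip() for s in line.partition(":"))  # first colon only; ARNs have more
        if value:
            current[key] = value
        else:                             # 'groups:' with nothing after it opens a list
            list_key, current[key] = key, []
    return entries

def audit_map_roles(entries):
    findings, seen = [], {}
    for e in entries:
        arn, user = e.get("rolearn", "<no rolearn>"), e.get("username")
        if "system:masters" in e.get("groups", []):
            findings.append(f"{arn}: in system:masters (unrestricted cluster-admin, outside any Role you can review)")
        if user in seen and seen[user] != arn:   # same username means identical RBAC rights
            findings.append(f"{arn}: username {user} is already mapped from {seen[user]}")
        seen.setdefault(user, arn)
    return findings
```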

IAM Role for Service Account(IRSA)

https://www.eksworkshop.com/beginner/110_irsa/

  • Register the cluster's OIDC IdP -> create an IAM Role -> attach an IAM Policy -> create the K8s ServiceAccount -> add the role annotation to the ServiceAccount
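The IAM Role step of that chain is where IRSA is scoped, so here is an added example (not from the workshop) that validates a role's trust policy before the ServiceAccount is annotated with it; the OIDC provider id, account id and the ServiceAccount default/iam-test are constructed placeholders. It checks that the policy trusts only this cluster's OIDC provider, pins the `sub` claim to exactly one ServiceAccount, and requires `aud` = sts.amazonaws.com.

```python
"""Check an IRSA trust policy before annotating the ServiceAccount with the role ARN.

Added example, not from the workshop. The policy is constructed: the account id,
OIDC provider id and the ServiceAccount default/iam-test are placeholders."""
import json

OIDC_PROVIDER = "oidc.eks.ap-northeast-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC_PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC_PROVIDER}:sub": "system:serviceaccount:default:iam-test",
            f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com",
        }},
    }],
})

def check_irsa_trust(policy_json, namespace, sa_name):
    """Return the ways this policy lets something other than namespace/sa_name assume the role."""
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    problems = []
    for st in json.loads(policy_json)["Statement"]:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or not {"sts:AssumeRoleWithWebIdentity", "sts:*", "*"} & set(actions):
            continue
        federated = str(st.get("Principal", {}).get("Federated", ""))
        if not federated.endswith(":oidc-provider/" + OIDC_PROVIDER):
            problems.append(f"principal is not this cluster's OIDC provider: {federated}")
        cond = st.get("Condition", {})
        # The :sub claim is what ties the role to one ServiceAccount; a StringLike wildcard,
        # or no :sub condition at all, widens it to other pods in the cluster.
        sub = (cond.get("StringEquals", {}).get(OIDC_PROVIDER + ":sub")
               or cond.get("StringLike", {}).get(OIDC_PROVIDER + ":sub"))
        if sub is None:
            problems.append("no :sub condition: any ServiceAccount token from this cluster can assume the role")
        elif sub != expected_sub:
            problems.append(f"sub is not pinned to {expected_sub}: {sub}")
        # :aud keeps tokens minted for another audience from being used against STS
        if cond.get("StringEquals", {}).get(OIDC_PROVIDER + ":aud") != "sts.amazonaws.com":
            problems.append("missing aud=sts.amazonaws.com condition")
    return problems
```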

Security groups for pods

  1. SECURITY GROUPS CREATION
  2. RDS CREATION
  3. CNI CONFIGURATION

$ kubectl -n kube-system set env daemonset aws-node ENABLE_POD_ENI=true
# wait for the rolling update of the daemonset
$ kubectl -n kube-system rollout status ds aws-node
$ kubectl get nodes \
    --selector eks.amazonaws.com/nodegroup=nodegroup-sec-group \
    --show-labels
NAME                                                STATUS   ROLES    AGE   VERSION                LABELS
ip-192-168-30-147.ap-northeast-2.compute.internal   Ready    <none>   19m   v1.21.14-eks-ba74326   alpha.eksctl.io/cluster-name=eksworkshop-eksctl,alpha.eksctl.io/nodegroup-name=nodegroup-sec-group,beta.kubernetes.io/arch=amd64,beta.kubernetes.io/instance-type=m5.large,beta.kubernetes.io/os=linux,eks.amazonaws.com/capacityType=ON_DEMAND,eks.amazonaws.com/nodegroup-image=ami-02b2a87a86751ca3c,eks.amazonaws.com/nodegroup=nodegroup-sec-group,eks.amazonaws.com/sourceLaunchTemplateId=lt-01e0f989c6bd90fff,eks.amazonaws.com/sourceLaunchTemplateVersion=1,failure-domain.beta.kubernetes.io/region=ap-northeast-2,failure-domain.beta.kubernetes.io/zone=ap-northeast-2a,k8s.io/cloud-provider-aws=a94967527effcefb5f5829f529c0a1b9,kubernetes.io/arch=amd64,kubernetes.io/hostname=ip-192-168-30-147.ap-northeast-2.compute.internal,kubernetes.io/os=linux,node.kubernetes.io/instance-type=m5.large,topology.kubernetes.io/region=ap-northeast-2,topology.kubernetes.io/zone=ap-northeast-2a,vpc.amazonaws.com/has-trunk-attached=true

  4. SECURITYGROUP POLICY
  5. PODS DEPLOYMENTS

blog migration project

written in 2022.10.4

https://medium.com/techblog-hayleyshim/aws-eks-security-56b3761b534a