Table of contents

  • 1. Introduction
  • 2. Create sidecar proxy

1. Introduction





2. Create sidecar proxy

Task

root@master:~/cks/mTLS# k run app --image=bash --command -oyaml --dry-run=client > app.yaml -- sh -c 'ping baidu.com'
root@master:~/cks/mTLS# cat app.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: app
  name: app
spec:
  containers:
  - command:
    - sh
    - -c
    - ping baidu.com
    image: bash
    name: app
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
root@master:~/cks/mTLS# k -f app.yaml  create
pod/app created
root@master:~/cks/mTLS# k get pods -w
NAME   READY   STATUS              RESTARTS   AGE
app    0/1     ContainerCreating   0          14s
app    1/1     Running             0          23s
^C
root@master:~/cks/mTLS# k logs -f app
PING baidu.com (39.156.69.79): 56 data bytes
64 bytes from 39.156.69.79: seq=0 ttl=127 time=7.785 ms
64 bytes from 39.156.69.79: seq=1 ttl=127 time=7.526 ms
64 bytes from 39.156.69.79: seq=2 ttl=127 time=8.031 ms
64 bytes from 39.156.69.79: seq=3 ttl=127 time=8.429 ms
64 bytes from 39.156.69.79: seq=4 ttl=127 time=8.007 ms
64 bytes from 39.156.69.79: seq=5 ttl=127 time=7.250 ms
64 bytes from 39.156.69.79: seq=6 ttl=127 time=8.438 ms
64 bytes from 39.156.69.79: seq=7 ttl=127 time=7.412 ms
64 bytes from 39.156.69.79: seq=8 ttl=127 time=7.328 ms

set-capabilities-for-a-container

root@master:~/cks/securitytext# cat app.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: app
  name: app
spec:
  containers:
  - command:
    - sh
    - -c
    - sleep 1d
    image: busybox
    name: pod
    resources: {}
  - name: proxy
    image: ubuntu
    command:
    - sh
    - -c
    - 'apt-get update && apt-get install iptables -y && iptables -L && sleep 1d'
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
root@master:~/cks/securitytext# kubectl -f app.yaml delete --force --grace-period=0
warning: Immediate deletion does not wait for confirmation that the running resource has been terminated. The resource may continue to run on the cluster indefinitely.
pod "app" force deleted
root@master:~/cks/securitytext# k create -f app.yaml
pod/app created
root@master:~/cks/securitytext# k get pods
NAME   READY   STATUS    RESTARTS   AGE
app    2/2     Running   0          45s
root@master:~/cks/securitytext# k logs app -c proxy
Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [109 kB]
Get:2 http://archive.ubuntu.com/ubuntu focal InRelease [265 kB]
Get:3 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [21.7 kB]
Get:4 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [700 kB]
Get:5 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:6 http://archive.ubuntu.com/ubuntu focal-backports InRelease [101 kB]
Get:7 http://archive.ubuntu.com/ubuntu focal/multiverse amd64 Packages [177 kB]
Get:8 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [1275 kB]
Get:9 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [267 kB]
Get:10 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [817 kB]
Get:11 http://archive.ubuntu.com/ubuntu focal/restricted amd64 Packages [33.4 kB]
Get:12 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [11.3 MB]
root@master:~/cks/securitytext# k logs app -c proxy -f
Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [109 kB]
Get:2 http://archive.ubuntu.com/ubuntu focal InRelease [265 kB]
Get:3 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [21.7 kB]
Get:4 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [700 kB]
Get:5 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:6 http://archive.ubuntu.com/ubuntu focal-backports InRelease [101 kB]
Get:7 http://archive.ubuntu.com/ubuntu focal/multiverse amd64 Packages [177 kB]
Get:8 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [1275 kB]
Get:9 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [267 kB]
Get:10 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [817 kB]
Get:11 http://archive.ubuntu.com/ubuntu focal/restricted amd64 Packages [33.4 kB]
Get:12 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [11.3 MB]
Get:13 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [969 kB]
Get:14 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [1238 kB]
Get:15 http://archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [299 kB]
Get:16 http://archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [29.7 kB]
Get:17 http://archive.ubuntu.com/ubuntu focal-backports/universe amd64 Packages [4305 B]
Fetched 17.8 MB in 1min 27s (205 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  libip4tc2 libip6tc2 libmnl0 libnetfilter-conntrack3 libnfnetlink0 libnftnl11
  libxtables12 netbase
Suggested packages:
  firewalld kmod nftables
The following NEW packages will be installed:
  iptables libip4tc2 libip6tc2 libmnl0 libnetfilter-conntrack3 libnfnetlink0
  libnftnl11 libxtables12 netbase
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 595 kB of archives.
After this operation, 3490 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal/main amd64 libip4tc2 amd64 1.8.4-3ubuntu2 [18.8 kB]
Get:2 http://archive.ubuntu.com/ubuntu focal/main amd64 libmnl0 amd64 1.0.4-2 [12.3 kB]
Get:3 http://archive.ubuntu.com/ubuntu focal/main amd64 libxtables12 amd64 1.8.4-3ubuntu2 [28.4 kB]
Get:4 http://archive.ubuntu.com/ubuntu focal/main amd64 netbase all 6.1 [13.1 kB]
Get:5 http://archive.ubuntu.com/ubuntu focal/main amd64 libip6tc2 amd64 1.8.4-3ubuntu2 [19.2 kB]
Get:6 http://archive.ubuntu.com/ubuntu focal/main amd64 libnfnetlink0 amd64 1.0.1-3build1 [13.8 kB]
Get:7 http://archive.ubuntu.com/ubuntu focal/main amd64 libnetfilter-conntrack3 amd64 1.0.7-2 [41.4 kB]
Get:8 http://archive.ubuntu.com/ubuntu focal/main amd64 libnftnl11 amd64 1.1.5-1 [57.8 kB]
Get:9 http://archive.ubuntu.com/ubuntu focal/main amd64 iptables amd64 1.8.4-3ubuntu2 [390 kB]
debconf: delaying package configuration, since apt-utils is not installed
Fetched 595 kB in 3s (182 kB/s)
Selecting previously unselected package libip4tc2:amd64.
(Reading database ... 4121 files and directories currently installed.)
Preparing to unpack .../0-libip4tc2_1.8.4-3ubuntu2_amd64.deb ...
Unpacking libip4tc2:amd64 (1.8.4-3ubuntu2) ...
Selecting previously unselected package libmnl0:amd64.
Preparing to unpack .../1-libmnl0_1.0.4-2_amd64.deb ...
Unpacking libmnl0:amd64 (1.0.4-2) ...
Selecting previously unselected package libxtables12:amd64.
Preparing to unpack .../2-libxtables12_1.8.4-3ubuntu2_amd64.deb ...
Unpacking libxtables12:amd64 (1.8.4-3ubuntu2) ...
Selecting previously unselected package netbase.
Preparing to unpack .../3-netbase_6.1_all.deb ...
Unpacking netbase (6.1) ...
Selecting previously unselected package libip6tc2:amd64.
Preparing to unpack .../4-libip6tc2_1.8.4-3ubuntu2_amd64.deb ...
Unpacking libip6tc2:amd64 (1.8.4-3ubuntu2) ...
Selecting previously unselected package libnfnetlink0:amd64.
Preparing to unpack .../5-libnfnetlink0_1.0.1-3build1_amd64.deb ...
Unpacking libnfnetlink0:amd64 (1.0.1-3build1) ...
Selecting previously unselected package libnetfilter-conntrack3:amd64.
Preparing to unpack .../6-libnetfilter-conntrack3_1.0.7-2_amd64.deb ...
Unpacking libnetfilter-conntrack3:amd64 (1.0.7-2) ...
Selecting previously unselected package libnftnl11:amd64.
Preparing to unpack .../7-libnftnl11_1.1.5-1_amd64.deb ...
Unpacking libnftnl11:amd64 (1.1.5-1) ...
Selecting previously unselected package iptables.
Preparing to unpack .../8-iptables_1.8.4-3ubuntu2_amd64.deb ...
Unpacking iptables (1.8.4-3ubuntu2) ...
Setting up libip4tc2:amd64 (1.8.4-3ubuntu2) ...
Setting up libip6tc2:amd64 (1.8.4-3ubuntu2) ...
Setting up libmnl0:amd64 (1.0.4-2) ...
Setting up libxtables12:amd64 (1.8.4-3ubuntu2) ...
Setting up libnfnetlink0:amd64 (1.0.1-3build1) ...
Setting up netbase (6.1) ...
Setting up libnftnl11:amd64 (1.1.5-1) ...
Setting up libnetfilter-conntrack3:amd64 (1.0.7-2) ...
Setting up iptables (1.8.4-3ubuntu2) ...
update-alternatives: using /usr/sbin/iptables-legacy to provide /usr/sbin/iptables (iptables) in auto mode
update-alternatives: using /usr/sbin/ip6tables-legacy to provide /usr/sbin/ip6tables (ip6tables) in auto mode
update-alternatives: using /usr/sbin/arptables-nft to provide /usr/sbin/arptables (arptables) in auto mode
update-alternatives: using /usr/sbin/ebtables-nft to provide /usr/sbin/ebtables (ebtables) in auto mode
Processing triggers for libc-bin (2.31-0ubuntu9.2) ...
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
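
An added example, not part of the original post: a check over the Pod object that confirms NET_ADMIN is held only by the `proxy` sidecar and reports containers that keep the runtime's default capability set. The JSON is a constructed, trimmed form of the manifest above; the allow-list and the function name `audit_pod` are assumptions of this example.

```python
import json

# Constructed sample: the two-container Pod from this page, in the shape
# `kubectl get pod app -o json` returns (trimmed to the fields the check reads).
POD_JSON = """
{"kind": "Pod", "metadata": {"name": "app"},
 "spec": {"containers": [
   {"name": "pod", "image": "busybox", "command": ["sh", "-c", "sleep 1d"]},
   {"name": "proxy", "image": "ubuntu",
    "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}
 ]}}
"""

# Assumption for this example: only the sidecar named "proxy" may add NET_ADMIN.
ALLOWED = {"proxy": {"NET_ADMIN"}}


def audit_pod(pod, allowed=ALLOWED):
    """Return (container, finding) tuples for capability settings worth reviewing."""
    findings = []
    spec = pod["spec"]
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        name = c["name"]
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        added = {a.upper() for a in caps.get("add", [])}
        dropped = {d.upper() for d in caps.get("drop", [])}
        if sc.get("privileged"):
            findings.append((name, "privileged: true grants every capability"))
        # Anything added beyond the per-container allow-list is a finding.
        for cap in sorted(added - allowed.get(name, set())):
            findings.append((name, f"adds {cap}, not allowed for this container"))
        if "ALL" not in dropped:
            findings.append((name, "does not drop ALL default capabilities"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_pod(json.loads(POD_JSON)):
        print(f"{name}: {finding}")
```

Both containers of the page's Pod are reported only for keeping the default capability set; the `proxy` container relies on that set for its `apt-get` step at start-up, so dropping ALL there would need an image with iptables already installed.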
