#1 Creating a certificate for John:

$ openssl genrsa -out john.key 2048
$ openssl req -new -key john.key -subj "/CN=john/O=developers" -out john.csr

#2 Create the CertificateSigningRequest.

cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: john
spec:
  groups:
  - system:authenticated
  request: $(cat john.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  usages…

Functions of admission controllers:

  • Help us implement better security measures.
  • Perform additional operations before the pods get created.
  • Validate configuration.

Admission controllers limit requests to create, delete, modify or connect to (proxy). They do not support read requests.

How do I turn on an admission controller?

The Kubernetes API server flag --enable-admission-plugins takes a comma-delimited list of admission…

Seccomp stands for secure computing mode.

It is a Linux kernel mechanism to restrict the system calls that a process may make.

  • Reduces the attack surface of the kernel.
  • A key component for building application sandboxes.

In the current digital era, every service is going online: e-commerce sites, banking, payments and many other similar services. Security has become a primary concern, so it is important to secure online sites with the best security practices. …

# Download the binary from the Internet using the curl utility:
$ curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.4.0/kube-bench_0.4.0_linux_amd64.tar.gz -o kube-bench_0.4.0_linux_amd64.tar.gz
# Extract the tar file:
$ tar -xvf kube-bench_0.4.0_linux_amd64.tar.gz
# sed: search for a regex and replace it in place (every match on every line):
$ sed -i 's/SEARCH_REGEX/REPLACEMENT/g' <InputFile>
# To make the pattern match case insensitive, use the I flag (GNU sed):
$ sed -i 's/me/you/gI' <Inputfile.txt>
# To find and replace a string that contains the delimiter character (/), use a backslash (\) to escape each slash:
$ sed -i 's/\/bin\/bash/\/usr\/bin\/zsh/g' <Inputfile.txt>
K8s Security

Security is always a primary concern for any organization, as a compromise can cause heavy damage or loss. Not only does it damage the organization's brand and values, it also loses customer trust. Therefore, securing systems is always given the highest priority: implementing best practices, placing proper shields (tools), and remediating critical vulnerabilities or system loopholes in time, in a proactive manner.

As we all know, Kubernetes has become the de facto tool for container orchestration. Kubernetes is a complex tool, and securing the environment requires considering its different layers and components, be it Kubernetes' own components, the OS infrastructure, the network layer or the cloud provider.

Some of the important vi editor commands.

#1 To perform a global search and replace in vi, use the search and replace command in command mode:

:%s/search_string/replacement_string/g

The % is a shortcut that tells vi to search all lines of the file for search_string and change it to replacement_string. The global (g) flag at the end of the command tells vi to continue searching for other occurrences of search_string on the same line.

Kubernetes clusters are accessed by applications, processes or normal human users. Kubernetes does not have a built-in function to create or manage users. User authentication is managed using certificates, so for any user to access the Kubernetes cluster, a certificate needs to be created.

How do normal users get access to a Kubernetes cluster?

For a normal user to be able to authenticate and invoke the API:
1. The user must have a certificate issued by the Kubernetes cluster.
2. Then present that certificate to the Kubernetes API.
# Create a private key:
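The two-step procedure above (key and CSR with openssl, then a CertificateSigningRequest object for the API server) is easy to get wrong at the YAML indentation and base64 steps. The following shell script is an added example, not code from the original posts: it builds the manifest for a user from an existing PEM CSR file so the result can be inspected before it is piped into kubectl. The function names build_csr_manifest and csr_is_pem are this example's own; the expirationSeconds value of 86400 (one day) is an assumed, deliberately short lifetime.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes john.key / john.csr were
# produced with the openssl commands shown above; function names are hypothetical.

# Emit a CertificateSigningRequest manifest for user $1 from PEM CSR file $2.
build_csr_manifest() {
  csr_name="$1"
  csr_file="$2"
  # base64 -w0 is GNU-only; tr -d '\n' keeps this portable to BSD/macOS base64.
  encoded=$(base64 < "$csr_file" | tr -d '\n')
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${csr_name}
spec:
  groups:
  - system:authenticated
  request: ${encoded}
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400
  usages:
  - client auth
EOF
}

# Sanity check before submitting: the file must be a PEM certificate request,
# not a key or a certificate that was passed by mistake.
csr_is_pem() {
  head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE REQUEST-----$'
}

# Usage with the files created above:
#   csr_is_pem john.csr && build_csr_manifest john john.csr | kubectl apply -f -
```

Once the object exists, a cluster administrator approves it with `kubectl certificate approve john`, and the signed certificate can be read back from `.status.certificate` of the CSR object (base64-encoded, like the request). The client-auth usage and the kube-apiserver-client signer are what make the resulting certificate usable for API authentication; the O=developers field in the subject becomes the user's group for RBAC purposes.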

As discussed for RBAC authorization mode, Role and RoleBinding are namespaced, meaning they are created within a namespace; if none is specified, they are created in the default namespace.

Generally, namespaces help in grouping and isolating resources such as Pods, Deployments, Services and ReplicaSets. However, there are…

Khemnath chauhan

Stay hungry; Stay Foolish!!
