controlplane ~ ➜ kubectl get role
NAME CREATED AT
developer 2023-06-06T06:23:29Z
controlplane ~ ➜
controlplane ~ ➜ kubectl get rolebindings
NAME ROLE AGE
dev-user-binding Role/developer 63s
controlplane ~ ➜
★ You are trying to access the cluster with the current context set to research, but something seems wrong. Identify and fix the problem.
-> Listing pods fails because the user's client certificate cannot be read. The kubeconfig entry for dev-user points at /etc/kubernetes/pki/users/dev-user/developer-user.crt, which does not exist on disk; fix the client-certificate path in the kubeconfig so it refers to the certificate file that actually exists for dev-user (check the contents of /etc/kubernetes/pki/users/dev-user/ first), then retry kubectl get pods.
controlplane ~ ➜ kubectl get pods
error: unable to read client-cert /etc/kubernetes/pki/users/dev-user/developer-user.crt for dev-user due to open /etc/kubernetes/pki/users/dev-user/developer-user.crt: no such file or directory
controlplane ~ ✖
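The failure above is a kubeconfig whose credential entry references a file that is not there. The following added example (not part of the lab, not kubectl code) resolves a context to its cluster and user the way kubectl does and reports every file-backed credential that cannot be opened, so the problem is found before kubectl hits it. The kubeconfig is a constructed sample in the shape of `kubectl config view -o json`; the dev-user client-key filename in it is an assumption.

```python
import os
from typing import Callable, List, Optional

# Constructed sample kubeconfig (same shape as `kubectl config view -o json`).
# The dev-user entry deliberately references the missing certificate from the
# error above; its client-key filename is an assumption made for this example.
SAMPLE_KUBECONFIG = {
    "current-context": "research",
    "contexts": [
        {"name": "research",
         "context": {"cluster": "kubernetes", "user": "dev-user"}},
        {"name": "kubernetes-admin@kubernetes",
         "context": {"cluster": "kubernetes", "user": "kubernetes-admin"}},
    ],
    "clusters": [
        {"name": "kubernetes",
         "cluster": {"server": "https://controlplane:6443",
                     "certificate-authority": "/etc/kubernetes/pki/ca.crt"}},
    ],
    "users": [
        {"name": "dev-user",
         "user": {"client-certificate": "/etc/kubernetes/pki/users/dev-user/developer-user.crt",
                  "client-key": "/etc/kubernetes/pki/users/dev-user/dev-user.key"}},
        {"name": "kubernetes-admin",
         "user": {"client-certificate-data": "LS0tLS1...",   # inline base64: nothing on disk
                  "client-key-data": "LS0tLS1..."}},
    ],
}

# kubeconfig keys whose value is a path kubectl must be able to open
FILE_KEYS = ("certificate-authority", "client-certificate", "client-key", "token-file")


def _by_name(items: List[dict], name: str) -> dict:
    """Return the entry called `name` from a kubeconfig list (contexts/clusters/users)."""
    for item in items:
        if item.get("name") == name:
            return item
    raise KeyError(f"kubeconfig has no entry named {name!r}")


def missing_credential_files(cfg: dict, context: Optional[str] = None,
                             exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Resolve `context` (default: current-context) to its cluster and user and
    return "key: path" for every file-backed credential that cannot be found.
    `exists` is injectable so the check can be run against a fake filesystem."""
    ctx = _by_name(cfg["contexts"], context or cfg["current-context"])["context"]
    cluster = _by_name(cfg["clusters"], ctx["cluster"])["cluster"]
    user = _by_name(cfg["users"], ctx["user"])["user"]
    problems = []
    for section in (cluster, user):          # cluster CA first, then the user's files
        for key in FILE_KEYS:
            path = section.get(key)
            if path and not exists(path):
                problems.append(f"{key}: {path}")
    return problems


if __name__ == "__main__":
    for problem in missing_credential_files(SAMPLE_KUBECONFIG):
        print("missing credential file ->", problem)
```

Run it on the control plane and it names the exact entry to repair; an empty list for the admin context shows that inline `*-data` credentials need no file check.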
controlplane ~ ➜ openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8483000120492181273 (0x75b9abaa2b884719)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = kubernetes
Validity
Not Before: May 29 11:43:33 2023 GMT
Not After : May 28 11:43:33 2024 GMT
Subject: CN = kube-apiserver
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
...
★ What is the name of the CA that issued the kube-apiserver certificate?
-> Issuer: CN = kubernetes
★ What alternative names are configured on the kube-apiserver certificate?
-> DNS:controlplane, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:192.26.249.9 (the X509v3 Subject Alternative Name extension in the full output below)
controlplane ~ ➜ openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8483000120492181273 (0x75b9abaa2b884719)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = kubernetes
Validity
Not Before: May 29 11:43:33 2023 GMT
Not After : May 28 11:43:33 2024 GMT
Subject: CN = kube-apiserver
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:a3:2f:ff:75:ed:b2:38:74:01:f9:b1:41:51:aa:
f5:bb:9a:39:02:46:c2:5b:05:b1:0e:8f:75:9b:46:
18:a5:35:52:2f:2d:22:3b:fe:37:e3:ea:98:32:c5:
79:b4:2d:1b:f2:67:cd:f6:7d:4e:fa:e8:a0:69:b4:
4b:c8:25:46:20:4b:ad:69:dd:fa:63:56:b4:5c:4f:
ce:b7:28:bb:43:de:59:5f:c6:e7:c7:16:08:11:cf:
28:b2:4a:7f:20:74:3d:f4:53:6a:b6:33:37:25:98:
3e:a7:02:56:da:1b:75:7a:39:bd:0a:31:d5:26:cb:
30:8b:3d:bf:a5:58:48:8c:a8:5d:b4:eb:51:0d:72:
52:32:85:60:0d:56:2f:46:3c:65:90:4a:9b:a3:01:
b3:d9:01:b2:d9:ea:70:68:38:49:d5:1a:29:9f:52:
b8:54:72:71:0c:4a:88:4b:73:63:6f:05:a0:b6:23:
03:31:12:be:c3:cf:6c:b7:2b:e6:4e:50:a1:1b:7f:
ab:2a:ba:5f:92:16:3d:4c:ac:d8:02:11:78:8b:bf:
4e:43:3b:e5:0c:57:fb:6f:8a:81:ef:51:7e:a3:92:
2a:de:2b:96:ae:95:2e:dc:e3:97:ce:c7:af:8d:42:
67:2c:6a:3a:fa:fa:67:79:d2:14:52:47:eb:65:ca:
53:af
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:AB:7D:E2:A1:2C:F0:E0:27:53:52:72:D8:C9:46:76:09:F8:77:0D:63
X509v3 Subject Alternative Name:
DNS:controlplane, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:192.26.249.9
★ What is the CN configured on the etcd server certificate?
-> Subject: CN = controlplane
controlplane ~ ➜ openssl x509 -in /etc/kubernetes/pki/etcd/server.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 253720388574558331 (0x38565596142b87b)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = etcd-ca
Validity
Not Before: May 29 11:43:34 2023 GMT
Not After : May 28 11:43:34 2024 GMT
Subject: CN = controlplane
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
...
★ How long is the etcd server certificate valid from the date of issue?
-> 1 year (365 days: Not Before May 29 11:43:34 2023, Not After May 28 11:43:34 2024 in the output above)
★ How long is the root CA certificate valid from the date of issue?
-> 10 years. Note that the certificate inspected below is /etc/kubernetes/pki/ca.crt, the cluster root CA (Subject CN = kubernetes, Serial Number 0); it is not the etcd-ca that issued the etcd server certificate above, which kubeadm keeps separately at /etc/kubernetes/pki/etcd/ca.crt.
controlplane ~ ➜ openssl x509 -in /etc/kubernetes/pki/ca.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = kubernetes
Validity
Not Before: May 29 11:43:33 2023 GMT
Not After : May 26 11:43:33 2033 GMT
Subject: CN = kubernetes
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
...
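The questions above are all answered by reading fields out of `openssl x509 -text`. The following added example (not from the lab) turns that text into a record you can assert on and runs an expiry check across several certificates, which is how the "how long is it valid" answers become a monitoring check rather than a manual read. The two inputs are trimmed copies of the lab output shown above (modulus and key identifiers left out); the `now` dates in the usage are chosen for illustration.

```python
import re
from datetime import datetime
from typing import Dict, List, Union

# Constructed from the `openssl x509 -text` output shown above (fields not needed here are omitted).
APISERVER_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = kubernetes
        Validity
            Not Before: May 29 11:43:33 2023 GMT
            Not After : May 28 11:43:33 2024 GMT
        Subject: CN = kube-apiserver
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:controlplane, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:192.26.249.9
"""

ROOT_CA_TEXT = """\
Certificate:
    Data:
        Serial Number: 0 (0x0)
        Issuer: CN = kubernetes
        Validity
            Not Before: May 29 11:43:33 2023 GMT
            Not After : May 26 11:43:33 2033 GMT
        Subject: CN = kubernetes
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
"""

_DATE_FMT = "%b %d %H:%M:%S %Y GMT"   # openssl's default date rendering


def _field(text: str, label: str) -> str:
    """Value of a 'Label: value' line (also matches 'Not After : value')."""
    m = re.search(rf"^\s*{re.escape(label)}\s*:\s*(.+?)\s*$", text, re.M)
    if not m:
        raise ValueError(f"field {label!r} not found")
    return m.group(1)


def _cn(dn: str) -> str:
    """Pull the CN out of an RDN string such as 'CN = kubernetes'."""
    m = re.search(r"CN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else ""


def parse_cert_text(text: str) -> Dict:
    not_before = datetime.strptime(_field(text, "Not Before"), _DATE_FMT)
    not_after = datetime.strptime(_field(text, "Not After"), _DATE_FMT)
    san = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", text)
    return {
        "issuer_cn": _cn(_field(text, "Issuer")),
        "subject_cn": _cn(_field(text, "Subject")),
        "is_ca": "CA:TRUE" in text,
        "not_before": not_before,
        "not_after": not_after,
        "validity_days": (not_after - not_before).days,
        "sans": [s.strip() for s in san.group(1).split(",")] if san else [],
    }


def expiry_report(certs: Dict[str, str], now: Union[str, datetime],
                  warn_days: int = 30) -> List[str]:
    """One line per certificate that is expired or expires within warn_days of `now`
    (`now` may be a datetime or an ISO date string)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    report = []
    for name, text in certs.items():
        info = parse_cert_text(text)
        left = (info["not_after"] - now).days
        if left < 0:
            report.append(f"{name}: EXPIRED {-left} days ago (CN={info['subject_cn']})")
        elif left <= warn_days:
            report.append(f"{name}: expires in {left} days (CN={info['subject_cn']})")
    return report


if __name__ == "__main__":
    certs = {"apiserver": APISERVER_TEXT, "root-ca": ROOT_CA_TEXT}
    for name, text in certs.items():
        info = parse_cert_text(text)
        print(name, info["subject_cn"], "issued by", info["issuer_cn"],
              "valid", info["validity_days"], "days, SANs:", info["sans"])
    for line in expiry_report(certs, now="2024-05-01"):
        print(line)
```

The day counts make the lab's answers precise: kubeadm issues the apiserver and etcd certificates for 365 days and the CA for 3650 days, which is why a 1-year certificate issued on May 29 2023 ends on May 28 2024. Feed it `openssl x509 -in <file> -text -noout` output for every file under /etc/kubernetes/pki to get the same report for a real control plane.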
student-node ~ ➜ kubectl get nodes
NAME STATUS ROLES AGE VERSION
cluster1-controlplane Ready control-plane 39m v1.24.0
cluster1-node01 Ready <none> 39m v1.24.0
> Check the two nodes in cluster2
student-node ~ ➜ kubectl config use-context cluster2
Switched to context "cluster2".
student-node ~ ➜
student-node ~ ➜ kubectl get nodes
NAME STATUS ROLES AGE VERSION
cluster2-controlplane Ready control-plane 43m v1.24.0
cluster2-node01 Ready <none> 42m v1.24.0
student-node ~ ➜
★ There are multiple clusters. SSH into the nodes inside them.
student-node ~ ➜ kubectl get nodes
NAME STATUS ROLES AGE VERSION
cluster1-controlplane Ready control-plane 44m v1.24.0
cluster1-node01 Ready <none> 44m v1.24.0
student-node ~ ➜ ssh cluster1-controlplane
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 5.4.0-1105-gcp x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
cluster1-controlplane ~ ➜
cluster1-controlplane ~ ➜ logout
Connection to cluster1-controlplane closed.
student-node ~ ➜
student-node ~ ➜ kubectl get nodes
NAME STATUS ROLES AGE VERSION
cluster1-controlplane Ready control-plane 100m v1.24.0
cluster1-node01 Ready <none> 99m v1.24.0
student-node ~ ➜
> Log in to cluster1-controlplane.
student-node ~ ➜ ssh cluster1-controlplane
cluster1-controlplane ~ ➜
> Check whether etcd is running here (an etcd-<controlplane> static pod in kube-system means this cluster uses a stacked etcd on the control plane).
cluster1-controlplane ~ ➜ kubectl get pods -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-6d4b75cb6d-bfgs9 1/1 Running 0 100m
kube-system coredns-6d4b75cb6d-lftbq 1/1 Running 0 100m
kube-system etcd-cluster1-controlplane 1/1 Running 0 101m
kube-system kube-apiserver-cluster1-controlplane 1/1 Running 0 100m
kube-system kube-controller-manager-cluster1-controlplane 1/1 Running 0 100m
kube-system kube-proxy-45kft 1/1 Running 0 100m
kube-system kube-proxy-qmxkh 1/1 Running 0 100m
kube-system kube-scheduler-cluster1-controlplane 1/1 Running 0 100m
kube-system weave-net-fwvfd 2/2 Running 0 100m
kube-system weave-net-h9tg4 2/2 Running 1 (100m ago) 100m
cluster1-controlplane ~ ➜
student-node ~ ➜ ssh cluster2-controlplane
Last login: Sat May 27 11:31:10 2023 from 192.12.169.22
cluster2-controlplane ~ ➜
student-node ~ ➜ ssh 192.12.169.15
etcd-server ~ ➜
student-node ~ ➜ ssh 192.13.240.15
Last login: Sat May 27 12:20:19 2023 from 192.13.240.21
etcd-server ~ ➜
> Since the restore runs on etcd-server itself, use 127.0.0.1 as the endpoint, the default certificates, and /var/lib/etcd-data-new as the data directory.
controlplane ~ ➜ kubectl get nodes
NAME STATUS ROLES AGE VERSION
controlplane Ready control-plane 116m v1.25.0
node01 Ready <none> 116m v1.25.0
controlplane ~ ➜
★ You need to upgrade the cluster. Users accessing the applications must not be affected, and you cannot provision new VMs. Which method would you use?
-> Upgrade one node at a time: drain each worker so its workloads move to the remaining nodes, upgrade it, then bring it back before moving to the next.
★ What is the current latest stable version of Kubernetes?
-> v1.27.2 (the "remote version" that kubeadm upgrade plan reports below)
★ With the currently installed version of kubeadm, what is the latest version you can upgrade to?
-> v1.25.10: kubeadm v1.25.0 only plans targets within its own v1.25 series (it falls back to stable-1.25 even though v1.27.2 exists), and kubeadm itself has to be updated to v1.25.10 before kubeadm upgrade apply will run.
controlplane ~ ➜ kubeadm upgrade plan
[upgrade/config] Making sure the configuration is correct:
[upgrade/config] Reading configuration from the cluster...
[upgrade/config] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[preflight] Running pre-flight checks.
[upgrade] Running cluster health checks
[upgrade] Fetching available versions to upgrade to
[upgrade/versions] Cluster version: v1.25.0
[upgrade/versions] kubeadm version: v1.25.0
I0519 23:10:12.713401 17274 version.go:256] remote version is much newer: v1.27.2; falling back to: stable-1.25
[upgrade/versions] Target version: v1.25.10
[upgrade/versions] Latest version in the v1.25 series: v1.25.10
Components that must be upgraded manually after you have upgraded the control plane with 'kubeadm upgrade apply':
COMPONENT CURRENT TARGET
kubelet 2 x v1.25.0 v1.25.10
Upgrade to the latest version in the v1.25 series:
COMPONENT CURRENT TARGET
kube-apiserver v1.25.0 v1.25.10
kube-controller-manager v1.25.0 v1.25.10
kube-scheduler v1.25.0 v1.25.10
kube-proxy v1.25.0 v1.25.10
CoreDNS v1.9.3 v1.9.3
etcd 3.5.4-0 3.5.4-0
You can now apply the upgrade by executing the following command:
kubeadm upgrade apply v1.25.10
Note: Before you can perform this upgrade, you have to update kubeadm to v1.25.10.
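The plan output encodes two rules that are easy to get wrong when scripting upgrades: kubeadm only offers targets in its own minor series, so v1.25.0 fell back to stable-1.25 although v1.27.2 existed, and the kubeadm binary must already be at the target version before `kubeadm upgrade apply`. The following added example (not kubeadm code, not from the lab) turns those rules, plus the one-minor-at-a-time hop and the kubelet version-skew limit, into checks you can run before touching a node. The version strings are taken from the output above; the `max_lag` default is the two-minor kubelet skew allowed at v1.25 (widened to three in Kubernetes 1.28).

```python
import re
from typing import List, Tuple

Version = Tuple[int, int, int]


def parse_version(v: str) -> Version:
    """'v1.25.10' -> (1, 25, 10); the leading 'v' is optional."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"not a Kubernetes version: {v!r}")
    return tuple(int(x) for x in m.groups())   # type: ignore[return-value]


def kubeadm_can_apply(kubeadm: str, target: str) -> bool:
    """kubeadm must be in the target's minor series and at least the target patch,
    which is what the 'update kubeadm to v1.25.10' note above is enforcing."""
    k, t = parse_version(kubeadm), parse_version(target)
    return k[:2] == t[:2] and k[2] >= t[2]


def upgrade_hops(current: str, desired: str) -> List[str]:
    """Minor series that must be applied in order, one minor at a time.
    Intermediate hops are given as 'v1.N.x' because their patch level is whatever
    is latest in that series at the time (as 'kubeadm upgrade plan' reports it)."""
    cur, des = parse_version(current), parse_version(desired)
    if des < cur:
        raise ValueError("kubeadm does not downgrade")
    if cur[0] != des[0]:
        raise ValueError("major version changes are not an upgrade path")
    hops = [f"v{cur[0]}.{minor}.x" for minor in range(cur[1] + 1, des[1])]
    hops.append(f"v{des[0]}.{des[1]}.{des[2]}")
    return hops


def kubelet_skew_ok(apiserver: str, kubelet: str, max_lag: int = 2) -> bool:
    """A kubelet may never be newer than kube-apiserver and may lag at most max_lag
    minors, so control-plane components are upgraded before any node's kubelet."""
    a, k = parse_version(apiserver), parse_version(kubelet)
    return a[0] == k[0] and 0 <= a[1] - k[1] <= max_lag


if __name__ == "__main__":
    print("path v1.25.0 -> v1.27.2:", upgrade_hops("v1.25.0", "v1.27.2"))
    print("kubeadm v1.25.0 can apply v1.25.10:", kubeadm_can_apply("v1.25.0", "v1.25.10"))
    print("kubelet v1.26.0 against apiserver v1.25.0 ok:", kubelet_skew_ok("v1.25.0", "v1.26.0"))
```

For the cluster above the path is v1.26.x then v1.27.2, each hop requiring a matching kubeadm first; the skew check is what decides whether a worker's kubelet can be upgraded yet.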
controlplane ~ ➜ kubectl get nodes
NAME STATUS ROLES AGE VERSION
controlplane Ready control-plane 17m v1.26.0
node01 Ready <none> 17m v1.26.0
controlplane ~ ➜
★ Find the Deployments in the default namespace
controlplane ~ ➜ kubectl get deployments.apps --namespace default
NAME READY UP-TO-DATE AVAILABLE AGE
blue 3/3 3 3 33s
controlplane ~ ➜
★ node01 has to be taken out for node maintenance. Drain the application workloads off the node and mark it unschedulable.
The following NexG-UTM notes cover the firewall defaults and the settings used for IPsec.
(config)# security parameters
Setting to log dropped sessions while the firewall's default action is Drop
(config)# audit-default-dropped
Set the per-source-IP session limit for the firewall
(config)# session-limit 100000
NexG-UTM devices use Default Drop as the base policy, so explicit base rules are needed for any traffic that must get through
Local out: packets generated by the UTM device itself and sent out are all allowed
Open the ports used by the DHCP server (client source port 68 to server destination port 67)
(config)# ip rule 16
(config-ip-rule)# description DHCP Server
(config-ip-rule)# source any
(config-ip-rule)# destination any
(config-ip-rule)# protocol udp sport eq 68 dport eq 67
(config-ip-rule)# policy pass
(config-ip-rule)# log connections
(config-ip-rule)# enable
Open the protocol used by OSPF
(config)# ip rule 17
(config-ip-rule)# description Connect Local OSPF
(config-ip-rule)# source any
(config-ip-rule)# destination any
(config-ip-rule)# protocol ospfigp
(config-ip-rule)# inbound interface eth0
(config-ip-rule)# policy pass
(config-ip-rule)# enable
Object management
Network-list configuration
Network-list objects can be used in the source and destination fields of firewall rules and PBR.
(config)# network-list [network-list name] [ip address] description [name]
Create a host object for a single IP
(config)# network-list local 192.168.1.100/32 description Server-1
(config)# network-list local 192.168.1.200/32 description User-1
IP list covering .0 through .255 (the whole /24)
(config)# network-list server 10.10.10.0/24
IP list covering .1 through .10 (first address, last address)
(config)# network-list test 192.168.1.1 192.168.1.10
IP list covering .11 through .15
(config)# network-list test 192.168.1.11 192.168.1.15
When an object is modified, the rules that reference it are re-applied; there is no limit on the number of network-list objects.
Applying the created network-list objects in a rule
(config)# ip rule 100
(config-ip-rule)# source network-list test
(config-ip-rule)# source network-list local
(config-ip-rule)# destination network-list server
(config-ip-rule)# policy pass
(config-ip-rule)# enable
Service-list configuration
Any protocol can be selected, there is no limit on the number of objects, and several objects can be applied to one rule
service-list objects come with a set of built-in protocol names
If the protocol has no name, enter its protocol number instead
Example of creating service-list objects
(config)# service-list test icmp
(config)# service-list test tcp sport any dport eq 80 description http
(config)# service-list test udp sport any dport eq 53 description dns
Example of applying a service-list object
(config)# ip rule 100
(config-ip-rule)# source network-list local
(config-ip-rule)# destination network-list server
(config-ip-rule)# service-list test
(config-ip-rule)# policy pass
(config-ip-rule)# enable
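To see how the network-list, service-list and ip rule objects above compose under the Default Drop policy, here is an added example (not NexG-UTM software, not from the original notes) that models them in code and evaluates packets against rules 16, 17 and 100 exactly as written above. Two things in it are assumptions about the device, not facts from the notes: rules are evaluated in ascending number order with the first match winning, and `sport eq`/`dport eq` are exact port matches. The packets in the usage are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp", "ospfigp", ...
    sport: int = 0
    dport: int = 0
    in_iface: str = "eth0"


@dataclass
class Service:                      # one service-list entry, or an inline "protocol ..." clause
    proto: str
    sport: Optional[int] = None     # None means "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport))


@dataclass
class Rule:
    number: int
    sources: List[str] = field(default_factory=list)        # network-list names; empty = any
    destinations: List[str] = field(default_factory=list)
    services: List[Service] = field(default_factory=list)   # empty = any protocol
    inbound_interface: Optional[str] = None
    policy: str = "drop"
    enabled: bool = False


class Policy:
    """Object store plus rule evaluation; anything no rule passes is dropped (Default Drop)."""

    def __init__(self) -> None:
        self.network_lists: Dict[str, List[ipaddress.IPv4Network]] = {}
        self.service_lists: Dict[str, List[Service]] = {}
        self.rules: Dict[int, Rule] = {}

    # (config)# network-list NAME IP[/prefix]   -> host (/32) or CIDR member
    # (config)# network-list NAME FIRST LAST    -> inclusive address range
    def network_list(self, name: str, first: str, last: Optional[str] = None) -> None:
        members = self.network_lists.setdefault(name, [])
        if last is None:
            members.append(ipaddress.ip_network(first, strict=False))
        else:
            members.extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)))

    # (config)# service-list NAME PROTO [sport eq N] [dport eq N]
    def service_list(self, name: str, proto: str, sport: Optional[int] = None,
                     dport: Optional[int] = None) -> None:
        self.service_lists.setdefault(name, []).append(Service(proto, sport, dport))

    # (config)# ip rule N ... enable   (service_list= references an object by name)
    def ip_rule(self, number: int, service_list: Optional[str] = None, **fields) -> None:
        rule = Rule(number, **fields)
        if service_list:
            rule.services = self.service_lists[service_list]   # shared: object edits propagate
        self.rules[number] = rule

    def in_network_list(self, name: str, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.network_lists.get(name, []))

    def _matches(self, r: Rule, pkt: Packet) -> bool:
        return (r.enabled
                and (not r.sources or any(self.in_network_list(n, pkt.src) for n in r.sources))
                and (not r.destinations or any(self.in_network_list(n, pkt.dst) for n in r.destinations))
                and (r.inbound_interface is None or r.inbound_interface == pkt.in_iface)
                and (not r.services or any(s.matches(pkt) for s in r.services)))

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """First enabled rule in ascending number order decides (assumed ordering)."""
        for number in sorted(self.rules):
            if self._matches(self.rules[number], pkt):
                return self.rules[number].policy, number
        return "drop", None          # Default Drop


def policy_from_notes() -> Policy:
    """The objects and ip rules written in the notes above (rules 16, 17 and 100)."""
    p = Policy()
    p.network_list("local", "192.168.1.100/32")              # Server-1
    p.network_list("local", "192.168.1.200/32")              # User-1
    p.network_list("server", "10.10.10.0/24")
    p.network_list("test", "192.168.1.1", "192.168.1.10")
    p.network_list("test", "192.168.1.11", "192.168.1.15")
    p.service_list("test", "icmp")
    p.service_list("test", "tcp", dport=80)                  # http
    p.service_list("test", "udp", dport=53)                  # dns
    p.ip_rule(16, services=[Service("udp", 68, 67)], policy="pass", enabled=True)   # DHCP Server
    p.ip_rule(17, services=[Service("ospfigp")], inbound_interface="eth0",
              policy="pass", enabled=True)                                           # Connect Local OSPF
    p.ip_rule(100, sources=["test", "local"], destinations=["server"],
              service_list="test", policy="pass", enabled=True)
    return p


if __name__ == "__main__":
    p = policy_from_notes()
    for pkt in (Packet("192.168.1.5", "10.10.10.7", "tcp", 40000, 80),     # constructed
                Packet("192.168.1.5", "10.10.10.7", "tcp", 40000, 22),
                Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67)):
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, "=>", p.evaluate(pkt))
```

The SSH packet to the server network is dropped with no rule number because nothing passes it, which is the Default Drop behaviour the notes warn about: every required flow needs an explicit rule, and a host outside all network-list objects gets nothing at all.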