

2023.05.30

★ A new user has joined. Create a CertificateSigningRequest object named akshay from the contents of the akshay.csr file so that this user can access the cluster.

-> Encode the CSR file as a single-line base64 value.

controlplane ~ ➜  cat akshay.csr | base64 -w 0
(base64 output omitted)
controlplane ~ ➜

-> Write a yaml file containing the encoded value and save it.

controlplane ~ ➜  vi akshay-csr.yaml

controlplane ~ ➜  cat akshay-csr.yaml 
---
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: akshay
spec:
  groups:
  - system:authenticated
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZqQ0NBVDRDQVFBd0VURVBNQTBHQTFVRUF3d0dZV3R6YUdGNU1JSUJJakFOQmdrcWhraUc5dzBCQVFFRgpBQU9DQVE4QU1JSUJDZ0tDQVFFQXcyeXNFaXUwKzJVMVhzbUtPMUx6WmE4ekp5ZlgxMXhNL3ZlZXVyYmtqcmpFCnNSSEhVei9zWTlRMXA2TUh1U2xjcUFSTU1OVnYvNU9EOUJnZmdlekxIZFluS0dnSGJubDVkZTdud2FsamRDU2UKZ0Z5Vmovamh0L210cFBlc1ZTcU1xRjh2U2dHS2ZoVTRrWG5Fc3BxeXQwREdIRTVQM3NaQ2Vua2cxU3NEajZmagpnK1pvRzUzKzZncnBRSmQzdm1XTDhIN0hhL2xBVXhEa3BRUW9kNGU5REdLeEVJVzFDSE5vcUFTaVRtdWo0d0lyCmRhSWJJMnVKSm1VWGdJN0dPRjd3MkdsZktjRG90VmVzSk5RcFNtVDFQT1JCRS9BQnVCZXY1eGFsVCt5aUNNWHQKWXY1MmZWSkVFN2c5bHZ2SnA2cjMrSTRSbG5iU2Fnek5xL0tiaXNBZDlRSURBUUFCb0FBd0RRWUpLb1pJaHZjTgpBUUVMQlFBRGdnRUJBRFQ4emt4STVPTDIrbHp2T1VsU085UkZ1SGJPMEtEbjhrZkFLdk5LcUxYSFN1VlgrZ2dpClNDNGl0a0pWRCtBVVVJbmhmY2gyU3V3V0I2OTV4bERlRHd1WW0rK0ExY1Ztc3V1VEs3cXVlRkhsaDFpUXR3cUwKTGE5NU4zcHZyUUcyWC9lazhEOC93T0Z4bDF3WDdXakJiWC92RnMzaFBQNzViZVJkbHVZUG13RnZ5UWhRK3lyYQp0SVEwWXdwUUxnQUJQV0VObEtFZUpWeHZxVGtwNHMzWXczVEZ3WThNdUxrSEU3MVFWaDhyZUlTQUVWUGxWdHUzCnhyZ0dOTzgwdDFDN2cxUEJEUWpqZWNEQnFuQm52RHhYNFF1a0xjalpzNHVVTzhubW1lZWdWZm5LQTl5UEcvbk4KdG92STRLRUwvUE5CbSt0UHYvclhqdzl1Zy9kbkQ3V2tkeEU9Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth

controlplane ~ ➜

-> Create the object from the saved yaml file.

controlplane ~ ➜  kubectl apply -f akshay-csr.yaml 
certificatesigningrequest.certificates.k8s.io/akshay created

controlplane ~ ➜
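The steps above (base64 -w 0, paste into a yaml file, kubectl apply) can be done in one shot. The following is an added example, not code from the original post: the function name make_csr_manifest and the sample PEM in the demo are constructed for illustration; the API fields are the real certificates.k8s.io/v1 ones.

```shell
#!/bin/sh
# Added example, not from the original post: builds the CertificateSigningRequest
# manifest that the transcript above assembles by hand (base64 -w 0, then vi).
# The function name make_csr_manifest and the sample PEM in the demo are constructed
# for illustration; the API fields are the real certificates.k8s.io/v1 ones.

# make_csr_manifest NAME CSR_FILE  ->  prints a CertificateSigningRequest manifest
make_csr_manifest() {
    name=$1
    csr_file=$2

    # Only a PEM "CERTIFICATE REQUEST" belongs in spec.request; refuse anything else
    # (a private key or a signed certificate pasted by mistake would fail later anyway).
    if ! grep -q '^-----BEGIN CERTIFICATE REQUEST-----' "$csr_file"; then
        echo "error: $csr_file does not contain a PEM certificate request" >&2
        return 1
    fi

    # spec.request is the whole PEM, base64-encoded on ONE line (hence -w 0).
    encoded=$(base64 -w 0 < "$csr_file")

    cat <<EOF
---
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $name
spec:
  request: $encoded
  signerName: kubernetes.io/kube-apiserver-client
  # expirationSeconds keeps the issued client certificate short-lived (here: one day).
  expirationSeconds: 86400
  usages:
  - client auth
EOF
}

# Demo with a constructed PEM body so the example runs offline.
sample=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' \
              'Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIENTUg==' \
              '-----END CERTIFICATE REQUEST-----' > "$sample"
make_csr_manifest akshay "$sample"
rm -f "$sample"

# Real use:  make_csr_manifest akshay akshay.csr | kubectl apply -f -
```

spec.groups and spec.username are not set here on purpose: the API server fills them from the identity that creates the CSR object, so listing system:authenticated as in the hand-written manifest above is not needed.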

 

 

★ What is the status of the newly created CertificateSigningRequest object?

-> Pending

controlplane ~ ➜  kubectl get csr
NAME        AGE    SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
akshay      118s   kubernetes.io/kube-apiserver-client           kubernetes-admin           <none>              Pending
csr-gwpnt   18m    kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued

controlplane ~ ➜

 

 

★ Approve the CSR.

controlplane ~ ➜  kubectl certificate approve akshay
certificatesigningrequest.certificates.k8s.io/akshay approved

controlplane ~ ➜ 
controlplane ~ ➜  kubectl get csr
NAME        AGE     SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
akshay      4m19s   kubernetes.io/kube-apiserver-client           kubernetes-admin           <none>              Approved,Issued
csr-gwpnt   20m     kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued

controlplane ~ ➜

 

 

★ A CSR approval request has come in. Which group is this CSR requesting access to?

-> Name: agent-smith

controlplane ~ ➜  kubectl get csr
NAME          AGE     SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
agent-smith   15s     kubernetes.io/kube-apiserver-client           agent-x                    <none>              Pending
akshay        5m35s   kubernetes.io/kube-apiserver-client           kubernetes-admin           <none>              Approved,Issued
csr-gwpnt     21m     kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued

controlplane ~ ➜

-> Group: system:masters

controlplane ~ ➜  kubectl get csr agent-smith -o yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  creationTimestamp: "2023-05-30T13:13:51Z"
  name: agent-smith
  resourceVersion: "2115"
  uid: b1aad5d7-ec17-468a-b157-b36bf328ed60
spec:
  groups:
  - system:masters
  - system:authenticated
  request: <base64-encoded CSR omitted>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - server auth
  username: agent-x
status: {}

controlplane ~ ➜
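Before approving, the request above should be read the way an approver would: a client certificate for a user in system:masters is cluster-admin regardless of RBAC, and Kubernetes has no way to revoke it. The following is an added example, not code from the original post: a check run over `kubectl get csr NAME -o yaml` output. The function names yaml_list and review_csr and the sample manifest in the demo are constructed; the sample copies the fields shown in the transcript.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-approval check run over
# "kubectl get csr NAME -o yaml" output, so that a request like agent-smith above
# (system:masters plus "server auth") is flagged instead of approved out of habit.
# The function names yaml_list/review_csr and the sample manifest in the demo are
# constructed; the sample copies the fields shown in the transcript.

# yaml_list FILE KEY  ->  prints the items of the list KEY under spec: (e.g. groups, usages)
yaml_list() {
    awk -v key="$2" '
        $0 ~ ("^  " key ":")  { in_list = 1; next }   # "  groups:" / "  usages:"
        in_list && /^  - /    { sub(/^  - /, ""); print; next }
        in_list               { in_list = 0 }         # first non-item line ends the list
    ' "$1"
}

# review_csr FILE  ->  prints findings; returns 0 if safe to approve, 1 if it should be denied
review_csr() {
    file=$1
    verdict=0
    signer=$(sed -n 's/^  signerName: //p' "$file")
    user=$(sed -n 's/^  username: //p' "$file")

    # 1. Groups: a client certificate carrying system:masters is cluster-admin regardless
    #    of RBAC and cannot be revoked short of rotating the CA. Never approve it casually.
    for g in $(yaml_list "$file" groups); do
        case "$g" in
            system:masters|system:nodes|system:kube-controller-manager|system:kube-scheduler)
                echo "DENY: $user requests privileged group $g"; verdict=1 ;;
        esac
    done

    # 2. Usages: kubernetes.io/kube-apiserver-client only issues client certificates.
    #    It requires "client auth" and allows at most digital signature / key encipherment;
    #    "server auth" is not a valid usage for this signer.
    if [ "$signer" = "kubernetes.io/kube-apiserver-client" ]; then
        has_client_auth=0
        for u in $(yaml_list "$file" usages | tr ' ' '_'); do
            case "$u" in
                client_auth) has_client_auth=1 ;;
                digital_signature|key_encipherment) ;;
                *) echo "DENY: usage '$(echo "$u" | tr '_' ' ')' is not valid for $signer"; verdict=1 ;;
            esac
        done
        if [ "$has_client_auth" -eq 0 ]; then
            echo "DENY: request for $signer lacks the required 'client auth' usage"; verdict=1
        fi
    fi

    if [ "$verdict" -eq 0 ]; then
        echo "OK: $user may be approved"
    fi
    return "$verdict"
}

# Demo: the agent-smith request from the transcript, rebuilt as a constructed sample.
sample=$(mktemp)
cat > "$sample" <<'EOF'
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: agent-smith
spec:
  groups:
  - system:masters
  - system:authenticated
  request: BASE64-CSR-OMITTED-IN-THIS-SAMPLE
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - server auth
  username: agent-x
status: {}
EOF
review_csr "$sample" || echo "-> kubectl certificate deny agent-smith"
rm -f "$sample"

# Real use:  kubectl get csr agent-smith -o yaml > /tmp/agent-smith.yaml && review_csr /tmp/agent-smith.yaml
```

The group check is the one that matters most: the CSR's CN and O fields become the user name and groups of whoever holds the key, so the groups list is the request for privilege, not metadata.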

 

 

★ Deny the CSR.

-> kubectl certificate deny agent-smith

controlplane ~ ➜  kubectl certificate deny agent-smith
certificatesigningrequest.certificates.k8s.io/agent-smith denied

controlplane ~ ➜  kubectl get csr
NAME          AGE     SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
agent-smith   6m21s   kubernetes.io/kube-apiserver-client           agent-x                    <none>              Denied
akshay        11m     kubernetes.io/kube-apiserver-client           kubernetes-admin           <none>              Approved,Issued
csr-gwpnt     27m     kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued

controlplane ~ ➜

 

 

★ Delete the CSR.

-> kubectl delete csr agent-smith

controlplane ~ ➜  kubectl delete csr agent-smith 
certificatesigningrequest.certificates.k8s.io "agent-smith" deleted

controlplane ~ ➜  kubectl get csr
NAME        AGE   SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
akshay      13m   kubernetes.io/kube-apiserver-client           kubernetes-admin           <none>              Approved,Issued
csr-gwpnt   29m   kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued

controlplane ~ ➜

Writing a YAML file that defines a Pod

# Write the YAML file for the pod
master@master:~$ cat jinsunginx.yaml 
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: jinsunginx
  name: jinsunginx
spec:
  containers:
  - name: nginx
    image: nginx
master@master:~$

 

 

Creating a Pod from the YAML file

# Create the Pod from the YAML file
master@master:~$ kubectl apply -f jinsunginx.yaml 
pod/jinsunginx created
master@master:~$


# Check the created Pod
master@master:~$ kubectl get pod jinsunginx -oyaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"labels":{"run":"jinsunginx"},"name":"jinsunginx","namespace":"default"},"spec":{"containers":[{"image":"nginx","name":"nginx"}]}}
  creationTimestamp: "2022-08-07T06:26:05Z"
  labels:
    run: jinsunginx
  name: jinsunginx
  namespace: default
  resourceVersion: "5061"
  selfLink: /api/v1/namespaces/default/pods/jinsunginx
  uid: 40941481-58b6-4684-8cce-7dd2dd84653b
spec:
  containers:
  - image: nginx
    imagePullPolicy: Always
    name: nginx
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-g8wm6
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  nodeName: master
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: default-token-g8wm6
    secret:
      defaultMode: 420
      secretName: default-token-g8wm6
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2022-08-07T06:26:05Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2022-08-07T06:26:09Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2022-08-07T06:26:09Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2022-08-07T06:26:05Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: docker://101279274be74990989e719696b2853cc3b5da4c382a78f4e738aa9bbb14f4e3
    image: nginx:latest
    imageID: docker-pullable://nginx@sha256:ecc068890de55a75f1a32cc8063e79f90f0b043d70c5fcf28f1713395a4b3d49
    lastState: {}
    name: nginx
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2022-08-07T06:26:09Z"
  hostIP: 192.168.0.201
  phase: Running
  podIP: 10.42.0.6
  podIPs:
  - ip: 10.42.0.6
  qosClass: BestEffort
  startTime: "2022-08-07T06:26:05Z"
master@master:~$

 

 

Generating a yaml file with the kubectl run command

  • The command generates the configuration for the resource but, instead of sending it to the kube-apiserver, prints it to stdout in YAML format.
kubectl run redis --image=redis --dry-run=client -o yaml > redis.yaml

cat redis.yaml

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: redis
  name: redis
spec:
  containers:
  - image: redis
    name: redis
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
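A dry-run manifest only contains what was asked for; everything else (securityContext: {}, resources: {}, the mounted default service-account token, the untagged image) is filled in by the cluster, as the kubectl get pod -o yaml output above shows. The following is an added example, not code from the original post: a small lint to run on such a manifest before kubectl apply. The function name lint_pod_manifest is constructed; the demo input is a copy of the redis.yaml shown above.

```shell
#!/bin/sh
# Added example, not from the original post: a quick lint for a manifest produced by
# "kubectl run ... --dry-run=client -o yaml" before it is applied. The function name
# lint_pod_manifest is constructed; the demo input is a copy of the redis.yaml in the post.

findings=0
warn() { echo "WARN: $1"; findings=$((findings + 1)); }

# lint_pod_manifest FILE  ->  prints one WARN per finding, returns the number of findings
lint_pod_manifest() {
    file=$1
    findings=0

    # An image without a tag or digest resolves to :latest and changes under you.
    # (A registry host:port without a tag would slip past this simple check.)
    for img in $(sed -n 's/^ *- *image: *//p; s/^ *image: *//p' "$file"); do
        case "$img" in
            *@sha256:*|*:*) ;;
            *) warn "image '$img' has no tag or digest (pulls :latest)" ;;
        esac
    done

    # A populated securityContext has nested keys, so its line ends right after the colon;
    # "securityContext: {}" or no securityContext at all means the image's defaults (often root).
    grep -q '^ *securityContext: *$' "$file" \
        || warn "no securityContext (consider runAsNonRoot: true, allowPrivilegeEscalation: false)"

    # The default service-account token is mounted into every pod unless this is set.
    grep -q 'automountServiceAccountToken: *false' "$file" \
        || warn "service-account token will be mounted; set automountServiceAccountToken: false if the pod does not use the API"

    # resources: {} means no limits, so one pod can starve the node.
    grep -q '^ *limits:' "$file" \
        || warn "no resource limits (resources: {})"

    return "$findings"
}

# Demo on the redis.yaml shown above (constructed copy so the example runs offline).
sample=$(mktemp)
cat > "$sample" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: redis
  name: redis
spec:
  containers:
  - image: redis
    name: redis
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
EOF
lint_pod_manifest "$sample" || echo "-> $? finding(s) to fix before kubectl apply -f redis.yaml"
rm -f "$sample"
```

Real use is `kubectl run redis --image=redis --dry-run=client -o yaml > redis.yaml && lint_pod_manifest redis.yaml`; the manifest is then edited by hand and applied.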

 

 

Creating a resource on the fly

# Create the resource immediately from a heredoc piped into kubectl apply
master@master:~$ cat << EOF | kubectl apply -f -
> apiVersion: v1
> kind: Pod
> metadata:
>   labels:
>     run: jinsunginx
>   name: jinsunginx
> spec:
>   containers:
>   - name: nginx
>     image: nginx
>     ports:
>     - containerPort: 80
> EOF
pod/jinsunginx created
master@master:~$

# Check the status
master@master:~$ kubectl get pod
NAME         READY   STATUS    RESTARTS   AGE
jinsunginx   1/1     Running   0          15s
master@master:~$ kubectl get pod jinsunginx -oyaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"labels":{"run":"jinsunginx"},"name":"jinsunginx","namespace":"default"},"spec":{"containers":[{"image":"nginx","name":"nginx","ports":[{"containerPort":80}]}]}}
  creationTimestamp: "2022-08-07T07:03:01Z"
  labels:
    run: jinsunginx
  name: jinsunginx
  namespace: default
  resourceVersion: "6649"
  selfLink: /api/v1/namespaces/default/pods/jinsunginx
  uid: fd90af8b-8d3d-40fb-bd3c-7ac553728cc5
spec:
  containers:
  - image: nginx
    imagePullPolicy: Always
    name: nginx
    ports:
    - containerPort: 80
      protocol: TCP
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-g8wm6
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  nodeName: master
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: default-token-g8wm6
    secret:
      defaultMode: 420
      secretName: default-token-g8wm6
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2022-08-07T07:03:01Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2022-08-07T07:03:06Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2022-08-07T07:03:06Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2022-08-07T07:03:01Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: docker://aeab365d5f8ea73911e2218105f0194825748ae244cd377a718e68d78cae7557
    image: nginx:latest
    imageID: docker-pullable://nginx@sha256:ecc068890de55a75f1a32cc8063e79f90f0b043d70c5fcf28f1713395a4b3d49
    lastState: {}
    name: nginx
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2022-08-07T07:03:05Z"
  hostIP: 192.168.0.201
  phase: Running
  podIP: 10.42.0.8
  podIPs:
  - ip: 10.42.0.8
  qosClass: BestEffort
  startTime: "2022-08-07T07:03:01Z"
master@master:~$