1. A new member akshay joined our team. He requires access to our cluster. The Certificate Signing Request is at the /root location. Inspect it.
ls
This lists every file in the current directory, including akshay's CSR file.
2. Create a CertificateSigningRequest object with the name akshay with the contents of the akshay.csr file
As of kubernetes 1.19, the API to use for CSR is certificates.k8s.io/v1.
Please note that an additional field called signerName should also be added when creating CSR. For client authentication to the API server we will use the built-in signer kubernetes.io/kube-apiserver-client.
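- CSR akshay created
- Right CSR is used
: Whether or not this question is important, it seems worth studying once,
and since Googling does not turn up much material on it, I have written it up in detail.
cat akshay.csr | base64 | tr -d "\n"
The request field of the CSR object must contain the base64-encoded contents of the CSR file.
vi csr.yaml
- Create a YAML file.
- Build the YAML file by following the k8s docs at the URL below.
- As the question asks, set the name to akshay, and
put the base64 output of the cat command above into request under spec.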
https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
k apply -f csr.yaml
: Create the file and apply it, and that's it.
* Check the k8s docs first, rather than Googling first.
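Step 2 as a single shell function: this is an added example, not part of the original write-up or the lab. The function name make_csr_manifest is hypothetical, and the `usages: client auth` entry follows the Kubernetes documentation's example for this signer.

```shell
# Added example: build a CertificateSigningRequest manifest from a PEM CSR file.
# make_csr_manifest is a hypothetical helper name, not a kubectl feature.

# make_csr_manifest NAME CSR_FILE
# Prints a certificates.k8s.io/v1 manifest on stdout; non-zero exit on bad input.
make_csr_manifest() {
  mcm_name="${1:-}"
  mcm_file="${2:-}"

  if [ -z "$mcm_name" ] || [ ! -r "$mcm_file" ]; then
    echo "usage: make_csr_manifest NAME CSR_FILE" >&2
    return 2
  fi

  # Refuse anything that is not a PEM certificate request, for example a
  # private key passed by mistake, before it is copied into a manifest.
  if ! grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$mcm_file"; then
    echo "error: $mcm_file is not a PEM certificate request" >&2
    return 1
  fi

  # spec.request is the base64 of the whole PEM file, on a single line.
  mcm_request=$(base64 < "$mcm_file" | tr -d '\n')

  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${mcm_name}
spec:
  request: ${mcm_request}
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF
}

# Use in the lab (akshay.csr is the file from the exercise):
#   make_csr_manifest akshay /root/akshay.csr > csr.yaml
#   kubectl apply -f csr.yaml
```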
3. What is the Condition of the newly created Certificate Signing Request object?
k get csr
A) pending
4. Approve the CSR Request
- CSR Approved
kubectl certificate approve akshay
5. How many CSR requests are available on the cluster?
Including approved and pending
k get csr
A) 2
6. During a routine check you realized that there is a new CSR request in place. What is the name of this request?
k get csr
A) agent-smith
7. Hmmm.. You are not aware of a request coming in. What groups is this CSR requesting access to?
Check the details about the request. Preferably in YAML.
k get csr/agent-smith -o yaml
A) system:masters
8. That doesn't look very right. Reject that request. (It does not check out properly, so reject the request.)
- Request Denied
k certificate deny agent-smith
A) ok
9. Let's get rid of it. Delete the new CSR object
- CSR agent-smith deleted
k delete csr agent-smith
k get csr
A) ok