
Learning Kubernetes Is Not About Becoming a YAML Engineer

Kyle Bai
August 01, 2020


Transcript

  1. @k2r2bai About Me 白凱仁 (Kyle Bai)
    • Site Reliability Engineer at AMIS/MaiCoin
    • Co-organizer of Cloud Native Taiwan User Group.
    • Interested in emerging technologies.
    • Contributor to multiple OSS.
    • Top 3 Kubernetes contributor in Taiwan
    kairen k2r2bai.com https://k8s.devstats.cncf.io
  2. @k2r2bai Kubernetes
    • Container orchestration
    • Self-healing
    • Horizontal scaling
    • Service discovery and Load balancing
    • Automated rollouts and rollbacks
    • Secrets and configuration management
    • Storage orchestration
  7. @k2r2bai
    $ cat <<EOF > pod.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: test-pod
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /test-pd
          name: test-volume
        ports:
        - containerPort: 80
      volumes:
      - name: test-volume
        hostPath:
          path: /data
          type: Directory
    EOF
    $ kubectl apply -f pod.yaml
    $ kubectl expose pod test-pod --port 80 --type LoadBalancer
    $ curl <IP>:<port>
    curl: (7) Failed to connect to <IP> port <port>: Network is unreachable
    P.S. Although the person concerned agreed to this being posted, they still need to be protected.
  11. @k2r2bai
    $ cat <<EOF > pod.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: test-pod
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /test-pd
          name: test-volume
        ports:
        - containerPort: 80
      volumes:
      - name: test-volume
        hostPath:
          path: /data
          type: Directory
    EOF
    $ kubectl apply -f pod.yaml
    $ kubectl expose pod test-pod --port 80 --type LoadBalancer
    $ curl <IP>:<port>
    curl: (7) Failed to connect to <IP> port <port>: Network is unreachable
    $ kubectl logs -f test-pod
    $ kubectl exec -ti test-pod sh
    $ kubectl port-forward service/test-pod 80:8080
    #CannotFindTheProblem #JustLikeLove
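An added checker, not from the deck, that audits the slide's pod.yaml the way the later "misconfigured workloads" slides suggest a reviewer should before running kubectl apply: it flags the hostPath volume, the missing securityContext and resource limits, and the untagged image, and it reports whether the final port-forward target (8080) is a port the pod actually declares. The manifest is the deck's pod.yaml written by hand as a Python dict so no YAML parser is needed; audit_pod and exposed_ports are hypothetical helper names, not kubectl or Kubernetes API calls.

```python
# Added example, not from the deck. SLIDE_POD is the slide's pod.yaml as a
# hand-constructed dict; audit_pod/exposed_ports are hypothetical helpers.

SLIDE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "test-pod"},
    "spec": {
        "containers": [{
            "image": "k8s.gcr.io/test-webserver",
            "name": "test-container",
            "volumeMounts": [{"mountPath": "/test-pd", "name": "test-volume"}],
            "ports": [{"containerPort": 80}],
        }],
        "volumes": [{"name": "test-volume",
                     "hostPath": {"path": "/data", "type": "Directory"}}],
    },
}


def audit_pod(manifest):
    """Return (severity, message) findings a reviewer should see before apply."""
    findings = []
    spec = manifest.get("spec", {})
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:  # the pod can read/write the node's filesystem
            findings.append(("high", f"volume {vol['name']} mounts host path "
                             f"{vol['hostPath'].get('path')} from the node"))
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(("high", f"container {c['name']} is privileged"))
        if not sc.get("runAsNonRoot"):
            findings.append(("medium", f"container {c['name']} may run as root "
                             "(runAsNonRoot not set)"))
        if not c.get("resources", {}).get("limits"):
            findings.append(("medium", f"container {c['name']} has no resource "
                             "limits (unbounded CPU for a stray miner)"))
        if ":" not in c["image"].rsplit("/", 1)[-1]:
            findings.append(("low", f"image {c['image']} has no tag or digest; "
                             "pulls a mutable :latest"))
    return findings


def exposed_ports(manifest):
    """Set of containerPorts the pod declares; any other port is unreachable."""
    return {p["containerPort"]
            for c in manifest["spec"].get("containers", [])
            for p in c.get("ports", [])}
```

Running audit_pod(SLIDE_POD) yields four findings, and exposed_ports(SLIDE_POD) is {80}, so the slide's port-forward to 8080 cannot succeed regardless of how many logs or exec sessions are checked.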
  12. @k2r2bai Misconfigured Kubeflow workloads are a security risk
    A suspicious Kubeflow image was seen deployed to thousands of clusters in April, all from a single public repository. Closer inspection showed that the image runs a common open-source cryptojacking malware that mines the Monero virtual currency, known as XMRIG.
    https://bit.ly/2NI7Q0A
  13. @k2r2bai CVE-2019-14271
    CVE-2019-14271 marks a security issue in the implementation of the Docker cp command that can lead to full container escape when exploited by an attacker.
    https://bit.ly/2VwF6Mr
    https://www.anquanke.com/post/id/193218
  14. @k2r2bai CVE-2019-5736
    Allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers:
    • A new container with an attacker-controlled image.
    • An existing container, to which the attacker previously had write access, that can be attached with docker exec.
    https://www.cvedetails.com/cve/CVE-2019-5736/
  15. @k2r2bai
    • https://github.com/shubheksha/kubernetes-internals
    • https://github.com/daniel-hutao/k8s-source-code-analysis
    • https://github.com/kelseyhightower/kubernetes-the-hard-way
    • https://github.com/kubernetes/kubeadm/tree/master/docs/design
    • https://github.com/kubernetes/enhancements
    • https://github.com/containernetworking/cni/blob/master/SPEC.md
    • https://github.com/hwchiu/ithome-2020ironman
    Kubernetes