diff --git a/slides/k8s/control-plane-auth.md b/slides/k8s/control-plane-auth.md index aee2f651..ec95e612 100644 --- a/slides/k8s/control-plane-auth.md +++ b/slides/k8s/control-plane-auth.md @@ -92,6 +92,29 @@ --- +## etcd authorization + +- etcd supports RBAC, but Kubernetes doesn't use it by default + + (note: etcd RBAC is completely different from Kubernetes RBAC!) + +- By default, etcd access is "all or nothing" + + (if you have a valid certificate, you get in) + +- Be very careful if you use the same root CA for etcd and other things + + (if etcd trusts the root CA, then anyone with a valid cert gets full etcd access) + +- For more details, check the following resources: + + - [etcd documentation on authentication](https://etcd.io/docs/current/op-guide/authentication/) + + - [PKI The Wrong Way](https://www.youtube.com/watch?v=gcOLDEzsVHI) at KubeCon NA 2020 + +--- + + ## API server clients - The API server has a sophisticated authentication and authorization system diff --git a/slides/k8s/kyverno.md b/slides/k8s/kyverno.md index 83403caa..06cad7b1 100644 --- a/slides/k8s/kyverno.md +++ b/slides/k8s/kyverno.md @@ -321,9 +321,9 @@ class: extra-details - Try to apply a few color labels: ```bash - kubectl label test-color-2 color=purple - kubectl label test-color-2 color=red - kubectl label test-color-2 color=blue --overwrite + kubectl label pod test-color-2 color=purple + kubectl label pod test-color-2 color=red + kubectl label pod test-color-2 color=blue --overwrite ``` ] @@ -432,9 +432,9 @@ class: extra-details - Try to apply a few color labels: ```bash - kubectl label test-color-3 color=purple - kubectl label test-color-3 color=red - kubectl label test-color-3 color- + kubectl label pod test-color-3 color=purple + kubectl label pod test-color-3 color=red + kubectl label pod test-color-3 color- ``` ] diff --git a/slides/k8s/netpol.md b/slides/k8s/netpol.md index f92148cf..0ee5de8c 100644 --- a/slides/k8s/netpol.md +++ b/slides/k8s/netpol.md 
@@ -427,26 +427,34 @@ troubleshoot easily, without having to poke holes in our firewall. --- -## Further resources +## Tools and resources -- As always, the [Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/network-policies/) is a good starting point +- [Cilium Network Policy Editor](https://editor.cilium.io/) -- The API documentation has a lot of detail about the format of various objects: +- [Tufin Network Policy Viewer](https://orca.tufin.io/netpol/) - - [NetworkPolicy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#networkpolicy-v1-networking-k8s-io) - - - [NetworkPolicySpec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#networkpolicyspec-v1-networking-k8s-io) - - - [NetworkPolicyIngressRule](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#networkpolicyingressrule-v1-networking-k8s-io) - - - etc. - -- And two resources by [Ahmet Alp Balkan](https://ahmet.im/): +- Two resources by [Ahmet Alp Balkan](https://ahmet.im/): - a [very good talk about network policies](https://www.youtube.com/watch?list=PLj6h78yzYM2P-3-xqvmWaZbbI1sW-ulZb&v=3gGpMmYeEO8) at KubeCon North America 2017 - a repository of [ready-to-use recipes](https://github.com/ahmetb/kubernetes-network-policy-recipes) for network policies +--- + +## Documentation + +- As always, the [Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/network-policies/) is a good starting point + +- The API documentation has a lot of detail about the format of various objects: + + - [NetworkPolicy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#networkpolicy-v1-networking-k8s-io) + + - [NetworkPolicySpec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#networkpolicyspec-v1-networking-k8s-io) + + - [NetworkPolicyIngressRule](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#networkpolicyingressrule-v1-networking-k8s-io) + + - etc. 
+ ??? :EN:- Isolating workloads with Network Policies
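Review bot: in the control-plane-auth hunk, the new "etcd authorization" slide states the risk ("if etcd trusts the root CA, then anyone with a valid cert gets full etcd access") but never states the mitigation that follows from it: add a bullet saying that etcd should get its own dedicated CA, so that only client certificates issued specifically for etcd (e.g. the API server's) are accepted, since that is the practical takeaway of the "be very careful" warning. Two smaller points in the same hunk: the venue is written "KubeCon NA 2020" while the netpol slides use "KubeCon North America 2017", so one form should be picked; and the added `+---` is followed by an added blank `+` line plus the existing blank context line, leaving a doubled blank line before `## API server clients`.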
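Review bot: in the first kyverno hunk (around line 321), the fix is right but the commit message does not say why: `kubectl label test-color-2 color=purple` has no resource type, so kubectl treats `test-color-2` as the type and the command cannot run as written, which means the exercise was broken before this change. The second kyverno hunk (around line 432) makes the identical `kubectl label pod ...` correction; since both exercises had the same slip, it is worth grepping the rest of kyverno.md for other `kubectl label` or `kubectl annotate` invocations that omit the type.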
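Review bot: in the netpol hunk, the two new entries at the top of "Tools and resources" (the Cilium Network Policy Editor at editor.cilium.io and the Tufin Network Policy Viewer at orca.tufin.io) are third-party hosted web services rather than documentation; if the slide expects readers to feed them their own NetworkPolicy manifests, add a short parenthetical noting that such manifests expose namespace, label and CIDR layout, so sample policies (like the ones in the recipes repository linked just below) are the right input, not production manifests. A second point: the API reference links moved to the new "Documentation" slide are bumped from `v1.19` to `v1.20`, and will go stale exactly as the old ones did; linking the unversioned API reference index, or noting in a comment that these need bumping each release, would avoid repeating this change.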