## Deny All POD Egress to Specific IP

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: pod-deny
  namespace: access
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 192.168.100.21/32
```

## Allow Specific PODs Egress to Specific IP

```yaml
apiVersion: networking.
```
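As an added example (not part of these notes), the following Python evaluates the `pod-deny` policy's `ipBlock` semantics the way a CNI plugin would: the policy is embedded as a constructed dict mirroring the YAML above (to avoid a YAML dependency), every `except` range is checked to lie inside `cidr` as the API server requires, and egress to the excepted address is denied while all other destinations are allowed. Function names are assumptions, and only `ipBlock` peers are handled.

```python
import ipaddress

# Constructed dict rendering of the "pod-deny" NetworkPolicy shown above.
POD_DENY_POLICY = {
    "metadata": {"name": "pod-deny", "namespace": "access"},
    "spec": {
        "podSelector": {},            # selects every pod in the namespace
        "policyTypes": ["Egress"],
        "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                         "except": ["192.168.100.21/32"]}}]}],
    },
}


def validate_ip_block(block):
    """Mirror the API server's validation: each 'except' range must be inside 'cidr'."""
    cidr = ipaddress.ip_network(block["cidr"])
    for exc in block.get("except", []):
        if not ipaddress.ip_network(exc).subnet_of(cidr):
            raise ValueError(f"except {exc} is not within cidr {block['cidr']}")
    return cidr


def ip_block_matches(block, dst_ip):
    """True if dst_ip is inside 'cidr' and inside none of the 'except' ranges."""
    cidr = validate_ip_block(block)
    ip = ipaddress.ip_address(dst_ip)
    if ip not in cidr:
        return False
    return not any(ip in ipaddress.ip_network(exc) for exc in block.get("except", []))


def egress_allowed(policy, dst_ip):
    """Decide egress to an IP for a pod selected by this policy.

    If the policy does not restrict Egress, everything is allowed. Otherwise the
    destination must match a 'to' peer of some egress rule; a rule whose 'to'
    list is missing or empty matches every destination.
    """
    spec = policy["spec"]
    if "Egress" not in spec.get("policyTypes", []):
        return True
    for rule in spec.get("egress", []):
        peers = rule.get("to")
        if not peers:
            return True
        for peer in peers:
            if "ipBlock" in peer and ip_block_matches(peer["ipBlock"], dst_ip):
                return True
    return False
```

A pod not selected by any policy is unaffected, so this evaluation only applies to pods in the `access` namespace here.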
## Mounted Secret

```shell
kubectl exec pod1 -- cat /etc/secret-volume/password
```

## Environment Secret

```shell
kubectl exec pod2 -- env | grep PASS
```

## By Service Account

### Connect to the Container

```shell
kubectl exec -it pod3 -- sh
```

### Get Mount Information of Service Account in the Container

```shell
mount | grep serviceaccount
```

```
tmpfs on /run/secrets/kubernetes.io/serviceaccount type tmpfs (ro,relatime)
```

### Get Service Account Data in the Container

```shell
ls /run/secrets/kubernetes.io/serviceaccount
```

```
ca.crt  namespace  token
```

### Get Secret to Call Kubernetes API in the Container

```shell
curl https://kubernetes.
```
## Get Certificate Files

```shell
cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep etcd
```

## Get Secrets with ETCD

When running `etcdctl get`, you have to use the correct key path. Keys follow this pattern:

```
/registry/<resource>/<namespace>/<resource-name>
/registry/secrets/team-ns/database-access
```

```shell
ETCDCTL_API=3 etcdctl \
  --cert /etc/kubernetes/pki/apiserver-etcd-client.crt \
  --key /etc/kubernetes/pki/apiserver-etcd-client.key \
  --cacert /etc/kubernetes/pki/etcd/ca.crt \
  get /registry/secrets/team-ns/database-access
```
## Execute Command in an Existing POD

```shell
kubectl exec test-pod > ~/test-dmesg -- dmesg
```

## Execute Command in a Temporary POD

```shell
kubectl run test-pod --image=busybox --restart=Never --rm -it > ~/test.log -- nc -z -v -w 2 webapp-service
```
## Connect to the Node that is Running the POD

```shell
ssh node01
```

## Find the Container ID

```shell
docker ps -a | grep apparmor
```

## Inspect the Container

```shell
docker inspect 41f014a9e7a8 | grep -i profile
```

```
...
"AppArmorProfile": "very-secure",
...
```
## Label Help

```shell
kubectl label -h
```

## Labeling a Node

```shell
kubectl label node <node-name> <key=value>
kubectl label node node01 run=dev
```