Key management

Turtles all the way down - Securely managing Kubernetes Secrets
... secrets?
● Attractive target
○ Controls access or use of sensitive resources
● Common attack vector
○ Checked into Github
○ Accessible by users who shouldn't have access, e.g., CEO
○ Stored in public storage
... key is compromised
○ Time available for attempts to penetrate physical, procedural, and logical access
○ Time available for computationally intensive cryptanalytic attacks
● A cryptoperiod is the time ...
... practices Managing DEKs:
● Generate DEKs locally
● Use a strong cryptographic algorithm
● For easy access, store the DEK near the data that it encrypts
● Ensure DEKs are encrypted at rest
● Don't use ...
52 pages | 2.84 MB | 1 year ago
QCon Beijing 2018 - "Kubernetes: Future-Oriented Development and Deployment" - Michael Chen
... for Pods
• Creates virtual IP for external access
• Interfaces with local iptables
• Load-balance interface for Pods
The Kubernetes ... organize items in a cluster
Labels, Annotations & Selectors: tags for component grouping and methods to access them
Service Discovery: an object associated to a label selector to provide a LB and Service DNS
42 pages | 10.97 MB | 1 year ago
Kubernetes Security Survival Guide
Security Best Practices ©2019 VMware, Inc.
Disable public access
Implement role-based access control
Encrypt Kubernetes secrets at rest
Set up Kubernetes admission controllers
CI/CD Application DevOps Owner: consumes PKS API/CLI, Day 1 & Day 2 for k8s clusters, manages access to k8s API for developers
IT Operator: IaaS Management
Internet User / Application User: Trust ...
23 pages | 2.14 MB | 1 year ago
Apache OpenWhisk + Kubernetes: A Perfect Match for Your Serverless Platform
Kubernetes Service is an abstraction which defines a logical set of Pods and a policy by which to access them.
• Service provides a way for applications to communicate with each other on K8s platform
... objects used in OW charts
• ConfigMap: like nginx deployment configuration
• Secrets: like DB access credentials
• Ingress
Component Launch Sequence
• In Kubernetes, we can use the following ...
24 pages | 3.53 MB | 1 year ago
Bypassing conntrack: Enhancing IPVS with eBPF to Optimize K8s Network Performance
... VIP using a load balancer
• Two types
• ClusterIP provides in-cluster access
• NodePort provides out-of-cluster access
• Major modes
• Iptables
• IPVS
Iptables mode
• How it works
• DNAT at ...
24 pages | 1.90 MB | 1 year ago
Multi-Cloud as One Is Now: Google Cloud's Kubernetes Hybrid Cloud Strategy
... upgrade path to the latest Kubernetes releases that have been validated and tested by Google
● Access to Container services on GCP such as Cloud Build, Container Registry, Audit Logging, and more.
Orchestrate and manage on-prem containers just like GKE in the cloud
Consistent operating model with access to GCP services across hybrid environments
Single-pane-of-glass for multiple Kubernetes clusters
32 pages | 2.77 MB | 1 year ago
A First Look at Amazon Elastic Kubernetes Service (EKS)
... log-leaking}
• sensitive config (passwords, API keys, etc.)
• gotchas: commits-to-source, non-separated access (dev has cleartext password)
{
• business core data
• Personal Identifiable Information (PII)
... AWS Identity and Access Management (IAM) authentication
Kubectl 3) Authorizes AWS identity with RBAC
K8s API 1) Passes AWS identity ...
39 pages | 1.83 MB | 1 year ago
Building a Container Cloud Platform on Kubernetes in Practice - Ye Lideng, Head of UCloud Lab
... 10.9.1.4 vswitch VPC Subnet 10.9.0.1/16
Think in Cloud · Beijing
UK8S management service architecture: Logging, Monitoring, Alerting, API Access, Dashboard, Terminal, Job, Watcher, Operator, MongoDB, Redis, Watcher1, Watcher2, WatcherN, Cluster1, KUN-apiserver, pod1, podN, redis-svc, pod1, podN, watcher-operator-svc, job1, jobN, watcher1, watcherN, access-svc
Think in Cloud · Beijing
UK8S management service features:
A. Fully containerized and microservice-based.
B. All management services run on k8s.
C. Based on the k8s API ...
30 pages | 3.52 MB | 1 year ago
Kubernetes Open Source Book - Zhou Li
... bernetes-dashboard:/proxy/#!/overview? namespace=default
Reference: https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
02 - Installing single-node Kubernetes
Deploying a production-ready Kubernetes cluster with Kubespray (1.11 ...
... Controller: populates Endpoint objects (i.e., joins Service & Pod).
Service Account & Token Controllers: create default accounts and API access tokens for new namespaces.
cloud-controller-manager: runs the Controllers that interact with the underlying cloud provider. cloud-control ...
04 - K8s components
Kubernetes API: the API conventions doc describes the overall conventions of the API. The API Reference describes API endpoints, resource types and samples. The access doc discusses remote access to the API. The Kubernetes API is also the foundation of the system's declarative configuration model. The Kubectl command-line tool can be used to create, update, delete and get API objects. Kubernetes also ...
135 pages | 21.02 MB | 1 year ago
VMware SIG Intro to the vSphere Cloud Provider
... join group: https://groups.google.com/forum/#!forum/kubernetes-sig-vmware (This will give you write access to all the SIG VMware shared google documents)
Link to join Slack: https://kubernetes.slack.com
12 pages | 425.38 KB | 1 year ago