A Brief History of Kubernetes Security

Kubernetes has two primary mechanisms for controlling access within the cluster: Role-Based Access Control (RBAC) for limiting API requests, and SecurityContexts for limiting system-local privileges, such as root and UID/GID. API Requests and Role-Based Access Control (northbound requests): northbound requests are requests sent to the Kubernetes API to perform an action on the cluster.

Creating Hidden Super-Users in OpenShift

About Kubernetes Authentication: Kubernetes provides a number of authentication strategies, such as OAuth 2.0 integration, ServiceAccount tokens and client X.509 certificates, through a plugin-based architecture. The available authentication strategies for a cluster are controlled by the Kubernetes API server configuration and can be set via the APIServerConfig file or passed in via startup parameters.

Resetting the Kubeadmin Password

When provisioning a new OpenShift cluster there are 2 default cluster administrator accounts that are configured to allow for easy access to bootstrap other IdentityProviders and user accounts. The kubeadmin credential consists of a user/password combination that is provided by the OpenShift Authentication module and can be used through both the web console and the CLI tool. The system:admin credential consists of a signed X.509 certificate that can be used to communicate with the Kubernetes API directly and bypasses the OpenShift Authentication module.

Access the Red Hat Registry for Testing with cURL

Accessing a Docker registry can be performed using the curl command-line tool with basic authentication. For Red Hat's registry.redhat.io, when attempting to access the registry we can see that there are

~|⇒ curl https://registry.redhat.io/v2/
{"errors":[{"code":"UNAUTHORIZED","message":"Access to the requested resource is not authorized"}]}

When attempting to access this endpoint via basic CLI tools by querying the authentication endpoint found here: https://registry.

Troubleshooting CoreDNS in OpenShift 4.x

From using SRV records for locating available services to providing a method for stable load balancing between Pods of a StatefulSet using a headless service, DNS is a fundamental component of service discovery within Kubernetes. CoreDNS has become the standard DNS server used with Kubernetes and is the DNS provider within OpenShift / OKD 4.