로켓🐾

 

Kubernetes has a feature called Audit. As you have probably noticed, it monitors which APIs were called on the kube-apiserver.

Since it is not enabled by default when you install Kubernetes, the Audit feature has to be turned on separately.

 

So in this post, we will enable the Audit feature and watch who called which resource, and with which action!

 

 

Let's do the code!

 

 

Enabling the Audit feature


This was done on control plane & data plane v1.26.1

 

Go to the official Kubernetes documentation and search for Audit. Then click through and read the document.

k8s docs

 

Scroll all the way down to the Log backend section.

 

Add the following to /etc/kubernetes/manifests/kube-apiserver.yaml.

    --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    --audit-log-path=/var/log/kubernetes/audit/audit.log

 

You can also pass further options.

    --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    --audit-log-path=/var/log/kubernetes/audit/audit.log
    --audit-log-maxage=10 # keep files for at most 10 days
    --audit-log-maxbackup=10 # keep at most 10 files
    --audit-log-maxsize=10 # maximum size before rotation is 10MB
  • --audit-log-path specifies the log file path that the log backend uses to write audit events. Not specifying this flag disables the log backend. - means standard out.
  • --audit-log-maxage defines the maximum number of days to retain old audit log files.
  • --audit-log-maxbackup defines the maximum number of audit log files to retain.
  • --audit-log-maxsize defines the maximum size in megabytes of the audit log file before it gets rotated.

 

๊ทธ๋Ÿฐ ๋‹ค์Œ ๋ณผ๋ฅจ์„ ๋งˆ์šดํŠธ๋ฅผ ํ•ด์ค๋‹ˆ๋‹ค.

...
volumeMounts:
  - mountPath: /etc/kubernetes/audit-policy.yaml
    name: audit
    readOnly: true
  - mountPath: /var/log/kubernetes/audit/
    name: audit-log
    readOnly: false

 

And finally, configure the hostPath volumes.

...
volumes:
- name: audit
  hostPath:
    path: /etc/kubernetes/audit-policy.yaml
    type: File

- name: audit-log
  hostPath:
    path: /var/log/kubernetes/audit/
    type: DirectoryOrCreate

 

By using a hostPath, the audit-policy.yaml that lives on the host (control plane) is passed into the kube-apiserver container, and the audit.log written by the kube-apiserver container is created on the host.

 

But if you run it like this, kube-apiserver will most likely fail with an error, because we have not created audit-policy.yaml yet.

 

So let's create audit-policy.yaml!

 

 

Writing audit-policy.yaml


There are two important concepts in an audit policy.

 

One is the audit stage, and the other is the audit level.

 

 

๊ฐ์‚ฌ ๋‹จ๊ณ„(audit stage)

  • RequestReceived - ๊ฐ์‚ฌ ํ•ธ๋“ค๋Ÿฌ๊ฐ€ ์š”์ฒญ์„ ์ˆ˜์‹ ํ•œ ์งํ›„, ๊ทธ๋ฆฌ๊ณ  ํ•ธ๋“ค๋Ÿฌ ์ฒด์ธ์œผ๋กœ ์œ„์ž„๋˜๊ธฐ ์ „์— ์ƒ์„ฑ๋˜๋Š” ์ด๋ฒคํŠธ์— ๋Œ€ํ•œ ๋‹จ๊ณ„์ด๋‹ค.
  • ResponseStarted - ์‘๋‹ต ํ—ค๋”๋Š” ์ „์†ก๋˜์—ˆ์ง€๋งŒ, ์‘๋‹ต ๋ณธ๋ฌธ(body)์€ ์ „์†ก๋˜๊ธฐ ์ „์ธ ๋‹จ๊ณ„์ด๋‹ค. ์ด ๋‹จ๊ณ„๋Š” ์˜ค๋ž˜ ์‹คํ–‰๋˜๋Š” ์š”์ฒญ(์˜ˆ: watch)์— ๋Œ€ํ•ด์„œ๋งŒ ์ƒ์„ฑ๋œ๋‹ค.
  • ResponseComplete - ์‘๋‹ต ๋‚ด์šฉ์ด ์™„๋ฃŒ๋˜์—ˆ์œผ๋ฉฐ, ๋” ์ด์ƒ ๋ฐ”์ดํŠธ๊ฐ€ ์ „์†ก๋˜์ง€ ์•Š์„ ๋•Œ์˜ ๋‹จ๊ณ„์ด๋‹ค.
  • Panic - ํŒจ๋‹‰์ด ๋ฐœ์ƒํ–ˆ์„ ๋•Œ ์ƒ์„ฑ๋˜๋Š” ์ด๋ฒคํŠธ์ด๋‹ค.

 

๊ฐ์‚ฌ ์ˆ˜์ค€(audit level)

  • None - ์ด ๊ทœ์น™์— ํ•ด๋‹น๋˜๋Š” ์ด๋ฒคํŠธ๋Š” ๋กœ๊น…ํ•˜์ง€ ์•Š๋Š”๋‹ค.
  • Metadata - ์š”์ฒญ ๋ฉ”ํƒ€๋ฐ์ดํ„ฐ(์š”์ฒญํ•˜๋Š” ์‚ฌ์šฉ์ž, ํƒ€์ž„์Šคํƒฌํ”„, ๋ฆฌ์†Œ์Šค, ๋™์‚ฌ(verb) ๋“ฑ)๋Š” ๋กœ๊น…ํ•˜์ง€๋งŒ ์š”์ฒญ/์‘๋‹ต ๋ณธ๋ฌธ์€ ๋กœ๊น…ํ•˜์ง€ ์•Š๋Š”๋‹ค.
  • Request - ์ด๋ฒคํŠธ ๋ฉ”ํƒ€๋ฐ์ดํ„ฐ ๋ฐ ์š”์ฒญ ๋ณธ๋ฌธ์„ ๋กœ๊น…ํ•˜์ง€๋งŒ ์‘๋‹ต ๋ณธ๋ฌธ์€ ๋กœ๊น…ํ•˜์ง€ ์•Š๋Š”๋‹ค. ๋ฆฌ์†Œ์Šค ์™ธ์˜ ์š”์ฒญ์—๋Š” ์ ์šฉ๋˜์ง€ ์•Š๋Š”๋‹ค.
  • RequestResponse - ์ด๋ฒคํŠธ ๋ฉ”ํƒ€๋ฐ์ดํ„ฐ ๋ฐ ์š”์ฒญ/์‘๋‹ต ๋ณธ๋ฌธ์„ ๋กœ๊น…ํ•œ๋‹ค. ๋ฆฌ์†Œ์Šค ์™ธ์˜ ์š”์ฒญ์—๋Š” ์ ์šฉ๋˜์ง€ ์•Š๋Š”๋‹ค.

 

Looking at the definitions alone, it is hard to really get it. I don't understand it from this alone either..


 

So let's look at the example in the official docs! It should be easier to understand.

apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in the RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
  # Log "pods/log", "pods/status" at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]

  # Don't log requests to a configmap called "controller-leader"
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]

  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]

  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"

  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]

  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]

  # Log all other resources in core and extensions at the Request level.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.

  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"

 

์˜ˆ์ œ์˜ ์–‘์ด ๊ฝค๋‚˜ ๋ฐฉ๋Œ€ํ•˜๋‹ˆ ์ค‘์š”ํ•˜๋‹ค๊ณ  ์ƒ๊ฐํ•˜๋Š” ํฌ์ธํŠธ๋งŒ ์ถ”๋ ค๋ดค์Šต๋‹ˆ๋‹ค.

apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in the RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:

  # First rule
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      resources: ["pods"]

  # Second rule
  # Log pod reads (get, watch, list) at RequestResponse level
  - level: RequestResponse
    verbs: ["get", "watch", "list"]
    resources:
    - group: ""
      resources: ["pods"]

  # Third rule
  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]

  # Fourth rule
  - level: None

 

Because RequestReceived is declared in .omitStages, this policy produces no log at the RequestReceived stage for any rule. In other words, the events that would be generated before the request is delegated to the handler chain are not produced.

 

Now let's go through the rules one by one.

 

First rule

  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      resources: ["pods"]

 

Because the level is RequestResponse, the event metadata and both the request and response bodies are logged.

And the resource being logged is pods.

 

For example, if someone runs kubectl get pods, everything about that event is recorded.

Who did it, what action they performed, what happened, and so on: everything about pods is recorded.

 

Second rule

  # Second rule
  # Log pod reads (get, watch, list) at RequestResponse level
  - level: RequestResponse
    verbs: ["get", "watch", "list"]
    resources:
    - group: ""
      resources: ["pods"]

 

Likewise, because the level is RequestResponse, the event metadata and the request and response bodies are all logged.

And the resource is pods, but only get, watch, and list are recorded.

 

That is, create, update, and so on are not recorded.

Some of you may have noticed already, but when the policy is written this way the first rule ends up being restricted by the second rule.
This is because the first rule allowed every verb on pods, while the second rule restricts the verbs on pods.

 

Third rule

  # Third rule
  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]

Because the level is Metadata, only the request metadata (requesting user, timestamp, resource, verb, etc.) is logged.

And the targets are secrets and configmaps.

 

That is, every action such as kubectl get secrets or kubectl edit configmaps is recorded.

 

Fourth rule

  # Fourth rule
  - level: None

Unless the policy says otherwise, Audit allows everything.

For example, with the policy above, actions on resources or verbs that are not listed, such as deployments or pvc, would all be logged.

 

So a rule like the fourth one lets you stop anything not covered by an explicit rule from being logged.

 

๋Œ€๋žต์ ์œผ๋กœ audit-policy.yaml ์— ๋Œ€ํ•ด ์•Œ์•„๋ณด์•˜๊ณ  ์ด๋ฒˆ์—” ์‹ค์ œ๋กœ ์ฟ ๋ฒ„๋„คํ‹ฐ์Šค์— ์ ์šฉํ•ด๋ณด์ฃ !

 

 

I know what you did last night!


Let's set up a scenario for the hands-on part!

 

The applications that make up Jarvis are running in a Kubernetes environment.

Jarvis's database is also running as a pod, and the database connection information is deployed as a Secret.

But!
Last night we learned that someone accessed the Secret to find out Jarvis's database password.
We want to use the Audit feature to find out who tried to access the Secret.

 

First, let's enable Audit.

Create /etc/kubernetes/audit-policy.yaml.

apiVersion: audit.k8s.io/v1 
kind: Policy
rules:
  - level: Metadata
    resources:
    - group: "" 
      resources: ["secrets"]
      
  - level: None

 

secrets ์—๋งŒ ๊ด€์‹ฌ์ด ์žˆ๊ธฐ ๋•Œ๋ฌธ์— ๋‚˜๋จธ์ง€ ๋ฆฌ์†Œ์Šค์— ๋Œ€ํ•ด์„œ๋Š” None ์ฒ˜๋ฆฌํ•ด์ค๋‹ˆ๋‹ค.

 

๊ทธ๋Ÿฐ ๋‹ค์Œ /etc/kubernetes/manifest/kube-apiserver.yaml ์— ์•„๋ž˜ ์˜ต์…˜๋“ค์„ ์ถ”๊ฐ€ํ•ด์ค๋‹ˆ๋‹ค.

...
--audit-policy-file=/etc/kubernetes/audit-policy.yaml 
--audit-log-path=/var/log/kubernetes/audit/audit.log
    
...
volumeMounts:
  - mountPath: /etc/kubernetes/audit-policy.yaml
    name: audit
    readOnly: true
  - mountPath: /var/log/kubernetes/audit/
    name: audit-log
    readOnly: false
    
...
volumes:
- name: audit
  hostPath:
    path: /etc/kubernetes/audit-policy.yaml
    type: File
- name: audit-log
  hostPath:
    path: /var/log/kubernetes/audit/
    type: DirectoryOrCreate

 

If kube-apiserver restarted successfully, an audit.log file will have been created in /var/log/kubernetes/audit with log entries written to it.

audit.log

 

You can see that only the metadata related to secrets is stored in the log. Events are also produced at the various stages.

 

So, who actually accessed the db secret? Let's find out!

cat /var/log/kubernetes/audit/audit.log | grep db |  jq

 

Aha! We found the culprit!

Gotcha!

 

The culprit was myuser.

We need to restrict the Role that myuser has!!

 

์˜ค๋Š˜์€ ์ด๋ ‡๊ฒŒ ์ฟ ๋ฒ„๋„คํ‹ฐ์Šค์˜ Audit ๊ธฐ๋Šฅ์„ ์•Œ์•„๋ดค์Šต๋‹ˆ๋‹ค.

EKS ๊ฐ™์€ ๊ฒฝ์šฐ ์…‹์—… ํ• ๋•Œ Audit ์„ค์ •์„ ํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ, cloud watch ์—์„œ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋„๋ก ์ง€์›ํ•ฉ๋‹ˆ๋‹ค.

 

๊ทธ๋Ÿฌ๋ฉด ์˜ค๋Š˜์€ ์—ฌ๊ธฐ๊นŒ์ง€!

 
