{"id":1398,"date":"2024-04-14T05:37:31","date_gmt":"2024-04-13T20:37:31","guid":{"rendered":"https:\/\/www.gyuroot.com\/wordpress\/?p=1398"},"modified":"2024-04-14T05:37:36","modified_gmt":"2024-04-13T20:37:36","slug":"06-aews-eks-security","status":"publish","type":"post","link":"https:\/\/www.gyuroot.com\/wordpress\/?p=1398","title":{"rendered":"06-[AEWS]-EKS Security"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_63 counter-hierarchy ez-toc-counter ez-toc-white ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title \" >\ubaa9\ucc28<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-1'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#Kubernetes_Auth\" title=\"Kubernetes 
Auth\">Kubernetes Auth<\/a><ul class='ez-toc-list-level-2' ><li class='ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#Authentication_%EC%9D%B8%EC%A6%9D\" title=\"Authentication (\uc778\uc99d)\">Authentication (\uc778\uc99d)<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#%EC%82%AC%EC%9A%A9%EC%9E%90_%EC%96%B4%EC%B9%B4%EC%9A%B4%ED%8A%B8\" title=\"\uc0ac\uc6a9\uc790 \uc5b4\uce74\uc6b4\ud2b8\">\uc0ac\uc6a9\uc790 \uc5b4\uce74\uc6b4\ud2b8<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#%EC%84%9C%EB%B9%84%EC%8A%A4_%EC%96%B4%EC%B9%B4%EC%9A%B4%ED%8A%B8\" title=\"\uc11c\ube44\uc2a4 \uc5b4\uce74\uc6b4\ud2b8\">\uc11c\ube44\uc2a4 \uc5b4\uce74\uc6b4\ud2b8<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#%EC%9D%B8%EC%A6%9D_%EB%B0%A9%EC%8B%9D\" title=\"\uc778\uc99d \ubc29\uc2dd\">\uc778\uc99d \ubc29\uc2dd<\/a><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#Basic_HTTP_Auth\" title=\"Basic HTTP Auth\">Basic HTTP Auth<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#Access_token_via_HTTP_Header\" title=\"Access token via HTTP Header\">Access token via HTTP Header<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#Client_cert\" title=\"Client cert\">Client cert<\/a><\/li><\/ul><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a 
class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#Authorization_%EC%9D%B8%EA%B0%80\" title=\"Authorization (\uc778\uac00)\">Authorization (\uc778\uac00)<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#RBAC_%EA%B4%80%EB%A0%A8_%ED%94%8C%EB%9F%AC%EA%B7%B8%EC%9D%B8_%EB%B0%8F_%ED%99%95%EC%9D%B8_%EB%B0%A9%EB%B2%95\" title=\"RBAC \uad00\ub828 \ud50c\ub7ec\uadf8\uc778 \ubc0f \ud655\uc778 \ubc29\ubc95\">RBAC \uad00\ub828 \ud50c\ub7ec\uadf8\uc778 \ubc0f \ud655\uc778 \ubc29\ubc95<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#STSSecurity_Token_Service_%EC%9E%84%EC%8B%9C_%EB%B3%B4%EC%95%88_%EC%9E%90%EA%B2%A9_%EC%A6%9D%EB%AA%85_%EC%83%9D%EC%84%B1\" title=\"STS(Security Token Service) \uc784\uc2dc \ubcf4\uc548 \uc790\uaca9 \uc99d\uba85 \uc0dd\uc131\">STS(Security Token Service) \uc784\uc2dc \ubcf4\uc548 \uc790\uaca9 \uc99d\uba85 \uc0dd\uc131<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#EC2_Instance_ProfileIAM_Role%EC%97%90_%EB%A7%B5%ED%95%91%EB%90%9C_k8s_rbac_%ED%99%95%EC%9D%B8\" title=\"EC2 Instance Profile(IAM Role)\uc5d0 \ub9f5\ud551\ub41c k8s rbac \ud655\uc778\">EC2 Instance Profile(IAM Role)\uc5d0 \ub9f5\ud551\ub41c k8s rbac \ud655\uc778<\/a><\/li><\/ul><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-1'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#EKS_IMDS_IRSA_Pod_Identity\" title=\"EKS IMDS &amp; IRSA &amp; Pod Identity\">EKS IMDS &amp; IRSA &amp; Pod Identity<\/a><ul class='ez-toc-list-level-2' ><li class='ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-14\" 
href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#IMDSInstances_Meta_Data_Service\" title=\"IMDS(Instances Meta Data Service)\">IMDS(Instances Meta Data Service)<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-15\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#IMDSv1\" title=\"IMDSv1\">IMDSv1<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-16\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#IMDSv2\" title=\"IMDSv2\">IMDSv2<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-17\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#IRSAIAM_Roles_for_Service_Accounts\" title=\"IRSA(IAM Roles for Service Accounts)\">IRSA(IAM Roles for Service Accounts)<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-18\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#EKS_Pod_Identity\" title=\"EKS Pod Identity\">EKS Pod Identity<\/a><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-19\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#%EC%8B%A4%EC%8A%B5\" title=\"\uc2e4\uc2b5\">\uc2e4\uc2b5<\/a><\/li><\/ul><\/li><\/ul><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-1'><a class=\"ez-toc-link ez-toc-heading-20\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#OWASP_Kubernetes_Top_Ten\" title=\"OWASP Kubernetes Top Ten\">OWASP Kubernetes Top Ten<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-1'><a class=\"ez-toc-link ez-toc-heading-21\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#kyverno\" title=\"kyverno\">kyverno<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-1'><a class=\"ez-toc-link ez-toc-heading-22\" 
href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#Pod_Container_Security_context\" title=\"Pod \/ Container Security context\">Pod \/ Container Security context<\/a><ul class='ez-toc-list-level-2' ><li class='ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-23\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#Container_Security_Context\" title=\"Container Security Context\">Container Security Context<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-24\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#readOnlyRootFilesystem\" title=\"readOnlyRootFilesystem\">readOnlyRootFilesystem<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-25\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#Linux_Capabilities\" title=\"Linux Capabilities\">Linux Capabilities<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-26\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#Pod_Security_Context\" title=\"Pod Security Context\">Pod Security Context<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-27\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#runuser_%EC%8B%A4%ED%96%89_%EC%82%AC%EC%9A%A9%EC%9E%90_%EB%B3%80%EA%B2%BD\" title=\"runuser (\uc2e4\ud589 \uc0ac\uc6a9\uc790 \ubcc0\uacbd)\">runuser (\uc2e4\ud589 \uc0ac\uc6a9\uc790 \ubcc0\uacbd)<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-28\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#runAsNonRoot_root_%EC%82%AC%EC%9A%A9%EC%9E%90%EB%A1%9C_%EC%8B%A4%ED%96%89_%EC%A0%9C%ED%95%9C\" title=\"runAsNonRoot (root \uc0ac\uc6a9\uc790\ub85c \uc2e4\ud589 \uc81c\ud55c)\">runAsNonRoot (root \uc0ac\uc6a9\uc790\ub85c \uc2e4\ud589 \uc81c\ud55c)<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a 
class=\"ez-toc-link ez-toc-heading-29\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#fsGroup%ED%8C%8C%EC%9D%BC%EC%8B%9C%EC%8A%A4%ED%85%9C_%EA%B7%B8%EB%A3%B9_%EC%A7%80%EC%A0%95\" title=\"fsGroup(\ud30c\uc77c\uc2dc\uc2a4\ud15c \uadf8\ub8f9 \uc9c0\uc815)\">fsGroup(\ud30c\uc77c\uc2dc\uc2a4\ud15c \uadf8\ub8f9 \uc9c0\uc815)<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-30\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\/#sysctls_%EC%BB%A4%EB%84%90_%ED%8C%8C%EB%9D%BC%EB%AF%B8%ED%84%B0_%EC%84%A4%EC%A0%95\" title=\"sysctls (\ucee4\ub110 \ud30c\ub77c\ubbf8\ud130 \uc124\uc815)\">sysctls (\ucee4\ub110 \ud30c\ub77c\ubbf8\ud130 \uc124\uc815)<\/a><\/li><\/ul><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n<h1 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Kubernetes_Auth\"><\/span>Kubernetes Auth<span class=\"ez-toc-section-end\"><\/span><\/h1>\n\n\n\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"746\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-408-1024x746.png\" alt=\"\" class=\"wp-image-1409\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-408-1024x746.png 1024w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-408-300x219.png 300w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-408-768x559.png 768w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-408-1536x1119.png 1536w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-408.png 2000w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"308\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-400-1024x308.png\" alt=\"\" class=\"wp-image-1401\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-400-1024x308.png 1024w, 
https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-400-300x90.png 300w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-400-768x231.png 768w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-400-1536x462.png 1536w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-400.png 1930w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><a href=\"https:\/\/sysdig.com\/blog\/kubernetes-admission-controllers\/\">\ucd9c\ucc98 : sysdig BY KAIZHE HUANG<\/a><\/figcaption><\/figure>\n\n\n\n<p>Admission Control\uc740 \ud074\ub7ec\uc2a4\ud130\uc5d0\uc11c \uc2e4\ud589\ud560 \uc218 \uc788\ub294 \ud56d\ubaa9\uc744 \uc815\uc758\ud558\uace0 \uc0ac\uc6a9\uc790 \uc9c0\uc815\ud558\ub294 \ub370 \ub3c4\uc6c0\uc774 \ub418\ub294 \uac15\ub825\ud55c Kubernetes \uae30\ubc18 \uae30\ub2a5\uc785\ub2c8\ub2e4. \uac10\uc2dc\uc790\ub85c\uc11c \ud074\ub7ec\uc2a4\ud130\uc5d0 \ub4e4\uc5b4\uac00\ub294 \ub0b4\uc6a9\uc744 \uc81c\uc5b4\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. 
\ub108\ubb34 \ub9ce\uc740 \ub9ac\uc18c\uc2a4\ub97c \uc694\uccad\ud558\ub294 \ubc30\ud3ec\ub97c \uad00\ub9ac\ud558\uace0, \ud3ec\ub4dc \ubcf4\uc548 \uc815\ucc45\uc744 \uc2dc\ud589\ud558\uba70, \ucde8\uc57d\ud55c \uc774\ubbf8\uc9c0\uac00 \ubc30\ud3ec\ub418\ub294 \uac83\uc744 \ucc28\ub2e8\ud560 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Authentication_%EC%9D%B8%EC%A6%9D\"><\/span>Authentication (\uc778\uc99d)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>\ucfe0\ubc84\ub124\ud2f0\uc2a4\ub294 \uacc4\uc815 \uccb4\uacc4\ub97c \uad00\ub9ac\ud568\uc5d0 \uc788\uc5b4\uc11c \uc0ac\ub78c\uc774 \uc0ac\uc6a9\ud558\ub294 \uc0ac\uc6a9\uc790 \uc5b4\uce74\uc6b4\ud2b8\uc640, \uc2dc\uc2a4\ud15c\uc774 \uc0ac\uc6a9\ud558\ub294 \uc11c\ube44\uc2a4 \uc5b4\uce74\uc6b4\ud2b8 \ub450\uac00\uc9c0 \uac1c\ub150\uc744 \uc81c\uacf5\ud55c\ub2e4.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%EC%82%AC%EC%9A%A9%EC%9E%90_%EC%96%B4%EC%B9%B4%EC%9A%B4%ED%8A%B8\"><\/span>\uc0ac\uc6a9\uc790 \uc5b4\uce74\uc6b4\ud2b8<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>\uc0ac\uc6a9\uc790 \uc5b4\uce74\uc6b4\ud2b8\ub294 \uc6b0\ub9ac\uac00 \uc77c\ubc18\uc801\uc73c\ub85c \uc0dd\uac01\ud558\ub294 \uc0ac\uc6a9\uc790 \uc544\uc774\ub514\uc758 \uac1c\ub150\uc774\ub2e4.\ucfe0\ubc84\ub124\ud2f0\uc2a4\ub294 \uc790\uccb4\uc801\uc73c\ub85c \uc0ac\uc6a9\uc790 \uacc4\uc815\uc744 \uad00\ub9ac\ud558\uace0 \uc774\ub97c \uc778\uc99d(Authenticate)\ud558\ub294 \uc2dc\uc2a4\ud15c\uc744 \uac00\uc9c0\uace0 \uc788\uc9c0 \uc54a\ub2e4. 
\ubc18\ub4dc\uc2dc \ubcc4\ub3c4\uc758 \uc678\ubd80 \uacc4\uc815 \uc2dc\uc2a4\ud15c\uc744 \uc0ac\uc6a9\ud574\uc57c \ud558\uba70, \uacc4\uc815 \uc2dc\uc2a4\ud15c \uc5f0\ub3d9\uc744 \uc704\ud574\uc11c OAuth\ub098 Webhook\uacfc \uac19\uc740 \uacc4\uc815 \uc5f0\ub3d9 \ubc29\uc2dd\uc744 \uc9c0\uc6d0\ud55c\ub2e4.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%EC%84%9C%EB%B9%84%EC%8A%A4_%EC%96%B4%EC%B9%B4%EC%9A%B4%ED%8A%B8\"><\/span>\uc11c\ube44\uc2a4 \uc5b4\uce74\uc6b4\ud2b8<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>\uc11c\ube44\uc2a4 \uc5b4\uce74\uc6b4\ud2b8\uac00 \ub2e4\uc18c \ub0ae\uc124 \uc218 \uc788\ub294\ub370, \uc608\ub97c \ub4e4\uc5b4 \ud074\ub77c\uc774\uc5b8\ud2b8\uac00 \ucfe0\ubc84\ub124\ud2f0\uc2a4 API\ub97c \ud638\ucd9c\ud558\uac70\ub098, \ucf58\uc194\uc774\ub098 \uae30\ud0c0 \ud074\ub77c\uc774\uc5b8\ud2b8\uac00 \ucfe0\ubc84\ub124\ud2f0\uc2a4 API\ub97c \uc811\uadfc\ud558\uace0\uc790 \ud560 \ub54c, \uc774\ub294 \uc2e4\uc81c \uc0ac\ub78c\uc778 \uc0ac\uc6a9\uc790\uac00 \uc544\ub2c8\ub77c \uc2dc\uc2a4\ud15c\uc774 \ub41c\ub2e4. \uadf8\ub798\uc11c, \ucfe0\ubc84\ub124\ud2f0\uc2a4\uc5d0\uc11c\ub294 \uc774\ub97c \uc77c\ubc18 \uc0ac\uc6a9\uc790\uc640 \ubd84\ub9ac\ud574\uc11c \uad00\ub9ac\ud558\ub294\ub370 \uc774\ub97c \uc11c\ube44\uc2a4 \uc5b4\uce74\uc6b4\ud2b8 service account\ub77c\uace0 \ud55c\ub2e4. \uc11c\ube44\uc2a4 \uc5b4\uce74\uc6b4\ud2b8\ub97c \uc0dd\uc131\ud558\ub294 \ubc29\ubc95\uc740 \uac04\ub2e8\ud558\ub2e4. 
<code>kubectl create sa {\uc11c\ube44\uc2a4 \uc5b4\uce74\uc6b4\ud2b8\uba85}<\/code> \uc744 \uc2e4\ud589\ud558\uba74 \ub41c\ub2e4.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%EC%9D%B8%EC%A6%9D_%EB%B0%A9%EC%8B%9D\"><\/span>\uc778\uc99d \ubc29\uc2dd<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Basic_HTTP_Auth\"><\/span>Basic HTTP Auth<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<ul>\n<li>HTTP \uc694\uccad\uc5d0 \uc0ac\uc6a9\uc790 \uc544\uc774\ub514\uc640 \ube44\ubc00\ubc88\ud638\ub97c \uc2e4\uc5b4 \ubcf4\ub0b4\uc11c \uc778\uc99d\ud558\ub294 \ubc29\uc2dd<\/li>\n\n\n\n<li>\uc544\uc774\ub514\uc640 \ube44\ubc00\ubc88\ud638\uac00 \ub124\ud2b8\uc6cc\ud06c\ub97c \ud1b5\ud574\uc11c \ub9e4\ubc88 \uc804\uc1a1\ub418\uae30 \ub54c\ubb38\uc5d0 \uadf8\ub2e4\uc9c0 \uad8c\uc7a5\ud558\uc9c0 \uc54a\ub294 \ubc29\ubc95<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Access_token_via_HTTP_Header\"><\/span>Access token via HTTP Header<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<ul>\n<li>\uc77c\ubc18\uc801\uc778 REST API \uc778\uc99d\uc5d0 \ub9ce\uc774 \uc0ac\uc6a9\ub418\ub294 \ubc29\uc2dd<\/li>\n\n\n\n<li>\uc0ac\uc6a9\uc790 \uc778\uc99d \ud6c4\uc5d0, \uc0ac\uc6a9\uc790\uc5d0 \ubd80\uc5ec\ub41c API TOKEN\uc744 HTTP Header\uc5d0 \uc2e4\uc5b4\uc11c \ubcf4\ub0b4\ub294 \ubc29\uc2dd<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Client_cert\"><\/span>Client cert<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<ul>\n<li>\ud074\ub77c\uc774\uc5b8\ud2b8\uc758 \uc2dd\ubcc4\uc744 \uc778\uc99d\uc11c (Certification)\uc744 \uc774\uc6a9\ud574\uc11c \uc778\uc99d\ud558\ub294 \ubc29\uc2dd<\/li>\n\n\n\n<li>\ud55c\uad6d\uc73c\ub85c \ubcf4\uc790\uba74 \uc778\ud130\ub137 \ubc45\ud0b9\uc758 \uacf5\uc778 \uc778\uc99d\uc11c\uc640 \uac19\uc740 \ubc29\uc2dd\uc73c\ub85c \uc0dd\uac01\ud558\uba74 
\ub41c\ub2e4. \ubcf4\uc548\uc131\uc740 \uac00\uc7a5 \ub192\uc73c\ub098, \uc778\uc99d\uc11c \uad00\ub9ac\uc5d0 \ucd94\uac00\uc801\uc778 \ub178\ub825\uc774 \ud544\uc694<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Authorization_%EC%9D%B8%EA%B0%80\"><\/span>Authorization (\uc778\uac00)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"577\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-407-1024x577.png\" alt=\"\" class=\"wp-image-1408\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-407-1024x577.png 1024w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-407-300x169.png 300w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-407-768x433.png 768w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-407-1536x866.png 1536w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-407.png 2000w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>\ucfe0\ubc84\ub124\ud2f0\uc2a4\uc758 \uad8c\ud55c \ucc98\ub9ac \uccb4\uacc4\ub294 \uae30\ubcf8\uc801\uc73c\ub85c \uc5ed\ud560\uae30\ubc18\uc758 \uad8c\ud55c \uc778\uac00 \uccb4\uacc4\ub97c \uac00\uc9c0\uace0 \uc788\ub2e4. 
\uc774\ub97c RBAC (Role based access control)\uc774\ub77c\uace0 \ud55c\ub2e4.<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"415\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-401-1024x415.png\" alt=\"\" class=\"wp-image-1402\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-401-1024x415.png 1024w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-401-300x122.png 300w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-401-768x311.png 768w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-401.png 1218w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>\uc0ac\uc6a9\uc790\uc758 \uacc4\uc815\uc740 \uac1c\uac1c\ubcc4 \uc0ac\uc6a9\uc790\uc778 user, \uadf8\ub9ac\uace0 \uadf8 \uc0ac\uc6a9\uc790\ub4e4\uc758 \uadf8\ub8f9\uc740 user group, \ub9c8\uc9c0\ub9c9\uc73c\ub85c \uc2dc\uc2a4\ud15c\uc758 \uacc4\uc815\uc744 \uc815\uc758\ud558\ub294 service account\ub85c \uc815\uc758\ub41c\ub2e4.\uad8c\ud55c\uc740 Role\uc774\ub77c\ub294 \uac1c\ub150\uc73c\ub85c \uc815\uc758\uac00 \ub418\ub294\ub370, \uc774 Role\uc5d0\ub294 \uac01\uac01\uc758 \ub9ac\uc18c\uc2a4\uc5d0 \ub300\ud55c \uad8c\ud55c\uc774 \uc815\uc758\ub41c\ub2e4. \uc608\ub97c \ub4e4\uc5b4 pod \uc815\ubcf4\uc5d0\ub300\ud55c create\/list\/delete\ub4f1\uc744 \uc815\uc758\ud560 \uc218 \uc788\ub2e4. 
\uc774\ub807\uac8c \uc815\uc758\ub41c Role\uc740 \uacc4\uc815\uacfc RoleBinding \uc774\ub77c\ub294 \uc815\uc758\ub97c \ud1b5\ud574\uc11c, \uacc4\uc815\uacfc \uc5f0\uacb0\uc774 \ub41c\ub2e4.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"kind: Role\napiVersion: rbac.authorization.k8s.io\/v1\nmetadata:\n  namespace: default\n  name: pod-reader\nrules:\n  - apiGroups: [&quot;&quot;]\n    resources: [&quot;pods&quot;]\n    verbs: [&quot;get&quot;, &quot;watch&quot;, &quot;list&quot;]\n  \" style=\"color:#d8dee9ff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" 
stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #8FBCBB\">kind<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">Role<\/span><\/span>\n<span class=\"line\"><span style=\"color: #8FBCBB\">apiVersion<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rbac.authorization.k8s.io\/v1<\/span><\/span>\n<span class=\"line\"><span style=\"color: #8FBCBB\">metadata<\/span><span style=\"color: #ECEFF4\">:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #8FBCBB\">namespace<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">default<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #8FBCBB\">name<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">pod-reader<\/span><\/span>\n<span class=\"line\"><span style=\"color: #8FBCBB\">rules<\/span><span style=\"color: #ECEFF4\">:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #ECEFF4\">-<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #8FBCBB\">apiGroups<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">[<\/span><span style=\"color: #ECEFF4\">&quot;&quot;<\/span><span style=\"color: #ECEFF4\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">    <\/span><span style=\"color: #8FBCBB\">resources<\/span><span style=\"color: 
#ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">[<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">pods<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">    <\/span><span style=\"color: #8FBCBB\">verbs<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">[<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">get<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">watch<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">list<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>Role\uc744 \uc0ac\uc6a9\uc790\uc5d0\uac8c \ubd80\uc5ec\ud558\uae30 \uc704\ud574\uc11c RoleBinding \uc124\uc815\uc744 \uc544\ub798\uc640 \uac19\uc774 \uc815\uc758\ud558\uc790. \uc544\ub798 Role-Binding\uc740 read-pods\ub77c\ub294 \uc774\ub984\uc73c\ub85c jane\uc774\ub77c\ub294 user\uc5d0\uc11c Role\uc744 \uc5f0\uacb0\ud558\uc600\uace0, \uc55e\uc5d0\uc11c \uc815\uc758\ud55c pod-reader\ub97c \uc5f0\uacb0\ud558\ub3c4\ub85d \uc815\uc758\ud558\uc600\ub2e4.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 
2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"kind: RoleBinding\napiVersion: rbac.authorization.k8s.io\/v1\nmetadata:\n  name: read-pods\n  namespace: default\nsubjects:\n- kind: User\n  name: jane\n  apiGroup: rbac.authorization.k8s.io\nroleRef:\n  kind: Role\n  name: pod-reader\n  apiGroup: rbac.authorization.k8s.io\" style=\"color:#d8dee9ff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #8FBCBB\">kind<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">RoleBinding<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#8FBCBB\">apiVersion<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rbac.authorization.k8s.io\/v1<\/span><\/span>\n<span class=\"line\"><span style=\"color: #8FBCBB\">metadata<\/span><span style=\"color: #ECEFF4\">:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #8FBCBB\">name<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">read-pods<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #8FBCBB\">namespace<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">default<\/span><\/span>\n<span class=\"line\"><span style=\"color: #8FBCBB\">subjects<\/span><span style=\"color: #ECEFF4\">:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #ECEFF4\">-<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #8FBCBB\">kind<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">User<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #8FBCBB\">name<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">jane<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #8FBCBB\">apiGroup<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rbac.authorization.k8s.io<\/span><\/span>\n<span class=\"line\"><span style=\"color: #8FBCBB\">roleRef<\/span><span style=\"color: #ECEFF4\">:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #8FBCBB\">kind<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: 
#D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">Role<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #8FBCBB\">name<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">pod-reader<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #8FBCBB\">apiGroup<\/span><span style=\"color: #ECEFF4\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rbac.authorization.k8s.io<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"584\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-403-1024x584.png\" alt=\"\" class=\"wp-image-1404\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-403-1024x584.png 1024w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-403-300x171.png 300w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-403-768x438.png 768w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-403.png 1230w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><a href=\"https:\/\/bcho.tistory.com\/1272\">tistory by \uc870\ub300\ud611<\/a><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"RBAC_%EA%B4%80%EB%A0%A8_%ED%94%8C%EB%9F%AC%EA%B7%B8%EC%9D%B8_%EB%B0%8F_%ED%99%95%EC%9D%B8_%EB%B0%A9%EB%B2%95\"><\/span>RBAC \uad00\ub828 \ud50c\ub7ec\uadf8\uc778 \ubc0f \ud655\uc778 \ubc29\ubc95<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" 
style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"# \uc124\uce58\nkubectl krew install access-matrix rbac-tool rbac-view rolesum whoami\n\n# k8s \uc778\uc99d\ub41c \uc8fc\uccb4 \ud655\uc778\nkubectl whoami\narn:aws:iam::9112...:user\/admin\n\n# Show an RBAC access matrix for server resources\nkubectl access-matrix # Review access to cluster-scoped resources\nkubectl access-matrix --namespace default # Review access to namespaced resources in 'default'\n\n# RBAC Lookup by subject (user\/group\/serviceaccount) name\nkubectl rbac-tool lookup\nkubectl rbac-tool lookup system:masters\n  SUBJECT        | SUBJECT TYPE | SCOPE       | NAMESPACE | ROLE\n+----------------+--------------+-------------+-----------+---------------+\n  system:masters | Group        | ClusterRole |           | cluster-admin\n\nkubectl rbac-tool lookup system:nodes # eks:node-bootstrapper\nkubectl rbac-tool lookup system:bootstrappers # eks:node-bootstrapper\nkubectl describe ClusterRole eks:node-bootstrapper\n\n# RBAC List Policy Rules For subject (user\/group\/serviceaccount) name\nkubectl rbac-tool policy-rules\nkubectl rbac-tool policy-rules -e '^system:.*'\nkubectl rbac-tool policy-rules -e 
'^system:authenticated'\n\n# Generate ClusterRole with all available permissions from the target cluster\nkubectl rbac-tool show\n\n# Shows the subject for the current context with which one authenticates with the cluster\nkubectl rbac-tool whoami\n# Summarize RBAC roles for subjects : ServiceAccount(default), User, Group\nkubectl rolesum -h\nkubectl rolesum aws-node -n kube-system\nkubectl rolesum -k User system:kube-proxy\nkubectl rolesum -k Group system:masters\nkubectl rolesum -k Group system:authenticated\n# [\ud130\ubbf8\ub1101] A tool to visualize your RBAC permissions\nkubectl rbac-view\n## \uc774\ud6c4 \ud574\ub2f9 \uc791\uc5c5\uc6a9PC \uacf5\uc778 IP:8800 \uc6f9 \uc811\uc18d : \ucd5c\ucd08 \uc811\uc18d \ud6c4 \uc815\ubcf4 \uac00\uc838\uc624\ub294\ub370 \ub2e4\uc2dc \uc2dc\uac04 \uac78\ub9bc (2~3\ubd84 \uc815\ub3c4 \ud6c4 \ud654\uba74 \ucd9c\ub825\ub428) \necho -e &quot;RBAC View Web http:\/\/$(curl -s ipinfo.io\/ip):8800&quot;\" style=\"color:#d8dee9ff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #616E88\"># \uc124\uce58<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: 
#A3BE8C\">krew<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">install<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">access-matrix<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rbac-tool<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rbac-view<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rolesum<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">whoami<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># k8s \uc778\uc99d\ub41c \uc8fc\uccb4 \ud655\uc778<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">whoami<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">arn:aws:iam::9112...:user\/admin<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># Show an RBAC access matrix for server resources<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">access-matrix<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #616E88\"># Review access to cluster-scoped resources<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">access-matrix<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--namespace<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">default<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #616E88\"># Review access to namespaced resources in &#39;default&#39;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: 
#616E88\"># RBAC Lookup by subject (user\/group\/serviceaccount) name<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rbac-tool<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">lookup<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rbac-tool<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">lookup<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">system:masters<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #88C0D0\">SUBJECT<\/span><span style=\"color: #D8DEE9FF\">        <\/span><span style=\"color: #81A1C1\">|<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">SUBJECT<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">TYPE<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">|<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">SCOPE<\/span><span style=\"color: #D8DEE9FF\">       <\/span><span style=\"color: #81A1C1\">|<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">NAMESPACE<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">|<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">ROLE<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">+----------------+--------------+-------------+-----------+---------------+<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #88C0D0\">system:masters<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">|<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: 
#88C0D0\">Group<\/span><span style=\"color: #D8DEE9FF\">        <\/span><span style=\"color: #81A1C1\">|<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">ClusterRole<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">|<\/span><span style=\"color: #D8DEE9FF\">           <\/span><span style=\"color: #81A1C1\">|<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">cluster-admin<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rbac-tool<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">lookup<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">system:nodes<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #616E88\"># eks:node-bootstrapper<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rbac-tool<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">lookup<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">system:bootstrappers<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #616E88\"># eks:node-bootstrapper<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">describe<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">ClusterRole<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">eks:node-bootstrapper<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># RBAC List Policy Rules For subject (user\/group\/serviceaccount) name<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rbac-tool<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">policy-rules<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rbac-tool<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">policy-rules<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-e<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">^system:.*<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rbac-tool<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">policy-rules<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-e<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">^system:authenticated<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># Generate ClusterRole with all available permissions from the target cluster<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rbac-tool<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">show<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># Shows the subject for the current context with which one authenticates with the cluster<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> 
<\/span><span style=\"color: #A3BE8C\">rbac-tool<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">whoami<\/span><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># Summarize RBAC roles for subjects : ServiceAccount(default), User, Group<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rolesum<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-h<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rolesum<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">aws-node<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-n<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">kube-system<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rolesum<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-k<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">User<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">system:kube-proxy<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rolesum<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-k<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">Group<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">system:masters<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rolesum<\/span><span 
style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-k<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">Group<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">system:authenticated<\/span><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># [\ud130\ubbf8\ub1101] A tool to visualize your RBAC permissions<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rbac-view<\/span><\/span>\n<span class=\"line\"><span style=\"color: #616E88\">## \uc774\ud6c4 \ud574\ub2f9 \uc791\uc5c5\uc6a9PC \uacf5\uc778 IP:8800 \uc6f9 \uc811\uc18d : \ucd5c\ucd08 \uc811\uc18d \ud6c4 \uc815\ubcf4 \uac00\uc838\uc624\ub294\ub370 \ub2e4\uc2dc \uc2dc\uac04 \uac78\ub9bc (2~3\ubd84 \uc815\ub3c4 \ud6c4 \ud654\uba74 \ucd9c\ub825\ub428) <\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">echo<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-e<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">RBAC View Web http:\/\/<\/span><span style=\"color: #ECEFF4\">$(<\/span><span style=\"color: #88C0D0\">curl<\/span><span style=\"color: #A3BE8C\"> -s ipinfo.io\/ip<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #A3BE8C\">:8800<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"724\" height=\"1024\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-405-724x1024.png\" alt=\"\" class=\"wp-image-1406\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-405-724x1024.png 724w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-405-212x300.png 212w, 
https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-405-768x1086.png 768w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-405-1086x1536.png 1086w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-405-1448x2048.png 1448w\" sizes=\"(max-width: 724px) 100vw, 724px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"STSSecurity_Token_Service_%EC%9E%84%EC%8B%9C_%EB%B3%B4%EC%95%88_%EC%9E%90%EA%B2%A9_%EC%A6%9D%EB%AA%85_%EC%83%9D%EC%84%B1\"><\/span>STS(Security Token Service) \uc784\uc2dc \ubcf4\uc548 \uc790\uaca9 \uc99d\uba85 \uc0dd\uc131<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"# testuser \uc0ac\uc6a9\uc790 \uc0dd\uc131\naws iam create-user --user-name testuser\n\n# \uc0ac\uc6a9\uc790\uc5d0\uac8c \ud504\ub85c\uadf8\ub798\ubc0d \ubc29\uc2dd \uc561\uc138\uc2a4 \uad8c\ud55c \ubd80\uc5ec\naws iam create-access-key --user-name testuser\n# testuser \uc0ac\uc6a9\uc790\uc5d0 \uc815\ucc45\uc744 \ucd94\uac00\naws iam attach-user-policy 
--policy-arn arn:aws:iam::aws:policy\/AdministratorAccess --user-name testuser\n\n# get-caller-identity \ud655\uc778\naws sts get-caller-identity --query Arn\n# eksctl \uc0ac\uc6a9 &gt;&gt; iamidentitymapping \uc2e4\ud589 \uc2dc aws-auth \ucee8\ud53c\uadf8\ub9f5 \uc791\uc131\ud574\uc90c\n# Creates a mapping from IAM role or user to Kubernetes user and groups\neksctl get iamidentitymapping --cluster $CLUSTER_NAME\neksctl create iamidentitymapping --cluster $CLUSTER_NAME --username testuser --group system:masters --arn arn:aws:iam::$ACCOUNT_ID:user\/testuser\" style=\"color:#d8dee9ff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #616E88\"># testuser \uc0ac\uc6a9\uc790 \uc0dd\uc131<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">aws<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">iam<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">create-user<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--user-name<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">testuser<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: 
#616E88\"># \uc0ac\uc6a9\uc790\uc5d0\uac8c \ud504\ub85c\uadf8\ub798\ubc0d \ubc29\uc2dd \uc561\uc138\uc2a4 \uad8c\ud55c \ubd80\uc5ec<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">aws<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">iam<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">create-access-key<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--user-name<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">testuser<\/span><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># testuser \uc0ac\uc6a9\uc790\uc5d0 \uc815\ucc45\uc744 \ucd94\uac00<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">aws<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">iam<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">attach-user-policy<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--policy-arn<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">arn:aws:iam::aws:policy\/AdministratorAccess<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--user-name<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">testuser<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># get-caller-identity \ud655\uc778<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">aws<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">sts<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">get-caller-identity<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--query<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">Arn<\/span><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># 
eksctl \uc0ac\uc6a9 &gt;&gt; iamidentitymapping \uc2e4\ud589 \uc2dc aws-auth \ucee8\ud53c\uadf8\ub9f5 \uc791\uc131\ud574\uc90c<\/span><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># Creates a mapping from IAM role or user to Kubernetes user and groups<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">eksctl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">get<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">iamidentitymapping<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--cluster<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">$CLUSTER_NAME<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">eksctl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">create<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">iamidentitymapping<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--cluster<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">$CLUSTER_NAME<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--username<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">testuser<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--group<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">system:masters<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--arn<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">arn:aws:iam::<\/span><span style=\"color: #D8DEE9\">$ACCOUNT_ID<\/span><span style=\"color: #A3BE8C\">:user\/testuser<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" 
id=\"EC2_Instance_ProfileIAM_Role%EC%97%90_%EB%A7%B5%ED%95%91%EB%90%9C_k8s_rbac_%ED%99%95%EC%9D%B8\"><\/span>EC2 Instance Profile(IAM Role)\uc5d0 \ub9f5\ud551\ub41c k8s rbac \ud655\uc778<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"368\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-411-1024x368.png\" alt=\"\" class=\"wp-image-1412\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-411-1024x368.png 1024w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-411-300x108.png 300w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-411-768x276.png 768w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-411-1536x551.png 1536w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-411.png 2000w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"# awscli \ud30c\ub4dc \uc0dd\uc131\ncat 
&lt;&lt;EOF | kubectl create -f -\napiVersion: apps\/v1\nkind: Deployment\nmetadata:\n  name: awscli-pod\nspec:\n  replicas: 2\n  selector:\n    matchLabels:\n      app: awscli-pod\n  template:\n    metadata:\n      labels:\n        app: awscli-pod\n    spec:\n      containers:\n      - name: awscli-pod\n        image: amazon\/aws-cli\n        command: [&quot;tail&quot;]\n        args: [&quot;-f&quot;, &quot;\/dev\/null&quot;]\n      terminationGracePeriodSeconds: 0\nEOF\n\n# \ud30c\ub4dc \uc0dd\uc131 \ud655\uc778\nkubectl get pod -owide\n\n# \ud30c\ub4dc \uc774\ub984 \ubcc0\uc218 \uc9c0\uc815\nAPODNAME1=$(kubectl get pod -l app=awscli-pod -o jsonpath={.items[0].metadata.name})\nAPODNAME2=$(kubectl get pod -l app=awscli-pod -o jsonpath={.items[1].metadata.name})\necho $APODNAME1, $APODNAME2\n\n# awscli \ud30c\ub4dc\uc5d0\uc11c EC2 InstanceProfile(IAM Role)\uc758 ARN \uc815\ubcf4 \ud655\uc778\nkubectl exec -it $APODNAME1 -- aws sts get-caller-identity --query Arn\nkubectl exec -it $APODNAME2 -- aws sts get-caller-identity --query Arn\n\n# awscli \ud30c\ub4dc\uc5d0\uc11c EC2 InstanceProfile(IAM Role)\uc744 \uc0ac\uc6a9\ud558\uc5ec AWS \uc11c\ube44\uc2a4 \uc815\ubcf4 \ud655\uc778 &gt;&gt; \ubcc4\ub3c4 IAM \uc790\uaca9 \uc99d\uba85\uc774 \uc5c6\ub294\ub370 \uc5b4\ub5bb\uac8c \uac00\ub2a5\ud55c \uac83\uc77c\uae4c\uc694?\n# &gt; \ucd5c\uc18c\uad8c\ud55c\ubd80\uc5ec \ud544\uc694!!! 
&gt;&gt;&gt; \ubcf4\uc548\uc774 \ud5c8\uc220\ud55c \uc544\ubb34 \ucee8\ud14c\uc774\ub108\ub098 \ud0c8\ucde8 \uc2dc, IMDS\ub85c \ud574\ub2f9 \ub178\ub4dc\uc758 IAM Role \uc0ac\uc6a9 \uac00\ub2a5!\nkubectl exec -it $APODNAME1 -- aws ec2 describe-instances --region ap-northeast-2 --output table --no-cli-pager\nkubectl exec -it $APODNAME2 -- aws ec2 describe-vpcs --region ap-northeast-2 --output table --no-cli-pager\n \n# EC2 \uba54\ud0c0\ub370\uc774\ud130 \ud655\uc778 : IMDSv1\uc740 Disable, IMDSv2 \ud65c\uc131\ud654 \uc0c1\ud0dc, IAM Role - \ub9c1\ud06c\nkubectl exec -it $APODNAME1 -- bash\n-----------------------------------\n#\uc544\ub798\ubd80\ud130\ub294 \ud30c\ub4dc\uc5d0 bash shell \uc5d0\uc11c \uc2e4\ud589\ncurl -s http:\/\/169.254.169.254\/ -v\n# Token \uc694\uccad \ncurl -s -X PUT &quot;http:\/\/169.254.169.254\/latest\/api\/token&quot; -H &quot;X-aws-ec2-metadata-token-ttl-seconds: 21600&quot; ; echo\ncurl -s -X PUT &quot;http:\/\/169.254.169.254\/latest\/api\/token&quot; -H &quot;X-aws-ec2-metadata-token-ttl-seconds: 21600&quot; ; echo\n\n# Token\uc744 \uc774\uc6a9\ud55c IMDSv2 \uc0ac\uc6a9\nTOKEN=$(curl -s -X PUT &quot;http:\/\/169.254.169.254\/latest\/api\/token&quot; -H &quot;X-aws-ec2-metadata-token-ttl-seconds: 21600&quot;)\necho $TOKEN\ncurl -s -H &quot;X-aws-ec2-metadata-token: $TOKEN&quot; -v http:\/\/169.254.169.254\/ ; echo\ncurl -s -H &quot;X-aws-ec2-metadata-token: $TOKEN&quot; -v http:\/\/169.254.169.254\/latest\/ ; echo\ncurl -s -H &quot;X-aws-ec2-metadata-token: $TOKEN&quot; -v http:\/\/169.254.169.254\/latest\/meta-data\/iam\/security-credentials\/ ; echo\n\n# \uc704\uc5d0\uc11c \ucd9c\ub825\ub41c IAM Role\uc744 \uc544\ub798 \uc785\ub825 \ud6c4 \ud655\uc778\ncurl -s -H &quot;X-aws-ec2-metadata-token: $TOKEN&quot; -v http:\/\/169.254.169.254\/latest\/meta-data\/iam\/security-credentials\/eksctl-myeks-nodegroup-ng1-NodeInstanceRole-1DC6Y2GRDAJHK\n## \ucd9c\ub825\ub41c \uc815\ubcf4\ub294 AWS API\ub97c \uc0ac\uc6a9\ud560 
\uc218 \uc788\ub294 \uc5b4\ub290\uacf3\uc5d0\uc11c\ub4e0\uc9c0 Expiration \ub418\uae30\uc804\uae4c\uc9c0 \uc0ac\uc6a9 \uac00\ub2a5\n\n# \ud30c\ub4dc\uc5d0\uc11c \ub098\uc624\uae30\nexit\n---\" style=\"color:#d8dee9ff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #616E88\"># awscli \ud30c\ub4dc \uc0dd\uc131<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">cat<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">&lt;&lt;<\/span><span style=\"color: #ECEFF4\">EOF<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">|<\/span><span style=\"color: #D8DEE9FF\"> kubectl create -f -<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">apiVersion: apps\/v1<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">kind: Deployment<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">metadata:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">  name: awscli-pod<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">spec:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">  replicas: 2<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#A3BE8C\">  selector:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">    matchLabels:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">      app: awscli-pod<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">  template:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">    metadata:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">      labels:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">        app: awscli-pod<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">    spec:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">      containers:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">      - name: awscli-pod<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">        image: amazon\/aws-cli<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">        command: [&quot;tail&quot;]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">        args: [&quot;-f&quot;, &quot;\/dev\/null&quot;]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">      terminationGracePeriodSeconds: 0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #ECEFF4\">EOF<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># \ud30c\ub4dc \uc0dd\uc131 \ud655\uc778<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">get<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">pod<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-owide<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># \ud30c\ub4dc \uc774\ub984 \ubcc0\uc218 \uc9c0\uc815<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#D8DEE9\">APODNAME1<\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #ECEFF4\">$(<\/span><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #A3BE8C\"> get pod -l app=awscli-pod -o jsonpath={.items[<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #A3BE8C\">].metadata.name}<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9\">APODNAME2<\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #ECEFF4\">$(<\/span><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #A3BE8C\"> get pod -l app=awscli-pod -o jsonpath={.items[<\/span><span style=\"color: #B48EAD\">1<\/span><span style=\"color: #A3BE8C\">].metadata.name}<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">echo<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">$APODNAME1<\/span><span style=\"color: #A3BE8C\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">$APODNAME2<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># awscli \ud30c\ub4dc\uc5d0\uc11c EC2 InstanceProfile(IAM Role)\uc758 ARN \uc815\ubcf4 \ud655\uc778<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">exec<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-it<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">$APODNAME1<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">aws<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">sts<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">get-caller-identity<\/span><span 
style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--query<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">Arn<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">exec<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-it<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">$APODNAME2<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">aws<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">sts<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">get-caller-identity<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--query<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">Arn<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># awscli \ud30c\ub4dc\uc5d0\uc11c EC2 InstanceProfile(IAM Role)\uc744 \uc0ac\uc6a9\ud558\uc5ec AWS \uc11c\ube44\uc2a4 \uc815\ubcf4 \ud655\uc778 &gt;&gt; \ubcc4\ub3c4 IAM \uc790\uaca9 \uc99d\uba85\uc774 \uc5c6\ub294\ub370 \uc5b4\ub5bb\uac8c \uac00\ub2a5\ud55c \uac83\uc77c\uae4c\uc694?<\/span><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># &gt; \ucd5c\uc18c\uad8c\ud55c\ubd80\uc5ec \ud544\uc694!!! 
&gt;&gt;&gt; \ubcf4\uc548\uc774 \ud5c8\uc220\ud55c \uc544\ubb34 \ucee8\ud14c\uc774\ub108\ub098 \ud0c8\ucde8 \uc2dc, IMDS\ub85c \ud574\ub2f9 \ub178\ub4dc\uc758 IAM Role \uc0ac\uc6a9 \uac00\ub2a5!<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">exec<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-it<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">$APODNAME1<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">aws<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">ec2<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">describe-instances<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--region<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">ap-northeast-2<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--output<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">table<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--no-cli-pager<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">exec<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-it<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">$APODNAME2<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">aws<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">ec2<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: 
#A3BE8C\">describe-vpcs<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--region<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">ap-northeast-2<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--output<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">table<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--no-cli-pager<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># EC2 \uba54\ud0c0\ub370\uc774\ud130 \ud655\uc778 : IMDSv1\uc740 Disable, IMDSv2 \ud65c\uc131\ud654 \uc0c1\ud0dc, IAM Role - \ub9c1\ud06c<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">exec<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-it<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">$APODNAME1<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">bash<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">-----------------------------------<\/span><\/span>\n<span class=\"line\"><span style=\"color: #616E88\">#\uc544\ub798\ubd80\ud130\ub294 \ud30c\ub4dc\uc5d0 bash shell \uc5d0\uc11c \uc2e4\ud589<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">curl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-s<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">http:\/\/169.254.169.254\/<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-v<\/span><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># Token \uc694\uccad <\/span><\/span>\n<span
class=\"line\"><span style=\"color: #88C0D0\">curl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-s<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-X<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">PUT<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">http:\/\/169.254.169.254\/latest\/api\/token<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-H<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">X-aws-ec2-metadata-token-ttl-seconds: 21600<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">echo<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">curl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-s<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-X<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">PUT<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">http:\/\/169.254.169.254\/latest\/api\/token<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-H<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">X-aws-ec2-metadata-token-ttl-seconds: 21600<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: 
#88C0D0\">echo<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># Token\uc744 \uc774\uc6a9\ud55c IMDSv2 \uc0ac\uc6a9<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9\">TOKEN<\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #ECEFF4\">$(<\/span><span style=\"color: #88C0D0\">curl<\/span><span style=\"color: #A3BE8C\"> -s -X PUT <\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">http:\/\/169.254.169.254\/latest\/api\/token<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\"> -H <\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">X-aws-ec2-metadata-token-ttl-seconds: 21600<\/span><span style=\"color: #ECEFF4\">&quot;)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">echo<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">$TOKEN<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">curl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-s<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-H<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">X-aws-ec2-metadata-token: <\/span><span style=\"color: #D8DEE9\">$TOKEN<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-v<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">http:\/\/169.254.169.254\/<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">echo<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">curl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-s<\/span><span style=\"color:
#D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-H<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">X-aws-ec2-metadata-token: <\/span><span style=\"color: #D8DEE9\">$TOKEN<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-v<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">http:\/\/169.254.169.254\/latest\/<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">echo<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">curl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-s<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-H<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">X-aws-ec2-metadata-token: <\/span><span style=\"color: #D8DEE9\">$TOKEN<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-v<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">http:\/\/169.254.169.254\/latest\/meta-data\/iam\/security-credentials\/<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">echo<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># \uc704\uc5d0\uc11c \ucd9c\ub825\ub41c IAM Role\uc744 \uc544\ub798 \uc785\ub825 \ud6c4 \ud655\uc778<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">curl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-s<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color:
#A3BE8C\">-H<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">X-aws-ec2-metadata-token: <\/span><span style=\"color: #D8DEE9\">$TOKEN<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-v<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">http:\/\/169.254.169.254\/latest\/meta-data\/iam\/security-credentials\/eksctl-myeks-nodegroup-ng1-NodeInstanceRole-1DC6Y2GRDAJHK<\/span><\/span>\n<span class=\"line\"><span style=\"color: #616E88\">## \ucd9c\ub825\ub41c \uc815\ubcf4\ub294 AWS API\ub97c \uc0ac\uc6a9\ud560 \uc218 \uc788\ub294 \uc5b4\ub290\uacf3\uc5d0\uc11c\ub4e0\uc9c0 Expiration \ub418\uae30\uc804\uae4c\uc9c0 \uc0ac\uc6a9 \uac00\ub2a5<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># \ud30c\ub4dc\uc5d0\uc11c \ub098\uc624\uae30<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">exit<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">---<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"162\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-413-1024x162.png\" alt=\"\" class=\"wp-image-1414\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-413-1024x162.png 1024w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-413-300x48.png 300w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-413-768x122.png 768w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-413-1536x243.png 1536w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-413.png 1830w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\"><span class=\"ez-toc-section\"
id=\"EKS_IMDS_IRSA_Pod_Identity\"><\/span>EKS IMDS &amp; IRSA &amp; Pod Identity<span class=\"ez-toc-section-end\"><\/span><\/h1>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IMDSInstances_Meta_Data_Service\"><\/span>IMDS(Instance Metadata Service)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-3\">\n<div class=\"wp-block-column is-layout-flow\" style=\"flex-basis:66.66%\">\n<ul>\n<li>\uc778\uc2a4\ud134\uc2a4\uc5d0 \ub300\ud55c \ub370\uc774\ud130\ub97c \ubcf4\uc720\ud55c \uc11c\ube44\uc2a4\n<ul>\n<li>\uc778\uc2a4\ud134\uc2a4\uc5d0 \uc0ac\uc6a9\ub41c AMI ID (\/latest\/meta-data\/ami-id)<\/li>\n\n\n\n<li>\uc778\uc2a4\ud134\uc2a4 \ud504\ub85c\ud30c\uc77c\uc5d0 \ub300\ud55c \uc815\ubcf4 (\/latest\/meta-data\/iam\/info)<\/li>\n\n\n\n<li>\uc778\uc2a4\ud134\uc2a4 \uc790\uaca9 \uc99d\uba85 \ubb38\uc11c (\/latest\/dynamic\/instance-identity\/document, pkcs7, signature)<\/li>\n\n\n\n<li>Vault \ub97c \ud1b5\ud55c EC2 \uc778\uc99d \ub4f1\uc5d0 \uc0ac\uc6a9<\/li>\n\n\n\n<li>Systems Manager \uae30\ubcf8 \ud638\uc2a4\ud2b8 \uad00\ub9ac \uad6c\uc131, GuardDuty \ub7f0\ud0c0\uc784 \ubaa8\ub2c8\ud130\ub9c1 \ub4f1 \uc0ac\uc6a9\uc744 \uc704\ud55c \uc778\uc2a4\ud134\uc2a4 \uc790\uccb4 \uc790\uaca9 \uc99d\uba85 (\uad8c\ud55c \uc5c6\uc74c) (latest\/meta-data\/identity-credentials\/ec2\/security-credentials\/ec2-instance)<\/li>\n\n\n\n<li>\uc778\uc2a4\ud134\uc2a4 \ud504\ub85c\ud30c\uc77c\uc758 \uc784\uc2dc \uc790\uaca9 \uc99d\uba85 (latest\/meta-data\/iam\/security-credentials\/role-name)<\/li>\n\n\n\n<li>Userdata (\/latest\/user-data)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow\" style=\"flex-basis:33.33%\">\n<p><strong>\ub3d9\uc791\ubc29\uc2dd<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"495\" height=\"401\"
src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-416.png\" alt=\"\" class=\"wp-image-1417\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-416.png 495w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-416-300x243.png 300w\" sizes=\"(max-width: 495px) 100vw, 495px\" \/><\/figure>\n<\/div>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IMDSv1\"><\/span>IMDSv1<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-6\">\n<div class=\"wp-block-column is-layout-flow\" style=\"flex-basis:66.66%\">\n<ol>\n<li>IMDSv1 \uc744 \uc0ac\uc6a9\ud55c\ub2e4\ub294 \uac83\uc774 IMDSv2 \ub97c \uc0ac\uc6a9\ud558\uc9c0 \ubabb\ud558\ub294 \uac83\uc740 \uc544\ub2d8<br>a. \uba54\ud0c0\ub370\uc774\ud130 \uc0ac\uc6a9 (http-endpoint: enabled) \uc124\uc815 \uc2dc, IMDS \ubc84\uc804 \uc120\ud0dd\uc740 \uc120\ud0dd\uc801\uc784 (http-tokens: optional)<br>b. \uae30\ubcf8\uc801\uc73c\ub85c IMDSv1, IMDSv2 \ubaa8\ub450 \uc0ac\uc6a9 \uac00\ub2a5 \uc0c1\ud0dc<\/li>\n\n\n\n<li>\ub2e4\ub9cc, 2022\ub144 10\uc6d4 \ubd80\ud130 \uc778\uc2a4\ud134\uc2a4 \uc2e4\ud589 \uc2dc IMDSv2 \uac00 \uae30\ubcf8\uc73c\ub85c \uc124\uc815\ub428<br>a. 
http-tokens: required<\/li>\n\n\n\n<li>HTTP GET \uba54\uc18c\ub4dc\ub97c \ud1b5\ud55c \u201c\uc694\uccad\/\uc751\ub2f5\u201d \ubc29\uc2dd\uc73c\ub85c, \ubcc4\ub3c4\uc758 \ud1a0\ud070 \ubc1c\uae09 \ud544\uc694\uc5c6\uc774<br>\uc694\uccad\ub9cc \ud560 \uc218 \uc788\ub2e4\uba74 \uc784\uc2dc\uc790\uaca9\uc99d\uba85\uc744 \ud68d\ub4dd \uac00\ub2a5<\/li>\n<\/ol>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow\" style=\"flex-basis:33.33%\">\n<p><strong>\ub3d9\uc791\ubc29\uc2dd<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"641\" height=\"391\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-417.png\" alt=\"\" class=\"wp-image-1418\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-417.png 641w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-417-300x183.png 300w\" sizes=\"(max-width: 641px) 100vw, 641px\" \/><\/figure>\n<\/div>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IMDSv2\"><\/span>IMDSv2<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-9\">\n<div class=\"wp-block-column is-layout-flow\" style=\"flex-basis:66.66%\">\n<ol>\n<li>IMDSv2 \uc0ac\uc6a9\uc744 \uac15\uc81c\ud558\uac8c \ub418\uba74, IMDSv1 \ubc29\uc2dd\uc73c\ub85c \uc694\uccad\uc774 \ubd88\uac00<br>a. IMDS \ubc84\uc804 \uc120\ud0dd \uac15\uc81c (http-tokens: required)<\/li>\n\n\n\n<li>HTTP PUT \uba54\uc18c\ub4dc\ub97c \ud1b5\ud574 \uc138\uc158\ud1a0\ud070\uc744 \ubc1b\uace0, \ud574\ub2f9 \uc138\uc158\ud1a0\ud070\uc744 GET \uba54\uc18c\ub4dc\uc758<br>\ud5e4\ub354\uc5d0 \ucd94\uac00\ud558\uc5ec \uc784\uc2dc\uc790\uaca9\uc99d\uba85\uc744 \ud68d\ub4dd \uac00\ub2a5<br>a. 
IMDSv1 \uacfc \ub2ec\ub9ac \u201c\uc138\uc158 \uc9c0\ud5a5&#8221; \ubc29\uc2dd\uc774\ub77c\uace0 \ud568<\/li>\n\n\n\n<li>\uc774\uc678\uc5d0\ub3c4 \ub2e4\uc591\ud55c \ubcf4\uc548\uc801 \uc774\uc810\uc744 \ub204\ub9b4 \uc218 \uc788\uc74c<br>a. GET \uba54\uc18c\ub4dc\ub97c \ud1b5\ud55c SSRF (Server Side Request Forgery) \ubc29\uc9c0 (\uc138\uc158\ud1a0\ud070\uc774 \uc788\uc5b4\uc57c \ud558\ub2c8\uae4c)<br>b. X-Forwarded-For \ud5e4\ub354 \ud3ec\ud568\ub41c \uc694\uccad\uc5d0 \ub300\ud55c \uc138\uc158\ud1a0\ud070 \ubbf8\ubc1c\uae09<br>c. \ub2e4\ub9cc, \ud30c\ub4dc\uc5d0\uc11c \uc138\uc158\ud1a0\ud070 \ubc1c\uae09\uc774 \uac00\ub2a5\ud558\uba74 \ub178\ub4dc\uc758 IAM Role \uc0ac\uc6a9 \uac00\ub2a5 (http-put-response-hop-limit: 1 \uc124\uc815 \ub610\ub294 IRSA\/Pod Identity \ub85c \ucd5c\uc18c\uad8c\ud55c\ubd80\uc5ec \ud544\uc694)<\/li>\n<\/ol>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow\" style=\"flex-basis:33.33%\">\n<p><strong>\ub3d9\uc791 \ubc29\uc2dd<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"929\" height=\"313\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-418.png\" alt=\"\" class=\"wp-image-1419\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-418.png 929w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-418-300x101.png 300w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-418-768x259.png 768w\" sizes=\"(max-width: 929px) 100vw, 929px\" \/><\/figure>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IRSAIAM_Roles_for_Service_Accounts\"><\/span>IRSA(IAM Roles for Service Accounts)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul>\n<li>Pod \ub0b4\ubd80 \uc5b4\ud50c\ub9ac\ucf00\uc774\uc158 \ucee8\ud14c\uc774\ub108\uac00 \uc5ed\ud560\uc744 \uc0ac\uc6a9\ud560 \uc218 \uc788\uac8c \ud574\uc8fc\ub294 \uae30\ub2a5<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-12\">\n<div class=\"wp-block-column is-layout-flow\">\n<p><strong>IRSA\uac00 \uc5c6\uc5c8\uc744\ub54c<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"548\" height=\"394\"
src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-419.png\" alt=\"\" class=\"wp-image-1420\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-419.png 548w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-419-300x216.png 300w\" sizes=\"(max-width: 548px) 100vw, 548px\" \/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow\">\n<p><strong>IRSA \uc801\uc6a9 \uc774\ud6c4<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"403\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-423.png\" alt=\"\" class=\"wp-image-1424\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-423.png 800w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-423-300x151.png 300w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-423-768x387.png 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n<\/div>\n<\/div>\n\n\n\n<p><strong>\ub3d9\uc791\ubc29\uc2dd<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"881\" height=\"495\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-425.png\" alt=\"\" class=\"wp-image-1426\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-425.png 881w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-425-300x169.png 300w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-425-768x432.png 768w\" sizes=\"(max-width: 881px) 100vw, 881px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"EKS_Pod_Identity\"><\/span>EKS Pod Identity<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul>\n<li>IRSA\uc640 \ub2ec\ub9ac \uc678\ubd80 \ub2e8\uc77c \uc9c0\uc810\uc5d0\uc11c Pod\uc774 \uc5ed\ud560\uc744 \uc0ac\uc6a9\ud560 \uc218 \uc788\ub3c4\ub85d \ud558\ub294 
\uae30\ub2a5<\/li>\n\n\n\n<li>\uae30\uc874\uc5d0 ECS\uc5d0\uc11c \uc0ac\uc6a9\ud558\ub358 \ubc29\uc2dd\uc744 \ub3c4\uc785<\/li>\n\n\n\n<li>Kubernetes 1.24 \ubc84\uc804 \uc774\uc0c1\uc744 \uc0ac\uc6a9<\/li>\n<\/ul>\n\n\n\n<p><strong>\ub3d9\uc791\ubc29\uc2dd<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"552\" height=\"472\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-430.png\" alt=\"\" class=\"wp-image-1431\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-430.png 552w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-430-300x257.png 300w\" sizes=\"(max-width: 552px) 100vw, 552px\" \/><\/figure>\n\n\n\n<ol>\n<li><strong>\ub9c1\ud06c \ub85c\uceec \uc8fc\uc18c\uc640 EC2\uc758 IMDS\uc758 \uc720\uc0ac\uc131<\/strong>:\n<ul>\n<li>\ub9c1\ud06c \ub85c\uceec \uc8fc\uc18c\ub294 EC2\uc758 \uc778\uc2a4\ud134\uc2a4 \uba54\ud0c0\ub370\uc774\ud130 \uc11c\ube44\uc2a4 (Instance Metadata Service, IMDS)\uc640 \uc720\uc0ac\ud55c \uc5ed\ud560\uc744 \ud569\ub2c8\ub2e4. IMDS\ub294 EC2 \uc778\uc2a4\ud134\uc2a4\uc5d0\uc11c \uc2e4\ud589\ub418\ub294 \uba54\ud0c0\ub370\uc774\ud130\uc5d0 \uc561\uc138\uc2a4\ud560 \uc218 \uc788\ub294 \uc5d4\ub4dc\ud3ec\uc778\ud2b8\uc785\ub2c8\ub2e4. 
\ub9c1\ud06c \ub85c\uceec \uc8fc\uc18c\ub3c4 \ub85c\uceec \ub124\ud2b8\uc6cc\ud06c \uc778\ud130\ud398\uc774\uc2a4\ub97c \ud1b5\ud574 \uc778\uc2a4\ud134\uc2a4\uc758 \uba54\ud0c0\ub370\uc774\ud130\uc5d0 \uc811\uadfc\ud560 \uc218 \uc788\ub294 \uc5ed\ud560\uc744 \ud569\ub2c8\ub2e4.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>\uc5b4\ub5a4 \ubc29\uc2dd\uc73c\ub85c \uc811\uadfc\ub418\ub294\uc9c0<\/strong>:\n<ul>\n<li>\uc774 \ub9c1\ud06c \ub85c\uceec \uc8fc\uc18c\ub294 \ubaa8\ub4e0 EC2 \uc778\uc2a4\ud134\uc2a4\uc5d0\uc11c \uc624\ud508\ub418\uc5b4 \uc788\ub294 \uac83\uc774 \uc544\ub2c8\uba70, Capabilities\uc640 \ub124\ud2b8\uc6cc\ud06c \uc778\ud130\ud398\uc774\uc2a4\uc758 \uc870\ud569\uc73c\ub85c \uc81c\ud55c\ub429\ub2c8\ub2e4. \uc989, \ud2b9\uc815 Capabilities\uc640 \ub124\ud2b8\uc6cc\ud06c \uc778\ud130\ud398\uc774\uc2a4\uc5d0\ub9cc \ud574\ub2f9 \uc8fc\uc18c\uac00 \uc624\ud508\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4.<\/li>\n\n\n\n<li>\uc608\ub97c \ub4e4\uc5b4, 80 \ud3ec\ud2b8\ub97c \uc5f4\uc5c8\uc744 \ub54c \ud574\ub2f9 \ub124\ud2b8\uc6cc\ud06c \uc778\ud130\ud398\uc774\uc2a4\uc5d0 \ub9c1\ud06c \ub85c\uceec \uc8fc\uc18c\uac00 \ubc14\uc778\ub529\ub429\ub2c8\ub2e4. 
\uc774\ub294 \ud2b9\uc815 \ub124\ud2b8\uc6cc\ud06c \uc778\ud130\ud398\uc774\uc2a4\uc5d0\ub9cc \uc811\uadfc\uc774 \uac00\ub2a5\ud558\uace0, \ubaa8\ub4e0 EC2 \uc778\uc2a4\ud134\uc2a4\uc5d0\uc11c \uc774 \uc8fc\uc18c\uc5d0 \uc811\uadfc\ud560 \uc218 \uc788\ub294 \uac83\uc740 \uc544\ub2d9\ub2c8\ub2e4.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-15\">\n<div class=\"wp-block-column is-layout-flow\" style=\"flex-basis:66.66%\">\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"634\" height=\"170\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-432.png\" alt=\"\" class=\"wp-image-1433\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-432.png 634w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-432-300x80.png 300w\" sizes=\"(max-width: 634px) 100vw, 634px\" \/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow\" style=\"flex-basis:33.33%\">\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"269\" height=\"315\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-431.png\" alt=\"\" class=\"wp-image-1432\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-431.png 269w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-431-256x300.png 256w\" sizes=\"(max-width: 269px) 100vw, 269px\" \/><\/figure>\n<\/div>\n<\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1022\" height=\"1024\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-433-1022x1024.png\" alt=\"\" class=\"wp-image-1434\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-433-1022x1024.png 1022w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-433-300x300.png 300w, 
https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-433-150x150.png 150w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-433-768x770.png 768w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-433-1533x1536.png 1533w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-433-65x65.png 65w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-433.png 1820w\" sizes=\"(max-width: 1022px) 100vw, 1022px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"844\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-435-1024x844.png\" alt=\"\" class=\"wp-image-1436\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-435-1024x844.png 1024w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-435-300x247.png 300w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-435-768x633.png 768w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-435-1536x1266.png 1536w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-435.png 2000w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%EC%8B%A4%EC%8A%B5\"><\/span>\uc2e4\uc2b5<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-437-1024x560.png\" alt=\"\" class=\"wp-image-1438\" width=\"1024\" height=\"560\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-437-1024x560.png 1024w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-437-300x164.png 300w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-437-768x420.png 768w, 
https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-437-1536x839.png 1536w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-437.png 1828w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-18\">\n<div class=\"wp-block-column is-layout-flow\">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"649\" height=\"1024\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-441-649x1024.png\" alt=\"\" class=\"wp-image-1442\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-441-649x1024.png 649w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-441-190x300.png 190w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-441-768x1211.png 768w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-441-974x1536.png 974w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-441.png 1007w\" sizes=\"(max-width: 649px) 100vw, 649px\" \/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow\">\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-442-787x1024.png\" alt=\"\" class=\"wp-image-1443\" width=\"787\" height=\"1024\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-442-787x1024.png 787w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-442-231x300.png 231w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-442-768x1000.png 768w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-442.png 952w\" sizes=\"(max-width: 787px) 100vw, 787px\" \/><\/figure>\n<\/div>\n<\/div>\n\n\n\n<p><strong>\uacb0\uacfc<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"992\" height=\"236\" 
src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-443.png\" alt=\"\" class=\"wp-image-1444\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-443.png 992w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-443-300x71.png 300w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-443-768x183.png 768w\" sizes=\"(max-width: 992px) 100vw, 992px\" \/><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"OWASP_Kubernetes_Top_Ten\"><\/span>OWASP Kubernetes Top Ten<span class=\"ez-toc-section-end\"><\/span><\/h1>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"574\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-447-1024x574.png\" alt=\"\" class=\"wp-image-1448\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-447-1024x574.png 1024w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-447-300x168.png 300w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-447-768x430.png 768w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-447-1536x861.png 1536w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-447.png 1920w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>OWASP\ub294 &#8220;Open Web Application Security Project&#8221;\uc758 \uc57d\uc790\ub85c, \uc6f9 \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \ubcf4\uc548\uc5d0 \ub300\ud55c \uc815\ubcf4\ub97c \uc81c\uacf5\ud558\uace0 \ubcf4\uc548 \ucde8\uc57d\uc810\uc744 \uc2dd\ubcc4\ud558\uace0 \ud574\uacb0\ud558\uae30 \uc704\ud55c \ube44\uc601\ub9ac \ub2e8\uccb4\uc785\ub2c8\ub2e4. 
OWASP\ub294 \uc804 \uc138\uacc4\uc758 \ubcf4\uc548 \uc804\ubb38\uac00\ub4e4\uc774 \ubaa8\uc5ec \uc6f9 \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \ubcf4\uc548\uc744 \uac1c\uc120\ud558\uae30 \uc704\ud574 \ub178\ub825\ud558\uace0 \uc788\ub294 \uacf5\ub3d9\uccb4\uc785\ub2c8\ub2e4. OWASP\ub294 \ub2e4\uc591\ud55c \ubcf4\uc548 \ucde8\uc57d\uc810, \ubcf4\uc548 \ucde8\uc57d\uc810\uc5d0 \ub300\ud55c \ub300\uc751 \ubc29\ubc95, \ubcf4\uc548 \ub3c4\uad6c \ubc0f \uc790\ub8cc \ub4f1\uc744 \uc81c\uacf5\ud558\uc5ec \uac1c\ubc1c\uc790, \ubcf4\uc548 \uc804\ubb38\uac00 \ubc0f \uc870\uc9c1\uc774 \uc6f9 \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \ubcf4\uc548\uc744 \ud5a5\uc0c1\uc2dc\ud0a4\ub3c4\ub85d \ub3d5\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n<p>OWASP\ub294 \uc8fc\ub85c \ub2e4\uc74c\uacfc \uac19\uc740 \ud65c\ub3d9\uc744 \uc218\ud589\ud569\ub2c8\ub2e4:<\/p>\n\n\n\n<ol>\n<li><strong>\ubcf4\uc548 \ucde8\uc57d\uc810 \ubaa9\ub85d<\/strong>: OWASP Top 10\uacfc \uac19\uc740 \ubcf4\uc548 \ucde8\uc57d\uc810 \ubaa9\ub85d\uc744 \uc791\uc131\ud558\uace0 \uc720\uc9c0\ubcf4\uc218\ud569\ub2c8\ub2e4. \uc774 \ubaa9\ub85d\uc740 \uc6f9 \uc560\ud50c\ub9ac\ucf00\uc774\uc158\uc5d0\uc11c \uac00\uc7a5 \uc77c\ubc18\uc801\uc73c\ub85c \ubc1c\uacac\ub418\ub294 \ubcf4\uc548 \ucde8\uc57d\uc810\uc744 \ub098\uc5f4\ud558\uace0 \uc124\uba85\ud558\uc5ec \uac1c\ubc1c\uc790\uc640 \ubcf4\uc548 \uc804\ubb38\uac00\uac00 \uc774\ub97c \uc778\uc9c0\ud558\uace0 \ub300\uc751\ud560 \uc218 \uc788\ub3c4\ub85d \ub3d5\uc2b5\ub2c8\ub2e4.<\/li>\n\n\n\n<li><strong>\ubcf4\uc548 \uac00\uc774\ub4dc<\/strong>: OWASP\ub294 \uc6f9 \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \ubcf4\uc548\uc744 \uc704\ud55c \ub2e4\uc591\ud55c \uac00\uc774\ub4dc\uc640 \uc790\ub8cc\ub97c \uc81c\uacf5\ud569\ub2c8\ub2e4. 
\uc774 \uac00\uc774\ub4dc\uc5d0\ub294 \ubcf4\uc548 \ucde8\uc57d\uc810\uc744 \uc2dd\ubcc4\ud558\uace0 \uc608\ubc29\ud558\ub294 \ubc29\ubc95, \ubcf4\uc548 \ud14c\uc2a4\ud2b8\ub97c \uc218\ud589\ud558\ub294 \ubc29\ubc95, \ubcf4\uc548 \ud504\ub808\uc784\uc6cc\ud06c \ubc0f \ub3c4\uad6c \uc0ac\uc6a9 \ubc29\ubc95 \ub4f1\uc774 \ud3ec\ud568\ub429\ub2c8\ub2e4.<\/li>\n\n\n\n<li><strong>\ubcf4\uc548 \ub3c4\uad6c \ubc0f \ud504\ub85c\uc81d\ud2b8<\/strong>: OWASP\ub294 \ub2e4\uc591\ud55c \ubcf4\uc548 \ub3c4\uad6c\uc640 \ud504\ub85c\uc81d\ud2b8\ub97c \uac1c\ubc1c\ud558\uace0 \uc720\uc9c0\ubcf4\uc218\ud569\ub2c8\ub2e4. \uc774 \ub3c4\uad6c\uc640 \ud504\ub85c\uc81d\ud2b8\ub294 \uc6f9 \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \ubcf4\uc548\uc744 \ud5a5\uc0c1\uc2dc\ud0a4\ub294 \ub370 \ub3c4\uc6c0\uc774 \ub418\uba70, \ucde8\uc57d\uc810 \uc2a4\uce90\ub108, \ubcf4\uc548 \ud5e4\ub354 \uc0dd\uc131\uae30, \ubcf4\uc548 \uad50\uc721 \uc790\ub8cc \ub4f1\uc774 \ud3ec\ud568\ub429\ub2c8\ub2e4.<\/li>\n\n\n\n<li><strong>\uad50\uc721 \ubc0f \ucee8\ud37c\ub7f0\uc2a4<\/strong>: OWASP\ub294 \ubcf4\uc548 \ucee8\ud37c\ub7f0\uc2a4 \ubc0f \uc6cc\ud06c\uc0f5\uc744 \uc8fc\uad00\ud558\uace0 \ubcf4\uc548 \uad50\uc721 \uc790\ub8cc\ub97c \uc81c\uacf5\ud558\uc5ec \uac1c\ubc1c\uc790\uc640 \ubcf4\uc548 \uc804\ubb38\uac00\uac00 \ubcf4\ub2e4 \uc548\uc804\ud55c \uc6f9 \uc560\ud50c\ub9ac\ucf00\uc774\uc158\uc744 \uac1c\ubc1c\ud558\uace0 \uc6b4\uc601\ud560 \uc218 \uc788\ub3c4\ub85d \uc9c0\uc6d0\ud569\ub2c8\ub2e4.<\/li>\n<\/ol>\n\n\n\n<h1 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"kyverno\"><\/span>kyverno<span class=\"ez-toc-section-end\"><\/span><\/h1>\n\n\n\n<p>Kyverno\ub294 Kubernetes\ub97c \uc704\ud574 \ud2b9\ubcc4\ud788 \uc124\uacc4\ub41c \uc815\ucc45 \uc5d4\uc9c4\uc73c\ub85c, CNCF \ud504\ub85c\uc81d\ud2b8\ub85c\uc11c \ud300\uc774 \ud611\uc5c5\ud558\uace0 \uc815\ucc45\uc744 \ucf54\ub4dc\ub85c \uac15\uc81c\ud560 \uc218 \uc788\ub3c4\ub85d \ud574\uc90d\ub2c8\ub2e4. 
\uc774\ub97c \ud1b5\ud574 Kubernetes \ub9ac\uc18c\uc2a4\ub97c YAML\ub85c \uc120\uc5b8\uc801\uc73c\ub85c \uc815\uc758\ud560 \uc218 \uc788\uc73c\uba70, \ubcc4\ub3c4\uc758 \uc815\ucc45 \uc5b8\uc5b4\ub97c \ubc30\uc6b8 \ud544\uc694\uac00 \uc5c6\uc2b5\ub2c8\ub2e4. Kyverno\ub97c \uc0ac\uc6a9\ud558\uba74 \uc815\ucc45\uc744 Kubernetes \ub9ac\uc18c\uc2a4\ub85c \uc27d\uac8c \uc791\uc131\ud560 \uc218 \uc788\uc73c\uba70, \uacb0\uacfc\ub294 Kubernetes \ub9ac\uc18c\uc2a4 \ubc0f \uc774\ubca4\ud2b8\ub85c \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \ub610\ud55c Kyverno \uc815\ucc45\uc744 \uc0ac\uc6a9\ud558\uc5ec \ub9ac\uc18c\uc2a4\ub97c \uac80\uc99d, \ubcc0\ud615 \ubc0f \uc0dd\uc131\ud560 \uc218 \uc788\uc73c\uba70, \uc774\ubbf8\uc9c0 \uc11c\uba85 \ubc0f \uc778\uc99d\uc744 \uac80\uc99d\ud558\uc5ec \uc644\uc804\ud55c \uc18c\ud504\ud2b8\uc6e8\uc5b4 \uacf5\uae09 \uc0ac\uc2ac \ubcf4\uc548 \ud45c\uc900\uc744 \uc900\uc218\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \ub610\ud55c Kyverno \uc815\ucc45\uc740 \ub9ac\uc18c\uc2a4 \uc885\ub958, \uc774\ub984, \ub808\uc774\ube14 \uc120\ud0dd\uae30 \ub4f1\uc744 \uc0ac\uc6a9\ud558\uc5ec \ub9ac\uc18c\uc2a4\ub97c \uc77c\uce58\uc2dc\ud0ac \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n<p>Kyverno\uc758 \uae30\ub2a5\uc740 \ub2e4\uc74c\uacfc \uac19\uc2b5\ub2c8\ub2e4:<\/p>\n\n\n\n<ul>\n<li>\uc815\ucc45\uc744 Kubernetes \ub9ac\uc18c\uc2a4\ub85c \uc0ac\uc6a9\ud558\uc5ec \uac80\uc99d, \ubcc0\ud615, \uc0dd\uc131 \ub610\ub294 \uc815\ub9ac\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/li>\n\n\n\n<li>\uc18c\ud504\ud2b8\uc6e8\uc5b4 \uacf5\uae09 \uc0ac\uc2ac \ubcf4\uc548\uc744 \uc704\ud574 \ucee8\ud14c\uc774\ub108 \uc774\ubbf8\uc9c0\ub97c \ud655\uc778\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/li>\n\n\n\n<li>\uc774\ubbf8\uc9c0 \uba54\ud0c0\ub370\uc774\ud130\ub97c \uac80\uc0ac\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/li>\n\n\n\n<li>\ub808\uc774\ube14 \uc120\ud0dd\uae30 \ubc0f \uc640\uc77c\ub4dc\uce74\ub4dc\ub97c \uc0ac\uc6a9\ud558\uc5ec \ub9ac\uc18c\uc2a4\ub97c 
\uc77c\uce58\uc2dc\ud0ac \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/li>\n\n\n\n<li>Kustomize\uc640 \uc720\uc0ac\ud55c \ubc29\uc2dd\uc73c\ub85c \uc624\ubc84\ub808\uc774\ub97c \uc0ac\uc6a9\ud558\uc5ec \uac80\uc99d \ubc0f \ubcc0\ud615\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/li>\n\n\n\n<li>Namespace \uac04\uc5d0 \uad6c\uc131\uc744 \ub3d9\uae30\ud654\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/li>\n\n\n\n<li>\uac70\ubd80\ub41c \ub9ac\uc18c\uc2a4\ub97c \ucc28\ub2e8\ud558\uac70\ub098 \uc815\ucc45 \uc704\ubc18\uc744 \ubcf4\uace0\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/li>\n\n\n\n<li>\uc790\uccb4 \uc11c\ube44\uc2a4 \ubcf4\uace0\uc11c \ubc0f \uc815\ucc45 \uc608\uc678\ub97c \uc0dd\uc131\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/li>\n\n\n\n<li>Kyverno CLI\ub97c \uc0ac\uc6a9\ud558\uc5ec \uc815\ucc45\uc744 \ud14c\uc2a4\ud2b8\ud558\uace0 CI\/CD \ud30c\uc774\ud504\ub77c\uc778\uc5d0\uc11c \ub9ac\uc18c\uc2a4\ub97c \uc720\ud6a8\uc131 \uac80\uc0ac\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/li>\n\n\n\n<li>git \ubc0f kustomize\uc640 \uac19\uc740 \uc775\uc219\ud55c \ub3c4\uad6c\ub97c \uc0ac\uc6a9\ud558\uc5ec \uc815\ucc45\uc744 \ucf54\ub4dc\ub85c \uad00\ub9ac\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/li>\n<\/ul>\n\n\n\n<p>Kyverno\ub294 \ub3d9\uc801 Admission Control\ub85c \uc2e4\ud589\ub418\uba70, Mutating\/Validating Admission\uc5d0\uc11c \uc791\ub3d9\ud558\uc5ec \ud5c8\uc6a9\/\uac70\ubd80 \uacb0\uacfc\ub97c \ubc18\ud658\ud569\ub2c8\ub2e4. <br>\uc8fc\uc694 \uad6c\uc131 \uc694\uc18c\ub294 Webhook Server \ubc0f Webhook Controller\uc785\ub2c8\ub2e4. Webhook Server\ub294 Kubernetes API \uc11c\ubc84\uc5d0\uc11c \uc218\uc2e0\ub41c AdmissionReview \uc694\uccad\uc744 \ucc98\ub9ac\ud558\uace0 Engine\uc73c\ub85c \ubcf4\ub0c5\ub2c8\ub2e4. 
\uc774\ub294 Webhook Controller\uc5d0 \uc758\ud574 \ub3d9\uc801\uc73c\ub85c \uad6c\uc131\ub418\uba70, \uc124\uce58\ub41c \uc815\ucc45\uc744 \uac10\uc2dc\ud558\uace0 \ud574\ub2f9 \uc815\ucc45\uacfc \uc77c\uce58\ud558\ub294 \ub9ac\uc18c\uc2a4\ub9cc \uc694\uccad\ud558\ub3c4\ub85d \uc6f9\ud6c5\uc744 \uc218\uc815\ud569\ub2c8\ub2e4. Cert Renewer\ub294 \uc6f9\ud6c5\uc5d0 \ud544\uc694\ud55c \uc778\uc99d\uc11c\ub97c \uac10\uc2dc\ud558\uace0 \uac31\uc2e0\ud558\ub294 \uc5ed\ud560\uc744 \ud569\ub2c8\ub2e4. Background Controller\ub294 UpdateRequests\ub97c \uc870\uc815\ud558\uc5ec \uc0dd\uc131 \ubc0f \uae30\uc874 \uc815\ucc45\uc744 \ucc98\ub9ac\ud569\ub2c8\ub2e4. Report Controllers\ub294 \uc911\uac04 \ub9ac\uc18c\uc2a4\uc5d0\uc11c Policy Reports\uc758 \uc0dd\uc131 \ubc0f \uc870\uc815\uc744 \ucc98\ub9ac\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"527\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-448-1024x527.png\" alt=\"\" class=\"wp-image-1449\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-448-1024x527.png 1024w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-448-300x155.png 300w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-448-768x396.png 768w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-448-1536x791.png 1536w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-448.png 1920w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"583\" height=\"1024\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-450-583x1024.png\" alt=\"\" class=\"wp-image-1451\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-450-583x1024.png 583w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-450-171x300.png 171w, 
https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-450-768x1348.png 768w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-450-875x1536.png 875w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-450.png 968w\" sizes=\"(max-width: 583px) 100vw, 583px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"499\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-452-1024x499.png\" alt=\"\" class=\"wp-image-1453\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-452-1024x499.png 1024w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-452-300x146.png 300w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-452-768x374.png 768w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-452-1536x749.png 1536w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-452-2048x998.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Pod_Container_Security_context\"><\/span>Pod \/ Container Security context<span class=\"ez-toc-section-end\"><\/span><\/h1>\n\n\n\n<p>\ud30c\ub4dc\uc640 \ucee8\ud14c\uc774\ub108\uc758 \ubcf4\uc548 \ucee8\ud14d\uc2a4\ud2b8\ub294 Kubernetes\uc5d0\uc11c \uc2e4\ud589\ub418\ub294 \uc6cc\ud06c\ub85c\ub4dc\uc758 \ubcf4\uc548 \uad00\ub828 \ud658\uacbd \ubc0f \uc124\uc815\uc744 \uc758\ubbf8\ud569\ub2c8\ub2e4. \uc774\ub294 \ud30c\ub4dc \ub0b4\ubd80\uc758 \uac01 \ucee8\ud14c\uc774\ub108\uc5d0 \uc801\uc6a9\ub418\ub294 \ubcf4\uc548 \uad00\ub828 \uc124\uc815\uc73c\ub85c \uad6c\uc131\ub429\ub2c8\ub2e4. 
\ubcf4\uc548 \ucee8\ud14d\uc2a4\ud2b8\ub294 \ub2e4\uc74c\uacfc \uac19\uc740 \uc694\uc18c\ub97c \ud3ec\ud568\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4:<\/p>\n\n\n\n<ol>\n<li><strong>\uad8c\ud55c \ubc0f \uad8c\ud55c \ubd80\uc5ec<\/strong>: \ucee8\ud14c\uc774\ub108\uac00 \uc5b4\ub5a4 \uc791\uc5c5\uc744 \uc218\ud589\ud560 \uc218 \uc788\ub294\uc9c0 \uc81c\uc5b4\ud558\ub294 \ub370 \uc0ac\uc6a9\ub429\ub2c8\ub2e4. \uc774\ub7ec\ud55c \uad8c\ud55c\uc740 \ub9ac\ub205\uc2a4\uc5d0\uc11c\ub294 Linux Security Modules(LSM)\uc744 \ud1b5\ud574 \uc124\uc815\ub420 \uc218 \uc788\uc73c\uba70, \uc608\ub97c \ub4e4\uc5b4 SELinux \ub610\ub294 AppArmor\uc744 \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. Kubernetes\uc5d0\uc11c\ub294 Security Context\ub97c \uc0ac\uc6a9\ud558\uc5ec \ucee8\ud14c\uc774\ub108\uc758 \uad8c\ud55c\uc744 \uc124\uc815\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc774\ub97c \ud1b5\ud574 \ucee8\ud14c\uc774\ub108\uac00 \ud2b9\uc815 \uc0ac\uc6a9\uc790 ID\ub85c \uc2e4\ud589\ub418\uac70\ub098 \ud2b9\uc815 \ub9ac\ub205\uc2a4 \uce90\ud37c\ube4c\ub9ac\ud2f0(capability)\uc744 \uac00\uc9c0\ub3c4\ub85d \uc124\uc815\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/li>\n\n\n\n<li><strong>\ub124\ud2b8\uc6cc\ud06c \ubcf4\uc548<\/strong>: \ucee8\ud14c\uc774\ub108 \uac04 \ubc0f \uc678\ubd80\uc640\uc758 \ud1b5\uc2e0\uc744 \uc81c\uc5b4\ud558\ub294 \ub370 \uc0ac\uc6a9\ub429\ub2c8\ub2e4. Kubernetes\uc5d0\uc11c\ub294 \ub124\ud2b8\uc6cc\ud06c \uc815\ucc45(Network Policies)\uc744 \uc0ac\uc6a9\ud558\uc5ec \ud2b9\uc815 \ud30c\ub4dc \uac04\uc758 \ud2b8\ub798\ud53d\uc744 \uc81c\ud55c\ud558\uac70\ub098 \ud2b9\uc815 \ub124\ud2b8\uc6cc\ud06c \uc815\ucc45\uc744 \uc801\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. 
\ub610\ud55c PodSecurityPolicy\ub97c \uc0ac\uc6a9\ud558\uc5ec \ud2b9\uc815 \ud30c\ub4dc\uc758 \ub124\ud2b8\uc6cc\ud06c \ud2b9\uc131\uc744 \uc81c\uc5b4\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \ub2e4\ub9cc PodSecurityPolicy\ub294 Kubernetes v1.25\uc5d0\uc11c \uc81c\uac70\ub418\uc5c8\uc2b5\ub2c8\ub2e4. v1.25 \uc774\uc0c1\uc5d0\uc11c\ub294 Pod Security Admission \ub610\ub294 Kyverno\uc640 \uac19\uc740 \uc815\ucc45 \uc5d4\uc9c4\uc744 \ub300\uc2e0 \uc0ac\uc6a9\ud569\ub2c8\ub2e4.<\/li>\n\n\n\n<li><strong>\ud30c\uc77c \uc2dc\uc2a4\ud15c \ubc0f \ub9ac\uc18c\uc2a4 \uc81c\ud55c<\/strong>: \ucee8\ud14c\uc774\ub108\uac00 \ud30c\uc77c \uc2dc\uc2a4\ud15c\uc5d0 \uc561\uc138\uc2a4\ud558\ub294 \uad8c\ud55c\uacfc \ub9ac\uc18c\uc2a4\ub97c \uc0ac\uc6a9\ud558\ub294 \uc81c\ud55c\uc744 \uc124\uc815\ud558\ub294 \ub370 \uc0ac\uc6a9\ub429\ub2c8\ub2e4. Kubernetes\uc5d0\uc11c\ub294 Security Context\ub97c \uc0ac\uc6a9\ud558\uc5ec \ucee8\ud14c\uc774\ub108\uc758 \ud30c\uc77c \uc2dc\uc2a4\ud15c \uad8c\ud55c\uc744 \uc124\uc815\ud558\uace0, \ub9ac\uc18c\uc2a4 \uc81c\ud55c \ubc0f \uc694\uccad\uc744 \uc124\uc815\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/li>\n\n\n\n<li><strong>\ud658\uacbd \ubcc0\uc218 \ubc0f \uc2dc\ud06c\ub9bf \uad00\ub9ac<\/strong>: \ucee8\ud14c\uc774\ub108\uc5d0\uc11c \uc0ac\uc6a9\ub418\ub294 \ud658\uacbd \ubcc0\uc218\uc640 \uc2dc\ud06c\ub9bf\uc744 \uc548\uc804\ud558\uac8c \uad00\ub9ac\ud558\ub294 \ub370 \uc0ac\uc6a9\ub429\ub2c8\ub2e4. Kubernetes\uc5d0\uc11c\ub294 Secrets \ubc0f ConfigMaps\ub97c \uc0ac\uc6a9\ud558\uc5ec \ucee8\ud14c\uc774\ub108\uc5d0\uc11c \uc0ac\uc6a9\ub418\ub294 \uc911\uc694\ud55c \uc815\ubcf4\ub97c \uc548\uc804\ud558\uac8c \uad00\ub9ac\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/li>\n\n\n\n<li><strong>\uc811\uadfc \uc81c\uc5b4<\/strong>: \ucee8\ud14c\uc774\ub108 \uac04 \ubc0f \ud638\uc2a4\ud2b8 \uc2dc\uc2a4\ud15c\uacfc\uc758 \uc0c1\ud638 \uc791\uc6a9\uc744 \uc81c\uc5b4\ud558\ub294 \ub370 \uc0ac\uc6a9\ub429\ub2c8\ub2e4. 
Kubernetes\uc5d0\uc11c\ub294 PodSecurityPolicy\ub97c \uc0ac\uc6a9\ud558\uc5ec \ud2b9\uc815 \ud30c\ub4dc\uc5d0\uc11c \ud5c8\uc6a9\ub418\ub294 \ud638\uc2a4\ud2b8 \uc2dc\uc2a4\ud15c\uacfc\uc758 \uc0c1\ud638 \uc791\uc6a9\uc744 \uc81c\uc5b4\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \ub2e4\ub9cc PodSecurityPolicy\ub294 Kubernetes v1.25\uc5d0\uc11c \uc81c\uac70\ub418\uc5c8\uc2b5\ub2c8\ub2e4.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Container_Security_Context\"><\/span>Container Security Context<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>\uc885\ub958<\/td><td>\uac1c\uc694<\/td><\/tr><tr><td>privileged<\/td><td>\ud2b9\uc218 \uad8c\ud55c\uc744 \uac00\uc9c4 \ucee8\ud14c\uc774\ub108\ub85c \uc2e4\ud589<\/td><\/tr><tr><td>capabilities<\/td><td>Capabilities \uc758 \ucd94\uac00\uc640 \uc0ad\uc81c<\/td><\/tr><tr><td>allowPrivilegeEscalation<\/td><td>\ucee8\ud14c\uc774\ub108 \uc2e4\ud589 \uc2dc \uc0c1\uc704 \ud504\ub85c\uc138\uc2a4\ubcf4\ub2e4 \ub9ce\uc740 \uad8c\ud55c\uc744 \ubd80\uc5ec\ud560\uc9c0 \uc5ec\ubd80<\/td><\/tr><tr><td>readOnlyRootFilesystem<\/td><td>root \ud30c\uc77c \uc2dc\uc2a4\ud15c\uc744 \uc77d\uae30 \uc804\uc6a9\uc73c\ub85c \ud560\uc9c0 \uc5ec\ubd80<\/td><\/tr><tr><td>runAsUser<\/td><td>\uc2e4\ud589 \uc0ac\uc6a9\uc790<\/td><\/tr><tr><td>runAsGroup<\/td><td>\uc2e4\ud589 \uadf8\ub8f9<\/td><\/tr><tr><td>runAsNonRoot<\/td><td>root\ub85c \uc2e4\ud589\uc744 \uac70\ubd80<\/td><\/tr><tr><td>seLinuxOptions<\/td><td>SELinux \uc635\uc158<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"readOnlyRootFilesystem\"><\/span>readOnlyRootFilesystem<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ul>\n<li>root \ud30c\uc77c \uc2dc\uc2a4\ud15c\uc744 \uc77d\uae30 \uc804\uc6a9\uc73c\ub85c \uc0ac\uc6a9<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" 
style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"#\ncat &lt;&lt;EOF | kubectl create -f -\napiVersion: v1\nkind: Pod\nmetadata:\n  name: rootfile-readonly\nspec:\n  containers:\n  - name: netshoot\n    image: nicolaka\/netshoot\n    command: [&quot;tail&quot;]\n    args: [&quot;-f&quot;, &quot;\/dev\/null&quot;]\n    securityContext:\n      readOnlyRootFilesystem: true\n  terminationGracePeriodSeconds: 0\nEOF\n\n# \ud30c\uc77c \uc0dd\uc131 \uc2dc\ub3c4\nkubectl exec -it rootfile-readonly -- touch \/tmp\/text.txt\ntouch: \/tmp\/text.txt: Read-only file system\ncommand terminated with exit code 1\n\n# \uae30\uc874 \ud30c\uc77c \uc218\uc815 \uc2dc\ub3c4 : \uc544\ub798 \/etc\/hosts\ud30c\uc77c \ub9d0\uace0 \ub2e4\ub978 \ud30c\uc77c\ub85c \uc608\uc81c \ub9cc\ub4e4\uc5b4 \ub450\uc790\n## \uae30\ubcf8\uc801\uc73c\ub85c  mount \uc635\uc158\uc774 ro \uc774\uae34 \ud55c\ub370. 
\ud2b9\uc815 \ud30c\uc77c\uc774\ub098 \ud3f4\ub354\uac00 rw\ub85c mount\uac00 \ub418\uc5b4\uc11c \uadf8\uacf3\uc5d0\uc11c\ub294 \ud30c\uc77c \uc0dd\uc131, \uc0ad\uc81c\ub4f1\uc774 \uac00\ub2a5\ud558\ub124\uc694.\n## \ud2b9\ud788 \/etc\/hosts \ud30c\uc77c\uc740 HostAliases\ub85c \ud56d\ubaa9 \ucd94\uac00\uac00 \uac00\ub2a5\ud55c\ub370, \ud574\ub2f9 \ud30c\ub9c1\uc740 kubelet\uc5d0 \uc758\ud574 \uad00\ub9ac\ub418\uace0, \ud30c\ub4dc \uc0dd\uc131\/\uc7ac\uc2dc\uc791 \uc911 \ub36e\uc5c8\uc5ec\uc9c8 \uc218 \uc788\ub2e4.\n## \/dev \ub77c\ub358\uac00 \/sys\/fs\/cgroup \ud3f4\ub354 \uc548\uc5d0\uc11c\ub3c4 \uac00\ub2a5\ud558\ub124\uc694.\n## \/etc\/hostname \uac19\uc740 \uacbd\uc6b0\ub294 \ud638\uc2a4\ud2b8\uc640 \ubcc4\ub3c4\uc758 \ud30c\uc77c\uc774\uc9c0\ub9cc mount\uac00 \/ (ro)\uc5d0 \uc18d\ud558\uac8c \ub418\uc5b4 \uc81c\ud55c\uc774 \uac78\ub9ac\ub124\uc694.\nkubectl exec -it rootfile-readonly -- cat \/etc\/hosts\nkubectl exec -it rootfile-readonly -- sh -c &quot;echo write &gt; \/etc\/hosts&quot;\nkubectl exec -it rootfile-readonly -- cat \/etc\/hosts\n\n# \ud2b9\uc815 \ud30c\ud2f0\uc158, \ud30c\uc77c\uc758 ro\/rw \ud655\uc778\nkubectl exec -it rootfile-readonly -- mount | grep hosts\n\/dev\/root on \/etc\/hosts type ext4 (rw,relatime,discard)\n\nkubectl exec -it rootfile-readonly -- mount | grep ro\noverlay on \/ type overlay (ro,relatime~~~~~~~~~~\n\n## \/proc, \/dev, \/sys\/fs\/cgroup, \/etc\/hosts, \/proc\/kcore, \/proc\/keys, \/proc\/timer_list\nkubectl exec -it rootfile-readonly -- mount | grep rw\nproc on \/proc type proc (rw,nosuid,nodev,noexec,relatime)\ntmpfs on \/dev type tmpfs (rw,nosuid,size=65536k,mode=755,inode64)\n...\n\n# \ud30c\ub4dc \uc0c1\uc138 \uc815\ubcf4 \ud655\uc778\nkubectl get pod rootfile-readonly -o jsonpath={.spec.containers[0].securityContext} | jq\n{\n  &quot;readOnlyRootFilesystem&quot;: true\n}\" style=\"color:#d8dee9ff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg 
xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #616E88\">#<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">cat<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">&lt;&lt;<\/span><span style=\"color: #ECEFF4\">EOF<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">|<\/span><span style=\"color: #D8DEE9FF\"> kubectl create -f -<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">apiVersion: v1<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">kind: Pod<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">metadata:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">  name: rootfile-readonly<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">spec:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">  containers:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">  - name: netshoot<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">    image: nicolaka\/netshoot<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">    command: [&quot;tail&quot;]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">    args: [&quot;-f&quot;, 
&quot;\/dev\/null&quot;]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">    securityContext:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">      readOnlyRootFilesystem: true<\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">  terminationGracePeriodSeconds: 0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #ECEFF4\">EOF<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># \ud30c\uc77c \uc0dd\uc131 \uc2dc\ub3c4<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">exec<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-it<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rootfile-readonly<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">touch<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">\/tmp\/text.txt<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">touch:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">\/tmp\/text.txt:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">Read-only<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">file<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">system<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">command<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">terminated<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">with<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">exit<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: 
#A3BE8C\">code<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #B48EAD\">1<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># \uae30\uc874 \ud30c\uc77c \uc218\uc815 \uc2dc\ub3c4 : \uc544\ub798 \/etc\/hosts\ud30c\uc77c \ub9d0\uace0 \ub2e4\ub978 \ud30c\uc77c\ub85c \uc608\uc81c \ub9cc\ub4e4\uc5b4 \ub450\uc790<\/span><\/span>\n<span class=\"line\"><span style=\"color: #616E88\">## \uae30\ubcf8\uc801\uc73c\ub85c  mount \uc635\uc158\uc774 ro \uc774\uae34 \ud55c\ub370. \ud2b9\uc815 \ud30c\uc77c\uc774\ub098 \ud3f4\ub354\uac00 rw\ub85c mount\uac00 \ub418\uc5b4\uc11c \uadf8\uacf3\uc5d0\uc11c\ub294 \ud30c\uc77c \uc0dd\uc131, \uc0ad\uc81c\ub4f1\uc774 \uac00\ub2a5\ud558\ub124\uc694.<\/span><\/span>\n<span class=\"line\"><span style=\"color: #616E88\">## \ud2b9\ud788 \/etc\/hosts \ud30c\uc77c\uc740 HostAliases\ub85c \ud56d\ubaa9 \ucd94\uac00\uac00 \uac00\ub2a5\ud55c\ub370, \ud574\ub2f9 \ud30c\ub9c1\uc740 kubelet\uc5d0 \uc758\ud574 \uad00\ub9ac\ub418\uace0, \ud30c\ub4dc \uc0dd\uc131\/\uc7ac\uc2dc\uc791 \uc911 \ub36e\uc5c8\uc5ec\uc9c8 \uc218 \uc788\ub2e4.<\/span><\/span>\n<span class=\"line\"><span style=\"color: #616E88\">## \/dev \ub77c\ub358\uac00 \/sys\/fs\/<span class='tooltipsall tooltipsincontent classtoolTips5'>cgroup<\/span> \ud3f4\ub354 \uc548\uc5d0\uc11c\ub3c4 \uac00\ub2a5\ud558\ub124\uc694.<\/span><\/span>\n<span class=\"line\"><span style=\"color: #616E88\">## \/etc\/hostname \uac19\uc740 \uacbd\uc6b0\ub294 \ud638\uc2a4\ud2b8\uc640 \ubcc4\ub3c4\uc758 \ud30c\uc77c\uc774\uc9c0\ub9cc mount\uac00 \/ (ro)\uc5d0 \uc18d\ud558\uac8c \ub418\uc5b4 \uc81c\ud55c\uc774 \uac78\ub9ac\ub124\uc694.<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">exec<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-it<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: 
#A3BE8C\">rootfile-readonly<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">cat<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">\/etc\/hosts<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">exec<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-it<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rootfile-readonly<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">sh<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-c<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">echo write &gt; \/etc\/hosts<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">exec<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-it<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rootfile-readonly<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">cat<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">\/etc\/hosts<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># \ud2b9\uc815 \ud30c\ud2f0\uc158, \ud30c\uc77c\uc758 ro\/rw \ud655\uc778<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span 
style=\"color: #A3BE8C\">exec<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-it<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rootfile-readonly<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">mount<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">|<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">grep<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">hosts<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">\/dev\/root<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">on<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">\/etc\/hosts<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">type<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">ext4<\/span><span style=\"color: #D8DEE9FF\"> (rw,relatime,discard)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">exec<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-it<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rootfile-readonly<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">mount<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">|<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">grep<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">ro<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#88C0D0\">overlay<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">on<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">\/<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">type<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">overlay<\/span><span style=\"color: #D8DEE9FF\"> (ro,relatime~~~~~~~~~~<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #616E88\">## \/proc, \/dev, \/sys\/fs\/<span class='tooltipsall tooltipsincontent classtoolTips5'>cgroup<\/span>, \/etc\/hosts, \/proc\/kcore, \/proc\/keys, \/proc\/timer_list<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">exec<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-it<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rootfile-readonly<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">mount<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">|<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">grep<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rw<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">proc<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">on<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">\/proc<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">type<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">proc<\/span><span style=\"color: #D8DEE9FF\"> (rw,nosuid,nodev,noexec,relatime)<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#88C0D0\">tmpfs<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">on<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">\/dev<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">type<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">tmpfs<\/span><span style=\"color: #D8DEE9FF\"> (rw,nosuid,size=65536k,mode=755,inode64)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">...<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># \ud30c\ub4dc \uc0c1\uc138 \uc815\ubcf4 \ud655\uc778<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">kubectl<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">get<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">pod<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">rootfile-readonly<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">-o<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">jsonpath={.spec.containers[<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #A3BE8C\">].securityContext}<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">|<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">jq<\/span><\/span>\n<span class=\"line\"><span style=\"color: #ECEFF4\">{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #88C0D0\">&quot;readOnlyRootFilesystem&quot;<\/span><span style=\"color: #88C0D0\">:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">true<\/span><\/span>\n<span class=\"line\"><span style=\"color: #ECEFF4\">}<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" 
id=\"Linux_Capabilities\"><\/span>Linux Capabilities<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ul>\n<li>\uc288\ud37c \uc720\uc800\uc758 \ud798\uc744 \uc791\uc740 \uc870\uac01\uc73c\ub85c \ub098\ub214<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"# Linux Capabilities \ud655\uc778 : \ud604\uc7ac 38\uac1c\ncapsh --print\n...\nBounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read\n\n# proc \uc5d0\uc11c \ud655\uc778 : bit \ubcc4 Capabilities - \ub9c1\ud06c\ncat \/proc\/1\/status | egrep 
'CapPrm|CapEff'\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\" style=\"color:#d8dee9ff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #616E88\"># Linux Capabilities \ud655\uc778 : \ud604\uc7ac 38\uac1c<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">capsh<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">--print<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">...<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">Bounding<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">set<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: 
#A3BE8C\">=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #616E88\"># proc \uc5d0\uc11c \ud655\uc778 : bit \ubcc4 Capabilities - \ub9c1\ud06c<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">cat<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">\/proc\/1\/status<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">|<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">egrep<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">CapPrm|CapEff<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">CapPrm:<\/span><span style=\"color: #D8DEE9FF\">\t<\/span><span style=\"color: #B48EAD\">0000003<\/span><span style=\"color: #A3BE8C\">fffffffff<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">CapEff:<\/span><span style=\"color: #D8DEE9FF\">\t<\/span><span style=\"color: #B48EAD\">0000003<\/span><span style=\"color: #A3BE8C\">fffffffff<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p><table border=\"0\" cellpadding=\"0\" cellspacing=\"0\" width=\"234\" style=\"border-collapse:\n collapse;width:175pt\">  <colgroup><col width=\"162\" style=\"mso-width-source:userset;mso-width-alt:5168;width:121pt\"><\/col>  <col width=\"72\" style=\"width:54pt\"><\/col>  
<\/colgroup><tbody><tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" width=\"162\" style=\"height:16.9pt;width:121pt\">Capability<\/td>   <td width=\"72\" style=\"width:54pt\">Description\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_chown<\/td>   <td>\ud30c\uc77c\uc774\ub098 \ub514\ub809\ud1a0\ub9ac\uc758 \uc18c\uc720\uc790\ub97c \ubcc0\uacbd\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_dac_override<\/td>   <td>\ud30c\uc77c\uc774\ub098 \ub514\ub809\ud1a0\ub9ac\uc758 \uc811\uadfc \uad8c\ud55c\uc744 \ubb34\uc2dc\ud558\uace0 \ud30c\uc77c\uc774\ub098 \ub514\ub809\ud1a0\ub9ac\uc5d0 \ub300\ud55c \uc811\uadfc\uc744 \uc218\ud589\ud560 \uc218 \uc788\ub294 \uad8c\ud55c (DAC\uc758 \uc57d\uc790\ub294 Discretionary access control\uc774\ub2e4)<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" 
style=\"height:16.9pt\">cap_dac_read_search<\/td>   <td>\ud30c\uc77c\uc774\ub098 \ub514\ub809\ud1a0\ub9ac\ub97c \uc77d\uac70\ub098 \uac80\uc0c9\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_fowner<\/td>   <td>\ud30c\uc77c \uc18c\uc720\uc790(UID) \uc77c\uce58\uac00 \ud544\uc694\ud55c \uc791\uc5c5(chmod, utime \ub4f1)\uc758 \uad8c\ud55c \uac80\uc0ac\ub97c \uc6b0\ud68c\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_fsetid<\/td>   <td>\ud30c\uc77c\uc774\ub098 \ub514\ub809\ud1a0\ub9ac\uc758 Set-User-ID (SUID) \ub610\ub294 Set-Group-ID (SGID) \ube44\ud2b8\ub97c \uc124\uc815\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_kill<\/td>   <td>\ub2e4\ub978 \ud504\ub85c\uc138\uc2a4\ub97c \uc885\ub8cc\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_setgid<\/td>   <td>\ud504\ub85c\uc138\uc2a4\uac00 \uadf8\ub8f9 ID\ub97c \ubcc0\uacbd\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_setuid<\/td>   <td>\ud504\ub85c\uc138\uc2a4\uac00 \uc0ac\uc6a9\uc790 ID\ub97c \ubcc0\uacbd\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_setpcap<\/td>   <td>\ud504\ub85c\uc138\uc2a4\uac00 \uc790\uc2e0\uc758 \ud504\ub85c\uc138\uc2a4 \uad8c\ud55c\uc744 \ubcc0\uacbd\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height: 16.9pt; box-sizing: border-box; --tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; --tw-rotate: 0; --tw-skew-x: 0; --tw-skew-y: 0; --tw-scale-x: 1;
--tw-scale-y: 1; --tw-pan-x: ; --tw-pan-y: ; --tw-pinch-zoom: ; --tw-scroll-snap-strictness: proximity; --tw-gradient-from-position: ; --tw-gradient-via-position: ; --tw-gradient-to-position: ; --tw-ordinal: ; --tw-slashed-zero: ; --tw-numeric-figure: ; --tw-numeric-spacing: ; --tw-numeric-fraction: ; --tw-ring-inset: ; --tw-ring-offset-width: 0px; --tw-ring-offset-color: #fff; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-shadow: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-shadow-colored: 0 0 transparent; --tw-blur: ; --tw-brightness: ; --tw-contrast: ; --tw-grayscale: ; --tw-hue-rotate: ; --tw-invert: ; --tw-saturate: ; --tw-sepia: ; --tw-drop-shadow: ; --tw-backdrop-blur: ; --tw-backdrop-brightness: ; --tw-backdrop-contrast: ; --tw-backdrop-grayscale: ; --tw-backdrop-hue-rotate: ; --tw-backdrop-invert: ; --tw-backdrop-opacity: ; --tw-backdrop-saturate: ; --tw-backdrop-sepia: ; --tw-contain-size: ; --tw-contain-layout: ; --tw-contain-paint: ; --tw-contain-style: ; padding: 0.25rem 0.75rem;\">cap_linux_immutable<\/td>   <td>\ud30c\uc77c\uc758 immutability(\ubd88\ubcc0\uc131) \uc18d\uc131\uc744 \ubcc0\uacbd\ud560 \uc218 \uc788\ub294 \uad8c\ud55c\uc744 \uc81c\uacf5<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height: 16.9pt; box-sizing: border-box; --tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; --tw-rotate: 0; --tw-skew-x: 0; --tw-skew-y: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-pan-x: ; --tw-pan-y: ; --tw-pinch-zoom: ; --tw-scroll-snap-strictness: proximity; --tw-gradient-from-position: ; --tw-gradient-via-position: ; --tw-gradient-to-position: ; --tw-ordinal: ; --tw-slashed-zero: ; --tw-numeric-figure: ; --tw-numeric-spacing: ; --tw-numeric-fraction: ; --tw-ring-inset: ; --tw-ring-offset-width: 0px; --tw-ring-offset-color: #fff; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-shadow: 0 
0 transparent; --tw-shadow: 0 0 transparent; --tw-shadow-colored: 0 0 transparent; --tw-blur: ; --tw-brightness: ; --tw-contrast: ; --tw-grayscale: ; --tw-hue-rotate: ; --tw-invert: ; --tw-saturate: ; --tw-sepia: ; --tw-drop-shadow: ; --tw-backdrop-blur: ; --tw-backdrop-brightness: ; --tw-backdrop-contrast: ; --tw-backdrop-grayscale: ; --tw-backdrop-hue-rotate: ; --tw-backdrop-invert: ; --tw-backdrop-opacity: ; --tw-backdrop-saturate: ; --tw-backdrop-sepia: ; --tw-contain-size: ; --tw-contain-layout: ; --tw-contain-paint: ; --tw-contain-style: ; padding: 0.25rem 0.75rem; border-bottom-right-radius: 0.375rem;\">cap_net_bind_service<\/td>   <td>\ud504\ub85c\uadf8\ub7a8\uc774 1024 \ubbf8\ub9cc\uc758 \ud2b9\uad8c(privileged) \ud3ec\ud2b8\uc5d0 \ubc14\uc778\ub529(bind)\ud558\uc5ec \uc18c\ucf13\uc744 \uac1c\ubc29\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_net_broadcast<\/td>   <td>\ud504\ub85c\uc138\uc2a4\uac00 \ub124\ud2b8\uc6cc\ud06c \ube0c\ub85c\ub4dc\uce90\uc2a4\ud2b8 \uba54\uc2dc\uc9c0\ub97c \ubcf4\ub0bc \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_net_admin<\/td>   <td>\ub124\ud2b8\uc6cc\ud06c \uc778\ud130\ud398\uc774\uc2a4\ub098 \uc18c\ucf13 \uc124\uc815\uc744 \ubcc0\uacbd\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_net_raw<\/td>   <td>\ub124\ud2b8\uc6cc\ud06c \ud328\ud0b7\uc744 \uc1a1\uc218\uc2e0\ud558\uac70\ub098 \uc870\uc791\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_ipc_lock<\/td>   <td>\uba54\ubaa8\ub9ac \uc601\uc5ed\uc744 \uc7a0\uae08(lock)\ud558\uace0 \uc5b8\ub77d(unlock)\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\"
style=\"height:16.9pt\">cap_ipc_owner<\/td>   <td>IPC \ub9ac\uc18c\uc2a4(Inter-Process   Communication Resources)\ub97c \uc18c\uc720\ud558\uace0, \uad8c\ud55c\uc744 \ubcc0\uacbd\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_sys_module<\/td>   <td>\ucee4\ub110 \ubaa8\ub4c8\uc744 \ub85c\ub4dc\ud558\uac70\ub098 \uc5b8\ub85c\ub4dc\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_sys_rawio<\/td>   <td>\uc785\ucd9c\ub825(I\/O) \ud3ec\ud2b8\uc640 \uac19\uc740 \ud558\ub4dc\uc6e8\uc5b4 \ub9ac\uc18c\uc2a4\ub97c \uc9c1\uc811 \uc811\uadfc\ud560 \uc218   \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_sys_chroot<\/td>   <td>\ud504\ub85c\uc138\uc2a4\uac00 chroot() \uc2dc\uc2a4\ud15c \ucf5c\uc744 \ud638\ucd9c\ud558\uc5ec \ud504\ub85c\uc138\uc2a4\uc758 \ub8e8\ud2b8 \ub514\ub809\ud1a0\ub9ac\ub97c \ubcc0\uacbd\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_sys_ptrace<\/td>   <td>\ub2e4\ub978 \ud504\ub85c\uc138\uc2a4\ub97c \ucd94\uc801(trace)\ud558\uac70\ub098 \ub514\ubc84\uae45\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_sys_pacct<\/td>   <td>\ud504\ub85c\uc138\uc2a4 \ud68c\uacc4(process accounting)\ub97c \uc704\ud55c \ud30c\uc77c\uc5d0 \uc811\uadfc\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_sys_admin<\/td>   <td>\uc2dc\uc2a4\ud15c \uad00\ub9ac\uc790 \uad8c\ud55c\uc744 \uc81c\uacf5\ud558\ub294 \uad8c\ud55c (mount \ub4f1 \ub9ce\uc740 \uad00\ub9ac \uc791\uc5c5\uc744 \uc218\ud589\ud560 \uc218 \uc788\ub294 \uac15\ub825\ud55c \uad8c\ud55c\uc774\ubbc0\ub85c \ucee8\ud14c\uc774\ub108\uc5d0 \ubd80\uc5ec \uc2dc \uc8fc\uc758)<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\"
style=\"height:16.9pt\">cap_sys_boot<\/td>   <td>\uc2dc\uc2a4\ud15c \ubd80\ud305\uacfc \uad00\ub828\ub41c \uc791\uc5c5\uc744 \uc218\ud589\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_sys_nice<\/td>   <td>\ud504\ub85c\uc138\uc2a4\uc758 \uc6b0\uc120\uc21c\uc704\ub97c \ubcc0\uacbd\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_sys_resource<\/td>   <td>\uc790\uc6d0 \uc81c\ud55c(resource limit)\uacfc \uad00\ub828\ub41c \uc791\uc5c5\uc744 \uc218\ud589\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_sys_time<\/td>   <td>\uc2dc\uc2a4\ud15c \uc2dc\uac04\uc744 \ubcc0\uacbd\ud558\uac70\ub098, \uc2dc\uac04 \uad00\ub828 \uc2dc\uc2a4\ud15c \ucf5c\uc744 \uc0ac\uc6a9\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_sys_tty_config<\/td>   <td>\ud130\ubbf8\ub110 \uc124\uc815\uc744 \ubcc0\uacbd\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_mknod<\/td>   <td>mknod() \uc2dc\uc2a4\ud15c \ucf5c\uc744 \uc0ac\uc6a9\ud558\uc5ec \ud30c\uc77c \uc2dc\uc2a4\ud15c\uc5d0 \ud2b9\uc218 \ud30c\uc77c\uc744 \uc0dd\uc131\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_lease<\/td>   <td>\ud30c\uc77c\uc758 \uc7a0\uae08\uacfc \uad00\ub828\ub41c \uc791\uc5c5\uc744 \uc218\ud589\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_audit_write<\/td>   <td>\uc2dc\uc2a4\ud15c \uac10\uc0ac(audit) \ub85c\uadf8\uc5d0 \ub300\ud55c \uc4f0\uae30 
\uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_audit_control<\/td>   <td>\uc2dc\uc2a4\ud15c \uac10\uc0ac(audit) \uc124\uc815\uacfc \uad00\ub828\ub41c \uc791\uc5c5\uc744 \uc218\ud589\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_setfcap<\/td>   <td>file system capability\uc744 \uc124\uc815\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_mac_override<\/td>   <td>SELinux \ub610\ub294 AppArmor\uacfc \uac19\uc740 MAC(Mandatory Access Control) \uc2dc\uc2a4\ud15c\uc744 \uc6b0\ud68c\ud558\uace0 \uc790\uc2e0\uc758 \ud504\ub85c\uc138\uc2a4\uac00 \uc811\uadfc \uac00\ub2a5\ud55c \ud30c\uc77c, \ub514\ubc14\uc774\uc2a4, \ub124\ud2b8\uc6cc\ud06c \ub4f1\uc744 \uc81c\ud55c   \uc5c6\uc774 \uc811\uadfc\ud560 \uc218 \uc788\ub294 \uad8c\ud55c\u00a0<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_mac_admin<\/td>   <td>SELinux \ub610\ub294 AppArmor\uacfc \uac19\uc740 MAC(Mandatory Access Control) \uc2dc\uc2a4\ud15c\uc744 \uad00\ub9ac\ud558\uace0 \uc218\uc815\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_syslog<\/td>   <td>\uc2dc\uc2a4\ud15c \ub85c\uadf8\ub97c \uc77d\uac70\ub098, \uc4f8 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_wake_alarm<\/td>   <td>\uc2dc\uc2a4\ud15c\uc758 RTC(Real-Time Clock)\ub97c \uc0ac\uc6a9\ud558\uc5ec   \uc7a5\uce58\ub97c \uae68\uc6b0\uac70\ub098 \uc2ac\ub9bd \ubaa8\ub4dc\ub97c \ud574\uc81c\ud560 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_block_suspend<\/td> 
  <td>\uc2dc\uc2a4\ud15c\uc758 \uc804\uc6d0 \uad00\ub9ac \uae30\ub2a5 \uc911 \ud558\ub098\uc778 Suspend(\uc808\uc804 \ubaa8\ub4dc)\ub97c \ubc29\uc9c0\ud558\ub294 \uad8c\ud55c<\/td>  <\/tr>  <tr height=\"23\" style=\"height:16.9pt\">   <td height=\"23\" style=\"height:16.9pt\">cap_audit_read<\/td>   <td>\uc2dc\uc2a4\ud15c \uac10\uc0ac(audit) \ub85c\uadf8\ub97c \uc77d\uc744 \uc218 \uc788\ub294 \uad8c\ud55c<\/td>  <\/tr><\/tbody><\/table><\/p>\n\n\n\n<p><strong>Pod\uc758 Linux Capabilities \uae30\ubcf8 \ud655\uc778<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"240\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-453-1024x240.png\" alt=\"\" class=\"wp-image-1454\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-453-1024x240.png 1024w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-453-300x70.png 300w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-453-768x180.png 768w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-453-1536x360.png 1536w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-453.png 1539w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>Pod \uc2dc\uac04 \ubcc0\uacbd \uc2dc\ub3c4<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"984\" height=\"125\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-454.png\" alt=\"\" class=\"wp-image-1455\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-454.png 984w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-454-300x38.png 300w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-454-768x98.png 768w\" sizes=\"(max-width: 984px) 100vw, 984px\" \/><\/figure>\n\n\n\n<p><strong>Pod\uc5d0 \uad8c\ud55c \ucd94\uac00 \ud6c4 \ubcc0\uacbd
\uc2dc\ub3c4<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"579\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-456-1024x579.png\" alt=\"\" class=\"wp-image-1457\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-456-1024x579.png 1024w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-456-300x170.png 300w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-456-768x434.png 768w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-456-1536x868.png 1536w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-456.png 1633w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Pod_Security_Context\"><\/span>Pod Security Context<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul>\n<li>\ud30c\ub4dc \ub808\ubca8\uc5d0\uc11c \ubcf4\uc548 \ucee8\ud14d\uc2a4\ud2b8\ub97c \uc801\uc6a9 : \ud30c\ub4dc\uc5d0 \ud3ec\ud568\ub41c \ubaa8\ub4e0 \ucee8\ud14c\uc774\ub108\uac00 \uc601\ud5a5\uc744 \ubc1b\uc74c<\/li>\n\n\n\n<li>\ud30c\ub4dc\uc640 \ucee8\ud14c\uc774\ub108 \uc815\ucc45 \uc911\ubcf5 \uc2dc, \ucee8\ud14c\uc774\ub108 \uc815\ucc45\uc774 \uc6b0\uc120 \uc801\uc6a9\ub428<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><th>\uc885\ub958<\/th><th>\uac1c\uc694<\/th><\/tr><tr><td>runAsUser<\/td><td>\uc2e4\ud589 \uc0ac\uc6a9\uc790<\/td><\/tr><tr><td>runAsGroup<\/td><td>\uc2e4\ud589 \uadf8\ub8f9<\/td><\/tr><tr><td>runAsNonRoot<\/td><td>root \uc5d0\uc11c \uc2e4\ud589\uc744 \uac70\ubd80<\/td><\/tr><tr><td>supplementalGroups<\/td><td>\ud504\ub77c\uc774\uba38\ub9ac GID\uc5d0 \ucd94\uac00\ub85c \ubd80\uc5ec\ud560 GID \ubaa9\ub85d\uc744 \uc9c0\uc815<\/td><\/tr><tr><td>fsGroup<\/td><td>\ud30c\uc77c \uc2dc\uc2a4\ud15c \uadf8\ub8f9 \uc9c0\uc815<\/td><\/tr><tr><td>sysctls<\/td><td>\ub36e\uc5b4 \uc4f8
\ucee4\ub110 \ud30c\ub77c\ubbf8\ud130 \uc9c0\uc815<\/td><\/tr><tr><td>seLinuxOptions<\/td><td>SELinux \uc635\uc158 \uc9c0\uc815<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"runuser_%EC%8B%A4%ED%96%89_%EC%82%AC%EC%9A%A9%EC%9E%90_%EB%B3%80%EA%B2%BD\"><\/span>runAsUser (\uc2e4\ud589 \uc0ac\uc6a9\uc790 \ubcc0\uacbd)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"928\" height=\"1024\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-458-928x1024.png\" alt=\"\" class=\"wp-image-1459\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-458-928x1024.png 928w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-458-272x300.png 272w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-458-768x848.png 768w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-458.png 985w\" sizes=\"(max-width: 928px) 100vw, 928px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"runAsNonRoot_root_%EC%82%AC%EC%9A%A9%EC%9E%90%EB%A1%9C_%EC%8B%A4%ED%96%89_%EC%A0%9C%ED%95%9C\"><\/span>runAsNonRoot (root \uc0ac\uc6a9\uc790\ub85c \uc2e4\ud589 \uc81c\ud55c)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"994\" height=\"364\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-459.png\" alt=\"\" class=\"wp-image-1460\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-459.png 994w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-459-300x110.png 300w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-459-768x281.png 768w\" sizes=\"(max-width: 994px) 100vw, 994px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span
class=\"ez-toc-section\" id=\"fsGroup%ED%8C%8C%EC%9D%BC%EC%8B%9C%EC%8A%A4%ED%85%9C_%EA%B7%B8%EB%A3%B9_%EC%A7%80%EC%A0%95\"><\/span>fsGroup(\ud30c\uc77c\uc2dc\uc2a4\ud15c \uadf8\ub8f9 \uc9c0\uc815)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"730\" height=\"1024\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-461-730x1024.png\" alt=\"\" class=\"wp-image-1462\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-461-730x1024.png 730w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-461-214x300.png 214w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-461-768x1077.png 768w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-461.png 974w\" sizes=\"(max-width: 730px) 100vw, 730px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"sysctls_%EC%BB%A4%EB%84%90_%ED%8C%8C%EB%9D%BC%EB%AF%B8%ED%84%B0_%EC%84%A4%EC%A0%95\"><\/span>sysctls (\ucee4\ub110 \ud30c\ub77c\ubbf8\ud130 \uc124\uc815)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"856\" height=\"1024\" src=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-464-856x1024.png\" alt=\"\" class=\"wp-image-1465\" srcset=\"https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-464-856x1024.png 856w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-464-251x300.png 251w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-464-768x919.png 768w, https:\/\/www.gyuroot.com\/wordpress\/wp-content\/uploads\/image-464.png 993w\" sizes=\"(max-width: 856px) 100vw, 856px\" \/><\/figure>\n<script type=\"text\/javascript\"> toolTips('.classtoolTips5','control groups : \ud504\ub85c\uc138\uc2a4\ub4e4\uc758\u00a0\uc790\uc6d0\uc758 \uc0ac\uc6a9(CPU, 
\uba54\ubaa8\ub9ac, \ub514\uc2a4\ud06c \uc785\ucd9c\ub825, \ub124\ud2b8\uc6cc\ud06c \ub4f1)\uc744 \uc81c\ud55c\ud558\uace0 \uaca9\ub9ac\uc2dc\ud0a4\ub294\u00a0\ub9ac\ub205\uc2a4 \ucee4\ub110\u00a0\uae30\ub2a5'); <\/script><script type=\"text\/javascript\"> toolTips('.classtoolTips11','<span class=\"notion-enable-hover\" data-token-index=\"0\">Uniform Resource Locator<br\/><\/span><br\/><br\/><a href=\"\/wordpress\/?p=65\">Detail<\/a>'); <\/script>","protected":false},"excerpt":{"rendered":"<p>Kubernetes Auth Admission Control\uc740 \ud074\ub7ec\uc2a4\ud130\uc5d0\uc11c \uc2e4\ud589\ud560 \uc218 \uc788\ub294 \ud56d\ubaa9\uc744 \uc815\uc758\ud558\uace0 \uc0ac\uc6a9\uc790 \uc9c0\uc815\ud558\ub294 \ub370 \ub3c4\uc6c0\uc774 \ub418\ub294 \uac15\ub825\ud55c Kubernetes \uae30\ubc18 \uae30\ub2a5\uc785\ub2c8\ub2e4. \uac10\uc2dc\uc790\ub85c\uc11c \ud074\ub7ec\uc2a4\ud130\uc5d0 \ub4e4\uc5b4\uac00\ub294 \ub0b4\uc6a9\uc744 \uc81c\uc5b4\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \ub108\ubb34 \ub9ce\uc740 \ub9ac\uc18c\uc2a4\ub97c \uc694\uccad\ud558\ub294 \ubc30\ud3ec\ub97c \uad00\ub9ac\ud558\uace0, \ud3ec\ub4dc \ubcf4\uc548 \uc815\ucc45\uc744 \uc2dc\ud589\ud558\uba70, \ucde8\uc57d\ud55c \uc774\ubbf8\uc9c0\uac00 \ubc30\ud3ec\ub418\ub294 \uac83\uc744 \ucc28\ub2e8\ud560 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4. 
Authentication (\uc778\uc99d) \ucfe0\ubc84\ub124\ud2f0\uc2a4\ub294 \uacc4\uc815 \uccb4\uacc4\ub97c \uad00\ub9ac\ud568\uc5d0 \uc788\uc5b4\uc11c \uc0ac\ub78c\uc774 \uc0ac\uc6a9\ud558\ub294 \uc0ac\uc6a9\uc790 \uc5b4\uce74\uc6b4\ud2b8\uc640, \uc2dc\uc2a4\ud15c\uc774 &#8230; <a title=\"06-[AEWS]-EKS Security\" class=\"read-more\" href=\"https:\/\/www.gyuroot.com\/wordpress\/?p=1398\" aria-label=\"More on 06-[AEWS]-EKS Security\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_eb_attr":""},"categories":[46],"tags":[],"_links":{"self":[{"href":"https:\/\/www.gyuroot.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1398"}],"collection":[{"href":"https:\/\/www.gyuroot.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gyuroot.com\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gyuroot.com\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gyuroot.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1398"}],"version-history":[{"count":2,"href":"https:\/\/www.gyuroot.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1398\/revisions"}],"predecessor-version":[{"id":1467,"href":"https:\/\/www.gyuroot.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1398\/revisions\/1467"}],"wp:attachment":[{"href":"https:\/\/www.gyuroot.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1398"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gyuroot.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1398"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gyuroot.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1398"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}