更新k8s憑證

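# Check current certificate expiry before doing anything
kubeadm alpha certs check-expiration

# Export the cluster configuration that the renewal reads
kubeadm config view > /root/kubeadm.yaml

# Renew every certificate, then show the new expiry dates
kubeadm alpha certs renew all --config=/root/kubeadm.yaml
kubeadm alpha certs check-expiration
# NOTE(review): "renew all" should also rewrite /etc/kubernetes/admin.conf; if kubectl on
# this host works from a copy of it (~/.kube/config), refresh that copy — verify.

# Remove the exported configuration (it is a single file: rm -f, not rm -rf)
rm -f -- /root/kubeadm.yaml

# Restart the static control-plane containers so they pick up the renewed certificates.
# The container ID is printed first by --format, so awk keeps column 1; xargs -r runs
# nothing when no container matched instead of calling "docker restart" with no ID.
docker ps --format '{{.ID}} {{.Names}}' \
  | grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' \
  | awk '{print $1}' \
  | xargs -r docker restart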

ssh 免密碼登入

產生公私鑰

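# Key directory, owner-only (mode is applied only when the directory is created)
mkdir -p -m 700 ~/.ssh
cd ~/.ssh || exit 1
# RSA key pair with an empty passphrase (-N '') so the login needs no interaction.
# The private key is therefore unencrypted on disk; ssh-keygen writes it mode 0600,
# keep it that way. Skip generation when id_rsa already exists so an existing
# identity is never overwritten (ssh-keygen would otherwise prompt to overwrite).
[[ -e id_rsa ]] || ssh-keygen -f id_rsa -t rsa -b 4096 -N ''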

將公鑰寫入server的authorized_keys

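# Append the public key to the server's authorized_keys. The remote ~/.ssh is created
# if missing, and umask 077 makes the new directory/file owner-only, which sshd's
# StrictModes requires before it will use the file. The key is fed on stdin (no cat).
ssh username@serverip 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' < ~/.ssh/id_rsa.pub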

[k8s] 建立使用者及namespace

建立namespaces

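# Create the namespace; skip when it already exists so the step can be re-run.
# NOTE(review): the service account, role and binding below all use namespace
# tw-sgis, while this creates "slanla" — confirm which namespace is intended.
kubectl get ns slanla >/dev/null 2>&1 || kubectl create ns slanla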

建立user

# Service account that the role binding below grants pod access to
kubectl create serviceaccount slanla --namespace=tw-sgis

RBAC 授權

建立規則

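# Role for the service account, limited to pods and their logs in tw-sgis.
# apiGroups names the core group ("") instead of "*": pods and pods/log live only
# there, and a wildcard would also match a "pods" resource exposed by other API
# groups (e.g. metrics.k8s.io), granting more than intended.
# The here-doc delimiter is quoted so nothing in the manifest is shell-expanded.
cat <<'EOF' > slanla-user-role.yml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: tw-sgis
  name: slanla-user-pod
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "watch", "list", "update", "create", "delete"]
EOF
kubectl apply -f slanla-user-role.yml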

授權對象

# Bind the role to the service account. The role also grants update/create/delete,
# so the binding name "view-pod" understates what it allows.
kubectl create rolebinding slanla-view-pod \
  --namespace=tw-sgis \
  --role=slanla-user-pod \
  --serviceaccount=tw-sgis:slanla

產生設定檔

取得 secret 資訊

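# Name of the token secret attached to the service account (first entry only;
# the old range template concatenated all names without a separator).
# Stop if there is none: every later step needs this name, and clusters that no
# longer auto-create service-account token secrets leave .secrets empty.
SECRET=$(kubectl -n tw-sgis get sa slanla -o jsonpath='{.secrets[0].name}')
[[ -n "$SECRET" ]] || { printf 'no token secret found for service account slanla\n' >&2; exit 1; }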

設定API Server

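# API server endpoint written into the generated kubeconfig. The placeholder must be
# replaced with the real address; an API_SERVER already set in the environment wins.
API_SERVER=${API_SERVER:-"https://xxx.xxx.xxx.xxx:6443"}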

取得 ca

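# Base64-encoded cluster CA from the token secret. The field is read directly with
# jsonpath (the dot in "ca.crt" is escaped) instead of scraping the YAML dump, and
# the secret name is quoted.
CA_CERT=$(kubectl -n tw-sgis get secret "$SECRET" -o jsonpath='{.data.ca\.crt}')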

建立

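# Write the cluster section of the kubeconfig. Both values must be non-empty,
# otherwise an unusable file is produced. The file will later hold the
# service-account token, so it is created owner-only; umask is set inside a
# subshell so the caller's umask is untouched.
: "${CA_CERT:?CA_CERT is empty}" "${API_SERVER:?API_SERVER is empty}"
(
  umask 077
  cat <<EOF > slanla.conf
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: $CA_CERT
    server: $API_SERVER
  name: cluster
EOF
)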

取得token

# Base64-encoded bearer token of the service account (decoded when it is stored below)
TOKEN=$(kubectl -n tw-sgis get secret "${SECRET}" -o jsonpath='{.data.token}')

設定 token

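# Store the decoded token for user slanla-user in the generated kubeconfig.
# printf replaces echo and "$(...)" replaces backticks, with the variable quoted.
# The token is still passed on kubectl's command line, so it is briefly visible
# in the process list while the command runs.
kubectl config set-credentials slanla-user \
  --token="$(printf '%s' "$TOKEN" | base64 -d)" \
  --kubeconfig=slanla.conf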

建立context: default

# Context "default" joins the cluster entry with the token user
kubectl config set-context default \
  --kubeconfig=slanla.conf \
  --cluster=cluster \
  --user=slanla-user

指定context: default

# Make "default" the active context of the generated kubeconfig
kubectl config use-context default --kubeconfig=slanla.conf

SQL, 帳號密碼查詢的建議做法

測試資料:

-- Test row. The password is inserted in clear text here, while both queries
-- below compare `pswd` against a SHA-1 value, so as written the lookups do
-- not match this row; one side has to change.
INSERT INTO `test` (`user`, `pswd`)
VALUES ('test', 'ABcd+1234')

一般常見做法

-- Common approach: the stored value is compared with the SHA-1 of the supplied
-- password. The literal 'ABcd+1234' stands for user input and must reach the
-- statement as a bound parameter, never spliced into the SQL text.
SELECT `user`
FROM `test`
WHERE `user` = 'test'
  AND `pswd` = SHA1('ABcd+1234')

較安全的做法，但會增加 DB 的 CPU 負載！

-- "Safer" variant: both sides are re-hashed with the constant 9999 appended.
-- Because the same constant is appended on both sides, this is equivalent to
-- `pswd` = SHA1(password) with two extra hash calls per candidate row; it does
-- not add a per-user salt to what is stored, and the extra work lands on the
-- database server.
SELECT `user`
FROM `test`
WHERE `user` = 'test'
  AND SHA1(CONCAT(`pswd`, 9999)) = SHA1(CONCAT(SHA1('ABcd+1234'), 9999))

CentOS 基本安裝參考指令

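# Update all packages and remove orphaned dependencies
yum update -y && yum autoremove -y

# Common tools: vim/wget/openssh-server/nslookup/ping/ifconfig and friends.
# 'openssh*' is quoted so the glob is expanded by yum, not by the shell.
yum install -y git vim wget 'openssh*' nfs-utils nfs-utils-lib open-vm-tools net-tools bind-utils iputils yum-utils

# ssh client config.
# "StrictHostKeyChecking no" for every host disables host-key verification, so a
# changed or spoofed host key is accepted silently. Clients with OpenSSH 7.6 or
# newer can use "accept-new" (record on first contact, reject later changes);
# older clients only understand yes/no/ask.
mkdir -p -m 700 ~/.ssh
cat <<'EOF' > ~/.ssh/config
Host *
    StrictHostKeyChecking no
EOF

# Disable swap: comment out every uncommented fstab entry whose type is swap.
# (The previous grep/sed pair produced an empty sed pattern when no swap line
# existed and broke when more than one line matched.) Then switch swap off now.
sed -i '/^[^#].*[[:space:]]swap[[:space:]]/s/^/#/' /etc/fstab
swapoff -a
free -m

# Disable SELinux at runtime and persistently. "permissive" would keep denials
# logged in the audit log without blocking; "disabled" is what these notes use.
setenforce 0
sed -i 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config
systemctl disable libvirtd.service

# Forward policy: accept forwarded traffic
iptables -P FORWARD ACCEPT

# Stop and disable the host firewall (listed once; the original repeated it)
systemctl stop firewalld
systemctl disable firewalld

# NTP time sync. "restrict default ..." keeps remote hosts from querying or
# modifying the daemon (the original file only restricted the loopback addresses);
# the unrestricted loopback entries keep local "ntpq -p" working. The here-doc
# delimiter is quoted so nothing in the file is shell-expanded.
yum install -y ntp ntpdate ntp-doc
cat > /etc/ntp.conf <<'EOL'
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server time.stdtime.gov.tw  minpoll 1 maxpoll 3
server tock.stdtime.gov.tw  minpoll 2 maxpoll 3
server watch.stdtime.gov.tw minpoll 3 maxpoll 4
server clock.stdtime.gov.tw minpoll 4 maxpoll 5
server tick.stdtime.gov.tw  minpoll 5 maxpoll 6
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor
EOL

# Step the clock once while the daemon is stopped, then enable and start it,
# and show the peer status
systemctl stop ntpd
ntpdate time.stdtime.gov.tw
systemctl enable ntpd
systemctl start ntpd
ntpq -p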

[code] post

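/**
 * Send an HTTP POST request and return the response body.
 *
 * @param string       $url  Target URL; only http:// and https:// are accepted.
 * @param array|string $post Form fields (sorted by key, then URL-encoded) or a
 *                           pre-built raw body sent as-is.
 * @return string|false Response body, or false when the URL scheme is not
 *                      http(s) or the request fails. Warnings are suppressed,
 *                      so the failure reason is only available via error_get_last().
 */
function post($url, $post){
  // Accept only HTTP(S) URLs: file_get_contents() would otherwise honour any
  // other wrapper (file://, php://, ...) and ignore the HTTP context entirely.
  $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
  if ($scheme !== 'http' && $scheme !== 'https'){
    return false;
  }
  $http = array('method' => 'POST');
  if (is_array($post)){
    // Deterministic field order (e.g. for request signing), then form-encode.
    ksort($post);
    $http['content'] = http_build_query($post, '', '&');
    // State the form encoding explicitly; PHP otherwise falls back to this
    // type while emitting a notice.
    $http['header'] = 'Content-Type: application/x-www-form-urlencoded';
  }
  else{
    // Raw body: the caller is responsible for its encoding and Content-Type.
    $http['content'] = $post;
  }
  $context = array('http' => $http);
  // '@' keeps failures quiet, as before; they are signalled by returning false.
  return @file_get_contents($url, false, stream_context_create($context));
}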