2) Deploying the EKMS service
Creating the PVC (PersistentVolumeClaim)
Run only once, on a fresh installation, to provide storage for per-tenant key files.
- cloud-ekms-pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: cloud-ekms-data
  namespace: dev
spec:
  storageClassName: dev
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 5Gi
- Items to change for the customer environment: namespace, storageClassName
Creating the EKMS service
EKMS service Deploy file (old version)
- cloud-ekms-service.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloud-ekms-config
  namespace: dev
data:
  ## Required settings
  # Master-tenant ID registered in SHIELD ID
  CUSTOM_AUTH_SERVICE_EXTRA: "uFhoVIZI-wni6zwDS-E6xGXPqT-m2ms8GWh"
  # EKMS app ID registered under the SHIELD ID master-tenant
  CUSTOM_APP_TENANT_ID: "c290ed67-bfbf-49eb-a9af-0c8b29ee2ab5"
  # EKMS app secret registered under the SHIELD ID master-tenant
  CUSTOM_APP_TENANT_SECRET: "KyQmKiMtIyokISQoKSglJyktKSYoISQhJSYjLCsqISM"
  # Name of the namespace in the cluster where the EKMS service is installed
  CUSTOM_NAMESPACE: "dev"
  # SHIELD ID URL
  CUSTOM_AUTH_SERVICE_URL: "http://cloud-oauth-service.dev.svc.cluster.local"
  # Integrated log service URL
  CUSTOM_LOG_SERVICE_URL: "http://cloud-log-service.dev.svc.cluster.local"
  # Key vault (KMS) service URL
  CUSTOM_KMS_SERVICE_URL: "http://cloud-kms-service.dev.svc.cluster.local"
  # SKMS service URL
  CUSTOM_SKMS_SERVICE_URL: "http://cloud-skms-service.dev.svc.cluster.local"
  # =================================================================
  ## Features not currently used (do not change)
  # ZIPKIN settings
  CUSTOM_ZIPKIN_USE: "false"
  CUSTOM_ZIPKIN_BASE_URL: "http://127.0.0.1:9411"
  CUSTOM_APPLICATION_NAME: "EKMS"
  CUSTOM_SLEUTH_SAMPLER_PROBABILITY: "0.1"
  # =================================================================
  ## Optional settings
  # LOG_LEVEL: debug (default: info)
  # Port on which the Prometheus endpoint is exposed (default: 9090)
  # METRICS_PORT: 9090
  # Whether metrics are enabled (default: true)
  # METRICS_ENABLED: true
  # Enable authentication on the metrics path (default: false)
  # SECURITY_ACTUATOR_ENABLED: false
  # When replicas is 2 or more, RABBITMQ must be configured for the notify feature (default: false)
  # CUSTOM_RABBITMQ_USE: "false"
  # CUSTOM_RABBITMQ_HOST: "security365-rabbitmq.dev.svc.cluster.local"
  # CUSTOM_RABBITMQ_PORT: "5672"
  # CUSTOM_RABBITMQ_USERNAME: "security365"
  # CUSTOM_RABBITMQ_PASSWORD: "security365"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloud-cdf-config
  namespace: dev
data:
  ## [SDF container only] Required SKMS URL setting
  SKMS_API_URL: "http://cloud-skms-service.dev.svc.cluster.local"
  ## [SDF container only] Service port
  CONTAINER_LINKER_SERVER_PORT: "8181"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cloud-ekms-service
  namespace: dev
  labels:
    app: cloud-ekms-service
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cloud-ekms-service
  template:
    metadata:
      labels:
        app: cloud-ekms-service
    spec:
      containers:
        - name: cloud-ekms-service
          image: security365acr.azurecr.io/shieldrm/cloud-ekms:latest
          imagePullPolicy: Always
          resources:
            requests:
              memory: 2Gi
            limits:
              memory: 2Gi
          ports:
            - containerPort: 8080
          envFrom:
            - configMapRef:
                name: cloud-ekms-config
          volumeMounts:
            - name: cloud-ekms-data
              mountPath: /opt/shieldrm/data
            - name: nfs-temp-pvc
              mountPath: /opt/shieldrm/shw
        ##==========================[SDF container only START]==========================##
        - name: cloud-containerlinker-service
          image: security365acr.azurecr.io/shieldrm/cloud-containerlinker:latest
          imagePullPolicy: Always
          resources:
            requests:
              memory: 256Mi
            limits:
              memory: 512Mi
          ports:
            - containerPort: 8181
          envFrom:
            - configMapRef:
                name: cloud-cdf-config
          volumeMounts:
            - name: cloud-ekms-data
              mountPath: /opt/shieldrm/data
            - name: nfs-temp-pvc
              mountPath: /opt/shieldrm/shw
        ##==========================[SDF container only END]==========================##
      volumes:
        - name: cloud-ekms-data
          persistentVolumeClaim:
            claimName: cloud-ekms-data
        - name: nfs-temp-pvc
          persistentVolumeClaim:
            claimName: nfs-temp-pvc
      imagePullSecrets:
        - name: security365acr
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: cloud-ekms-service
  name: cloud-ekms-service
  namespace: dev
spec:
  type: ClusterIP
  ports:
    - name: ekms
      port: 80
      protocol: TCP
      targetPort: 8080
    - name: metric
      port: 9090
      protocol: TCP
      targetPort: 9090
  selector:
    app: cloud-ekms-service
- Items to change for the customer environment: namespace, ConfigMap, image path
EKMS service Deploy file (new version)
Notes
- Use the shieldrm/cloud-ekms:20251110.1 image or later
- Container security hardening included in this version:
  - allowPrivilegeEscalation setting
  - seccomp profile applied
  - runAsNonRoot setting
  - readOnlyRootFilesystem setting
- cloud-ekms-service.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloud-ekms-config
  namespace: dev
data:
  ## Required settings
  # Master-tenant ID registered in SHIELD ID
  CUSTOM_AUTH_SERVICE_EXTRA: "uFhoVIZI-wni6zwDS-E6xGXPqT-m2ms8GWh"
  # EKMS app ID registered under the SHIELD ID master-tenant
  CUSTOM_APP_TENANT_ID: "c290ed67-bfbf-49eb-a9af-0c8b29ee2ab5"
  # EKMS app secret registered under the SHIELD ID master-tenant
  CUSTOM_APP_TENANT_SECRET: "KyQmKiMtIyokISQoKSglJyktKSYoISQhJSYjLCsqISM"
  # Name of the namespace in the cluster where the EKMS service is installed
  CUSTOM_NAMESPACE: "dev"
  # SHIELD ID URL
  CUSTOM_AUTH_SERVICE_URL: "http://cloud-oauth-service.dev.svc.cluster.local"
  # Integrated log service URL
  CUSTOM_LOG_SERVICE_URL: "http://cloud-log-service.dev.svc.cluster.local"
  # Key vault (KMS) service URL
  CUSTOM_KMS_SERVICE_URL: "http://cloud-kms-service.dev.svc.cluster.local"
  # SKMS service URL
  CUSTOM_SKMS_SERVICE_URL: "http://cloud-skms-service.dev.svc.cluster.local"
  # =================================================================
  ## Features not currently used (do not change)
  # ZIPKIN settings
  CUSTOM_ZIPKIN_USE: "false"
  CUSTOM_ZIPKIN_BASE_URL: "http://127.0.0.1:9411"
  CUSTOM_APPLICATION_NAME: "EKMS"
  CUSTOM_SLEUTH_SAMPLER_PROBABILITY: "0.1"
  # =================================================================
  ## Optional settings
  # LOG_LEVEL: debug (default: info)
  # Port on which the Prometheus endpoint is exposed (default: 9090)
  # METRICS_PORT: 9090
  # Whether metrics are enabled (default: true)
  # METRICS_ENABLED: true
  # Enable authentication on the metrics path (default: false)
  # SECURITY_ACTUATOR_ENABLED: false
  # When replicas is 2 or more, RABBITMQ must be configured for the notify feature (default: false)
  # CUSTOM_RABBITMQ_USE: "false"
  # CUSTOM_RABBITMQ_HOST: "security365-rabbitmq.dev.svc.cluster.local"
  # CUSTOM_RABBITMQ_PORT: "5672"
  # CUSTOM_RABBITMQ_USERNAME: "security365"
  # CUSTOM_RABBITMQ_PASSWORD: "security365"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloud-cdf-config
  namespace: dev
data:
  ## [SDF container only] Required SKMS URL setting
  SKMS_API_URL: "http://cloud-skms-service.dev.svc.cluster.local"
  ## [SDF container only] Service port
  CONTAINER_LINKER_SERVER_PORT: "8181"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cloud-ekms-service
  namespace: dev
  labels:
    app: cloud-ekms-service
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cloud-ekms-service
  template:
    metadata:
      labels:
        app: cloud-ekms-service
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        runAsGroup: 10001
        fsGroup: 10001
        fsGroupChangePolicy: Always
        seccompProfile: { type: RuntimeDefault }
      initContainers:
        - name: init-opt-root
          image: security365acr.azurecr.io/shieldrm/cloud-ekms:latest
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh","-c"]
          args:
            - |
              set -eux
              mkdir -p /mnt/opt
              # Copy the whole /opt from the image into the RW volume
              cp -r /opt/. /mnt/opt/
              ls -la /mnt/opt || true
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 10001
            runAsGroup: 10001
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: opt-root
              mountPath: /mnt/opt
            - name: ekms-tmp
              mountPath: /tmp
        - name: fix-ekms-permissions
          image: security365acr.azurecr.io/busybox:latest
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh","-lc"]
          args:
            - |
              set -euxo pipefail
              umask 002
              # Ownership of everything under /opt
              chown -R 10001:10001 /opt || true
              # Directories: 2775 (setgid + g+rwx), files: 0664
              find /opt -type d -exec chmod 2775 {} + || true
              find /opt -type f -perm /111 -exec chmod 0755 {} \; || true
              find /opt -type f ! -perm /111 -exec chmod 0664 {} \; || true
              # Print the result for verification
              ls -ld /opt /opt/* 2>/dev/null || true
          securityContext:
            runAsNonRoot: false
            runAsUser: 0
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: opt-root
              mountPath: /opt
            - name: ekms-tmp
              mountPath: /tmp
      containers:
        - name: cloud-ekms-service
          image: security365acr.azurecr.io/shieldrm/cloud-ekms:latest
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              memory: 2Gi
            limits:
              memory: 2Gi
          ports:
            - containerPort: 8080
          envFrom:
            - configMapRef:
                name: cloud-ekms-config
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: cloud-ekms-data
              mountPath: /opt/shieldrm/data
            - name: nfs-temp-pvc
              mountPath: /opt/shieldrm/shw
            - name: opt-root
              mountPath: /opt
            - name: ekms-tmp
              mountPath: /tmp
        ##==========================[SDF container only START]========================##
        - name: cloud-containerlinker-service
          image: security365acr.azurecr.io/shieldrm/cloud-containerlinker:latest
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              memory: 256Mi
            limits:
              memory: 512Mi
          ports:
            - containerPort: 8181
          envFrom:
            - configMapRef:
                name: cloud-cdf-config
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: cloud-ekms-data
              mountPath: /opt/shieldrm/data
            - name: nfs-temp-pvc
              mountPath: /opt/shieldrm/shw
            - name: containerlinker-tmp
              mountPath: /tmp
            - name: containerlinker-logs
              mountPath: /opt/containerLinker/logs
            - name: containerlinker-scsllog
              mountPath: /opt/containerLinker/scsllog
            - name: containerlinker-mip
              mountPath: /opt/containerLinker/mip
        ##==========================[SDF container only END]==========================##
      volumes:
        - name: cloud-ekms-data
          persistentVolumeClaim:
            claimName: cloud-ekms-data
        - name: nfs-temp-pvc
          persistentVolumeClaim:
            claimName: nfs-temp-pvc
        - name: opt-root
          emptyDir: {}
        - name: ekms-tmp
          emptyDir: {}
        ##==========================[SDF container only START]========================##
        - name: containerlinker-tmp
          emptyDir: {}
        - name: containerlinker-logs
          emptyDir: {}
        - name: containerlinker-scsllog
          emptyDir: {}
        - name: containerlinker-mip
          emptyDir: {}
        ##==========================[SDF container only END]==========================##
      imagePullSecrets:
        - name: security365acr
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: cloud-ekms-service
  name: cloud-ekms-service
  namespace: dev
spec:
  type: ClusterIP
  ports:
    - name: ekms
      port: 80
      protocol: TCP
      targetPort: 8080
    - name: metric
      port: 9090
      protocol: TCP
      targetPort: 9090
  selector:
    app: cloud-ekms-service
- Items to change for the customer environment: namespace, ConfigMap, image path
Commands
- Create the pods: kubectl apply -f .\cloud-ekms-service.yaml
- Delete the pods: kubectl delete -f .\cloud-ekms-service.yaml
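The following check is an added example and is not part of this guide or of the product's manifests. It audits a Deployment, loaded as a dict from the JSON that `kubectl get deployment -o json` prints, for the hardening points listed in the notes for the new version (allowPrivilegeEscalation, seccomp profile, runAsNonRoot, readOnlyRootFilesystem), and additionally for dropped capabilities and for the combination of a mutable image tag with imagePullPolicy IfNotPresent, which can leave a node running a previously pulled image after a re-apply. The fix-ekms-permissions init container intentionally runs as root (runAsUser: 0) to chown the copied /opt tree, so the audit takes an allowlist for that case. The two sample Deployment dicts are constructed subsets of the old and new manifests above; the script file name in the usage note is an assumption.

```python
"""Audit a Kubernetes Deployment dict for the container hardening settings used by the
new cloud-ekms-service manifest.  Added example; SAMPLE_NEW and SAMPLE_OLD are constructed
subsets of the manifests in the guide (ports, env and volumes omitted)."""
import json
import sys

# Settings that may be given at pod level and overridden per container.
_POD_KEYS = ("runAsNonRoot", "runAsUser", "runAsGroup", "seccompProfile")
# Settings that exist only on a container securityContext.
_CTR_KEYS = ("allowPrivilegeEscalation", "readOnlyRootFilesystem", "capabilities")


def effective_security_context(pod_sc: dict, ctr_sc: dict) -> dict:
    """Merge pod-level and container-level settings; container values win."""
    eff = {k: pod_sc[k] for k in _POD_KEYS if k in pod_sc}
    eff.update({k: ctr_sc[k] for k in _POD_KEYS + _CTR_KEYS if k in ctr_sc})
    return eff


def image_tag(image: str) -> str:
    """Tag of an image reference: '' if untagged, 'digest' if pinned with @sha256:..."""
    if "@" in image:
        return "digest"
    last = image.rsplit("/", 1)[-1]          # strip registry/repository path
    return last.split(":", 1)[1] if ":" in last else ""


def audit_deployment(deployment: dict, root_allowlist=()) -> list:
    """Return (container name, finding) pairs over init containers and app containers.
    Names in root_allowlist are permitted to run as root (e.g. a chown-only init container)."""
    findings = []
    pod_spec = deployment["spec"]["template"]["spec"]
    pod_sc = pod_spec.get("securityContext", {})
    for field in ("initContainers", "containers"):
        for ctr in pod_spec.get(field, []):
            name = ctr["name"]
            sc = effective_security_context(pod_sc, ctr.get("securityContext", {}))
            if sc.get("allowPrivilegeEscalation") is not False:
                findings.append((name, "allowPrivilegeEscalation is not false"))
            if sc.get("readOnlyRootFilesystem") is not True:
                findings.append((name, "readOnlyRootFilesystem is not true"))
            if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
                findings.append((name, "no RuntimeDefault/Localhost seccompProfile in effect"))
            uid = sc.get("runAsUser")
            if uid == 0:
                root_msg = "runs as root (runAsUser: 0)"
            elif uid is None and sc.get("runAsNonRoot") is not True:
                root_msg = "may run as root (neither runAsUser nor runAsNonRoot: true is set)"
            else:
                root_msg = None
            if root_msg and name not in root_allowlist:
                findings.append((name, root_msg))
            if "ALL" not in sc.get("capabilities", {}).get("drop", []):
                findings.append((name, "capabilities.drop does not include ALL"))
            # A mutable tag plus IfNotPresent lets a node keep serving an already
            # pulled image, so a re-apply may not pick up the hardened build.
            if (image_tag(ctr.get("image", "")) in ("", "latest")
                    and ctr.get("imagePullPolicy") == "IfNotPresent"):
                findings.append((name, "mutable image tag with imagePullPolicy IfNotPresent"))
    return findings


EKMS_IMG = "security365acr.azurecr.io/shieldrm/cloud-ekms:latest"
HARDENED = {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}}

# Constructed subset of the new-version Deployment in the guide.
SAMPLE_NEW = {"spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001, "runAsGroup": 10001,
                        "fsGroup": 10001, "seccompProfile": {"type": "RuntimeDefault"}},
    "initContainers": [
        {"name": "init-opt-root", "image": EKMS_IMG, "imagePullPolicy": "IfNotPresent",
         "securityContext": {**HARDENED, "runAsUser": 10001, "runAsGroup": 10001}},
        {"name": "fix-ekms-permissions", "imagePullPolicy": "IfNotPresent",
         "image": "security365acr.azurecr.io/busybox:latest",
         "securityContext": {"runAsNonRoot": False, "runAsUser": 0,
                             "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True}},
    ],
    "containers": [
        {"name": "cloud-ekms-service", "image": EKMS_IMG, "imagePullPolicy": "IfNotPresent",
         "securityContext": HARDENED},
        {"name": "cloud-containerlinker-service", "imagePullPolicy": "IfNotPresent",
         "image": "security365acr.azurecr.io/shieldrm/cloud-containerlinker:latest",
         "securityContext": HARDENED},
    ]}}}}

# Constructed subset of the old-version Deployment: no securityContext at any level.
SAMPLE_OLD = {"spec": {"template": {"spec": {"containers": [
    {"name": "cloud-ekms-service", "image": EKMS_IMG, "imagePullPolicy": "Always"}]}}}}

if __name__ == "__main__":
    # Pipe `kubectl -n dev get deployment cloud-ekms-service -o json` into stdin,
    # or run with no input to audit the constructed new-version sample.
    deploy = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_NEW
    for ctr_name, msg in audit_deployment(deploy, root_allowlist=("fix-ekms-permissions",)):
        print(f"{ctr_name}: {msg}")
```

Usage, assuming the script is saved as audit_ekms_deploy.py: `kubectl -n dev get deployment cloud-ekms-service -o json | python3 audit_ekms_deploy.py`. Against the new manifest the only findings are the missing capabilities.drop on fix-ekms-permissions and the latest tag with IfNotPresent on every container; against the old manifest every hardening check fails, which is the difference the notes above describe.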