From the course: Certified Kubernetes Security Specialist (CKS) Cert Prep
Verify binary checksum - Kubernetes Tutorial
Verify binary checksum
- So now that we know how to download the various files that we're looking for, as well as the ability to be able to get the checksum, let's just do a quick check to make sure that one of the files we download we can validate. So here, we're going to go ahead and just use a wget command, and I'm going to use the wget, and then we're going to go to dl.k8s.io. We're going to pull down version 1.29.4 and we're going to get the kube-apiserver arm64 version. Let's go ahead and download that. Now we should have it. So yep, there's the kube-apiserver, but in addition, I also need to pull down the sha256 file. So let's go ahead and pull that down. So now we should have both of them. And then at this point, it's really just as simple as being able to enter a command that'll do that check. So I have one already here that I'm going to go ahead and just copy over, and we'll talk about it really quick. Go ahead and clear this. This one is going to use the echo command to be able to take that sha256 file, right, which is basically just a hash, and it's going to compare that to the kube-apiserver. And then it's going to pipe that into sha256sum with a check command. So what this should do is it should basically run that sha256sum to be able to get the binary hash of the file itself and then compare it to the sha256 file that we downloaded, which should be the correct one. So let's go ahead and do a quick check. So yes, it absolutely is the same. So if we want to go ahead and just validate it, let's cat kube-apiserver.sha256. So there's that. And then let's do a quick sha256sum kube-apiserver. And then if you look at it, you can see just comparing the two, it absolutely matches. Okay, so the command works, the ability to be able to do that quick check also works as well. Now we do have the ability to be able to also check the signature of these, 'cause they're all signed with certificates.
And in order to be able to do that, there's a documentation section that goes through all the details on it as well as giving you some code that you can use to do these checks. So going back to the documentation here, you can see that if I want to be able to verify the binary signatures, I have a quick command here that I can execute. So this one is going to not only download the appropriate version, but it'll also pull down the sig and the cert file, right? Which is going to be important for us to be able to use the cosign tool to be able to validate it. So here, I'm going to go ahead and just copy this directly. And then this is going to pull down, looks like it's the amd64 version of the kubectl command. So let's just go ahead and copy that. And then we'll go back over here to the command line and we'll just enter it. So from here, I'm just going to copy this directly in. It's going to go to the directory that I'm currently in, download those three files, and we should be good to go. All right, so let's take a look. And yes, we do have those files: we have kubectl, we have the cert, and we have the sig. Now, in order to be able to do the check, we need to go back to the documentation, and then from there, you'll see that there is a way to be able to validate it. So I'm going to go ahead and use this cosign command, and then we're going to validate it against the Google certificate, which is how it's currently signed. So this will allow us to be able to then validate that that is the actual one that we want, and that it has been authorized and signed by the Kubernetes project. So from here, let's go ahead and clear screen again. Go ahead and copy that in. So here, we're going to use the cosign verify, and then that binary is, from that original script, it set a variable and that's what's actually being checked here.
So that binary, and then of course, as you can see, this is very, very scriptable, which I'll show you in a second. It's kind of cool. Okay, so from there, we're able to check the signature, validate against the file, and it's saying, yes, everything is good. So it's verified okay. Now that's great if you want to do that one by one, but I feel like there's an easier way, and that's where scripting comes into play. So if we look at a quick bash script, this is download_k8s, and it's a bash script that's basically going to pull down a version of Kubernetes. So we pass it an argument, we're going to give it a version, it's going to store that version, and then it's going to pull that information down. And notice, I do have arm64 in here. If you wanted to use this and be able to change it, you just need to change it to amd64 or whatever version you're dealing with. And then from there, we're going to pull down a certain number of binaries. Now we could get all of them that we would want, but here, I have a few that are selected. And then from there, we're going to make a directory and then we're going to go ahead and download all of those different files. So we're going to get the binary, we're going to get the sha256, the signature, and the cert. And then from there, we're going to go ahead and do our checks. So here we're going to download the files, we're going to download the public certificates, we're going to verify the downloads, make sure that everything matches the sha256. And then we're going to do the cosign process to be able to ensure that the signatures are working the way they should. So this little script will allow us to be able to download everything, check it, and then do it all pretty much in one go. All right, so from here, let's go ahead and take a quick look. So there's my download_k8s.
I set it executable, and now when I go to enter it, I can put in 1.29.4, and then that's going to go ahead and download all of those files that we were looking for. So you're seeing it's pulling down all the different components as well as their various signatures and checksums. And then from there, now it's going through and doing its checks. So as you can see, everything just went through and did its actual check, and everything checked fine. So if it did come back with an error, it would tell me, but here, we're seeing that yes, everything is validated and verified, and that's just a quick way to be able to do this process across a large number of files very quickly. And it just shows you the power of making sure that you understand how to do some bash scripting. It's pretty powerful, especially if you don't like to type a lot.
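The download-and-verify flow walked through in this video, written out as an added bash script (this is not the course's own download_k8s script). It assumes the dl.k8s.io release URL layout and a .sha256 file that holds only the digest, as shown above; the cosign identity and OIDC issuer values are the ones the Kubernetes documentation publishes for release binaries, and the signature step runs only when cosign is installed.

```shell
#!/usr/bin/env bash
# Added example: download a Kubernetes release binary with its .sha256,
# .sig and .cert, verify the checksum, then verify the Sigstore signature.
set -euo pipefail

# Assumed layout: https://dl.k8s.io/release/<version>/bin/linux/<arch>/<binary>
K8S_BASE="https://dl.k8s.io/release"

# verify_checksum BINARY SHA256FILE
# The .sha256 file contains only the hex digest, so we prepend it to the
# file name in the "<digest>  <file>" format that sha256sum --check expects.
# Returns non-zero on mismatch (or if either file is missing).
verify_checksum() {
  local binary="$1" sumfile="$2"
  echo "$(cat "$sumfile")  $binary" | sha256sum --check --status
}

# verify_signature BINARY SIGFILE CERTFILE
# Keyless cosign verification of a release binary; identity and issuer are
# the values from the Kubernetes "verify signed artifacts" documentation.
verify_signature() {
  local binary="$1" sig="$2" cert="$3"
  cosign verify-blob "$binary" \
    --signature "$sig" \
    --certificate "$cert" \
    --certificate-identity krel-staging@k8s-releng-prod.iam.gserviceaccount.com \
    --certificate-oidc-issuer https://accounts.google.com
}

# download_and_verify VERSION ARCH BINARY...   e.g. v1.29.4 arm64 kube-apiserver
download_and_verify() {
  local version="$1" arch="$2"; shift 2
  local dir="k8s-$version-$arch" bin ext
  mkdir -p "$dir"
  for bin in "$@"; do
    for ext in "" .sha256 .sig .cert; do
      curl -fsSL -o "$dir/$bin$ext" "$K8S_BASE/$version/bin/linux/$arch/$bin$ext"
    done
    verify_checksum "$dir/$bin" "$dir/$bin.sha256" \
      || { echo "checksum mismatch: $bin" >&2; return 1; }
    if command -v cosign >/dev/null 2>&1; then
      verify_signature "$dir/$bin" "$dir/$bin.sig" "$dir/$bin.cert" \
        || { echo "signature check failed: $bin" >&2; return 1; }
    else
      echo "cosign not installed; signature of $bin NOT verified" >&2
    fi
  done
}

# Usage (needs network): download_and_verify v1.29.4 arm64 kube-apiserver kubectl
```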