kubectl: authentication, authorization, admission control

Kubernetes authentication and the serviceaccount (service account)

In Kubernetes the API server is the only entry point for access.

Authentication -> Authorization -> Admission control
Authentication methods:
token
SSL
Both kubectl and the nodes must authenticate mutually with the API server.
K8s 1.6 and later added RBAC authentication and authorization checks.
Clusters built with kubeadm enforce this RBAC authorization and authentication.
All of this is administered with the highest level of privilege.

A user account carries the following information:
Client -> API server; user account: user: username, uid
group:
extra:

API:
Request path
    /apis/apps/v1

List the supported API versions: kubectl api-versions
Multiple API versions can coexist.

###############
Start a local proxy on port 8080:
kubectl proxy --port=8080

[root@master ~]# ss -tnl
State      Recv-Q Send-Q                                Local Address:Port                                               Peer Address:Port              
LISTEN     0      128                                       127.0.0.1:10248                                                         *:*                  
LISTEN     0      128                                       127.0.0.1:10249                                                         *:*                  
LISTEN     0      128                                       127.0.0.1:10251                                                         *:*                  
LISTEN     0      128                                       127.0.0.1:2379                                                          *:*                  
LISTEN     0      128                                       127.0.0.1:10252                                                         *:*                  
LISTEN     0      128                                       127.0.0.1:2380                                                          *:*                  
LISTEN     0      128                                       127.0.0.1:8080                                                          *:*                  
LISTEN     0      128                                               *:22                                                            *:*                  
LISTEN     0      128                                       127.0.0.1:39576                                                         *:*                  
LISTEN     0      100                                       127.0.0.1:25                                                            *:*                  
LISTEN     0      128                                              :::10250                                                        :::*                  
LISTEN     0      128                                              :::6443                                                         :::*                  
LISTEN     0      128                                              :::10256                                                        :::*                  
LISTEN     0      128                                              :::22                                                           :::*                  
LISTEN     0      100                                             ::1:25                                                           :::*  

Port 8080 is now listening.

curl http://localhost:8080/api/v1/namespaces
Returns the data in JSON format.
curl http://localhost:8080/apis/apps/v1/namespaces/kube-system/deployments

Create, read, update and delete on the JSON data:
Request path
HTTP request verb:
	get, post, put, delete
API request verb:
	get, list, create, update, patch, watch, proxy, redirect, delete, deletecollection (delete a whole collection)
Resource
Subresource
Namespace
API group


Two kinds of clients talk to the API server:
1. Addresses outside the cluster
2. Pods inside the cluster

A quick way to create a manifest:

kubectl create serviceaccount mysa -o yaml --dry-run
Notes:
-o yaml prints the object as YAML
--dry-run only simulates the command; nothing is created on the server

Or redirect it to a file:
kubectl create serviceaccount mysa -o yaml --dry-run >test.yaml

Generate YAML from a running Pod:
kubectl get pods myapp-0 -o yaml --export

List the existing service accounts (sa):
[root@master ~]# kubectl get sa
NAME      SECRETS   AGE
default   1         8d

Create a service account:
[root@master ~]# kubectl create serviceaccount admin
serviceaccount/admin created
[root@master ~]# kubectl get sa
NAME      SECRETS   AGE
admin     1         2s
default   1         8d

[root@master ~]# kubectl describe sa admin
Name:                admin
Namespace:           default
Labels:              
Annotations:         
Image pull secrets:     # no image pull secrets specified
Mountable secrets:   admin-token-mnczz
Tokens:              admin-token-mnczz
Events:              
A secret is generated automatically along with the service account;
it is what the service account uses to authenticate to the API server.
But authentication is not the same as permission: the account must still be authorized.

[root@master ~]# kubectl get secret
NAME                  TYPE                                  DATA      AGE
admin-token-mnczz     kubernetes.io/service-account-token   3         2m
default-token-8zzcr   kubernetes.io/service-account-token   3         8d

Now write a Pod manifest that uses the custom service account:
[root@master manifests]# cat pod-sa-demo.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: pod-sa-demo
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    node1/create-by: "cluster admin"  # annotation used as a note
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports: 
    - name: http
      containerPort: 80
  serviceAccountName: admin  # the custom service account

NAME          READY     STATUS    RESTARTS   AGE
pod-sa-demo   1/1   

Inspect it:

kubectl describe pods pod-sa-demo
node1/create-by=cluster admin   # the annotation took effect

RBAC implementation:
kubectl config
View the kubeconfig file:
kubectl config view

[root@master manifests]# kubectl config view
apiVersion: v1
clusters:     # list of clusters this config can reach
- cluster:
    certificate-authority-data: REDACTED   # CA data (kept private)
    server: https://192.168.68.10:6443     # API server address
  name: kubernetes    # cluster name
contexts:
- context:    # which cluster is accessed by which user
    cluster: kubernetes
    user: kubernetes-admin       # user account
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:  # users
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED   # client certificate
    client-key-data: REDACTED           # private key
###########################
Create your own private key
###########################
On the master node:
cd /etc/kubernetes/pki
Run: (umask 077; openssl genrsa -out jesse.key 2048)

Generating RSA private key, 2048 bit long modulus
............................................................+++
.....+++
e is 65537 (0x10001)
[root@master pki]# ll
total 60
-rw-r--r-- 1 root root 1216 Sep  4 23:13 apiserver.crt
-rw-r--r-- 1 root root 1094 Sep  4 23:13 apiserver-etcd-client.crt
-rw------- 1 root root 1679 Sep  4 23:13 apiserver-etcd-client.key
-rw------- 1 root root 1679 Sep  4 23:13 apiserver.key
-rw-r--r-- 1 root root 1099 Sep  4 23:13 apiserver-kubelet-client.crt
-rw------- 1 root root 1675 Sep  4 23:13 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 Sep  4 23:13 ca.crt
-rw------- 1 root root 1679 Sep  4 23:13 ca.key
drwxr-xr-x 2 root root  162 Sep  4 23:13 etcd
-rw-r--r-- 1 root root 1025 Sep  4 23:13 front-proxy-ca.crt
-rw------- 1 root root 1679 Sep  4 23:13 front-proxy-ca.key
-rw-r--r-- 1 root root 1050 Sep  4 23:13 front-proxy-client.crt
-rw------- 1 root root 1679 Sep  4 23:13 front-proxy-client.key
-rw------- 1 root root 1675 Sep 13 14:46 jesse.key              # newly generated
-rw------- 1 root root 1675 Sep  4 23:13 sa.key
-rw------- 1 root root  451 Sep  4 23:13 sa.pub

Generate a certificate request based on this private key:

openssl req -new -key jesse.key -out jesse.csr -subj "/CN=jesse"

Sign the certificate with the cluster CA:

[root@master pki]# openssl x509 -req -in jesse.csr -CA ./ca.crt -CAkey ./ca.key -CAcreateserial -out jesse.crt -days 365
Signature ok
subject=/CN=jesse
Getting CA Private Key

View the certificate contents:
openssl x509 -in jesse.crt -text -noout

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            ea:9f:bb:ab:a7:3f:aa:b8
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Sep 13 06:57:01 2018 GMT
            Not After : Sep 13 06:57:01 2019 GMT  # validity period
        Subject: CN=jesse
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption

Next, add these credentials to the kubeconfig used to connect to k8s:

[root@master pki]# kubectl config set-credentials jesse --client-certificate=./jesse.crt --client-key=./jesse.key --embed-certs=true
User "jesse" set.
Added successfully.
--embed-certs=true embeds the certificate and key data in the kubeconfig itself (config view displays it as REDACTED) instead of referencing the file paths

Check that it took effect:
[root@master pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://192.168.68.10:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: jesse # now present
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

Next, create a context so that jesse can also access the kubernetes cluster:

[root@master pki]# kubectl config set-context jesse@kubernetes --user=jesse
Context "jesse@kubernetes" created.

jesse@kubernetes   the context name
--user=jesse       sets the context's user to jesse

Check that it was added (no --cluster was given, so the new context's cluster field is left empty):

[root@master pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://192.168.68.10:6443
  name: kubernetes
contexts:
- context:
    cluster: ""
    user: jesse
  name: jesse@kubernetes
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: jesse
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

Switch context:

[root@master pki]# kubectl config  use-context jesse@kubernetes
Switched to context "jesse@kubernetes".
# switched successfully

Now fetching pods and nodes both fail: jesse has no permission to read them.
[root@master manifests]# kubectl get pods
error: the server doesn't have a resource type "pods"
[root@master manifests]# kubectl get nodes
error: the server doesn't have a resource type "nodes"

Define a new cluster in a separate kubeconfig:
First specify the CA certificate
Specify the API server address
Embed the certificate data (--embed-certs=true)
Specify the kubeconfig file path: --kubeconfig=/tmp/test.conf
If it is not specified, the default config under the home directory (~/.kube/config) is used

[root@master tmp]# kubectl config set-cluster mycluster --kubeconfig=/tmp/test.conf --server="https://192.168.68.10:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
Cluster "mycluster" set.

查看是否成功:
[root@master tmp]# kubectl config view --kubeconfig=/tmp/test.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://192.168.68.10:6443
  name: mycluster
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
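The certificate and kubeconfig procedure from this page (private key under umask 077, CSR with CN=jesse, CA-signed client cert, kubeconfig with embedded certs and a context that names its cluster) replayed offline as a POSIX shell script, plus the checks an administrator should run before handing the kubeconfig over. This is an added example, not code from the original notes: a throwaway CA created in a temp directory stands in for the cluster's /etc/kubernetes/pki/ca.crt and ca.key, and the group name "developers" is a constructed value.

```shell
# Added example (not from the original notes): replays the page's key -> CSR ->
# CA-signed cert flow for user "jesse" offline, then runs the checks an admin
# should do before handing out a kubeconfig. A throwaway CA created here STANDS
# IN for /etc/kubernetes/pki/ca.crt + ca.key; the "developers" group is constructed.
set -eu

# issue_user_cert DIR USER GROUP: writes DIR/ca.crt, DIR/USER.key, DIR/USER.crt
issue_user_cert() {
  mkdir -p "$1"
  (umask 077; openssl genrsa -out "$1/ca.key" 2048 2>/dev/null)   # stand-in CA
  openssl req -x509 -new -key "$1/ca.key" -days 365 -subj "/CN=kubernetes" \
    -out "$1/ca.crt" 2>/dev/null
  # The page's three steps; umask 077 keeps the private key 0600. The API server
  # takes the client cert's CN as the username and each O= as a group name.
  (umask 077; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null)
  openssl req -new -key "$1/$2.key" -subj "/CN=$2/O=$3" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -out "$1/$2.crt" 2>/dev/null
}

# cert_field DIR USER CN|O: the username (CN) or group (O) the API server will see
cert_field() {
  openssl x509 -in "$1/$2.crt" -noout -subject -nameopt RFC2253 |
    sed -n "s/.*$3=\([^,]*\).*/\1/p"
}
# cert_chains_to_ca DIR USER: exit 0 only if the cert was signed by DIR/ca.crt
cert_chains_to_ca() { openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; }

# embedded_kubeconfig DIR USER SERVER: what `kubectl config ... --embed-certs=true`
# yields: the PEM files base64-encoded inline (what `config view` shows as
# REDACTED) and a context that names its cluster, so it is not left as cluster: "".
embedded_kubeconfig() {
  b64() { base64 < "$1" | tr -d '\n'; }
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster: {server: "$3", certificate-authority-data: $(b64 "$1/ca.crt")}
users:
- name: $2
  user: {client-certificate-data: $(b64 "$1/$2.crt"), client-key-data: $(b64 "$1/$2.key")}
contexts:
- name: $2@kubernetes
  context: {cluster: kubernetes, user: $2}
current-context: $2@kubernetes
EOF
}
```

Run `issue_user_cert /tmp/demo jesse developers` and then `embedded_kubeconfig /tmp/demo jesse https://192.168.68.10:6443 > /tmp/test.conf` to get a kubeconfig equivalent to the set-cluster / set-credentials / set-context sequence above; `cert_chains_to_ca` is the check that the cert really was issued by the CA the API server trusts.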