k8s认证方式一般为token和kubeconfig。以下用使用kubeconfig方式演示
[root@k8s-master-01 k8s]# mkdir -p testUser
[root@k8s-master-01 k8s]# cd testUser/
[root@k8s-master-01 testUser]# ls
#生成私钥
[root@k8s-master-01 testUser]# openssl genrsa -out testUser.key 2048
Generating RSA private key, 2048 bit long modulus
...................+++
.....+++
e is 65537 (0x10001)
[root@k8s-master-01 testUser]# ls
testUser.key
#生成证书请求文件,其中CN=testUser指明用户名,O=Apple指明该用户所属的组
[root@k8s-master-01 testUser]# openssl req -new -key testUser.key -out testUser.csr -subj "/CN=testUser/O=Apple"
[root@k8s-master-01 testUser]# ls
testUser.csr testUser.key
#对证书请求文件编码
[root@k8s-master-01 testUser]# cat testUser.csr | base64 | tr -d "\n"
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2FEQ0NBVkFDQVFBd0l6RVJNQThHQTFVRUF3d0lkR1Z6ZEZWelpYSXhEakFNQmdOVkJBb01CVUZ3Y0d4bApNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTVhODVSUGx2MWhodnFJdU4xak5jCi9leE04SkNGbjNqYnhNMHAySUpDSzdHbHpvZkZlWGZsRnNyeFBUR0FDWTN5bkwyVG41bXFvcDR6NThQaGFQcGkKZ1I0bldkWWQ5OGNlNXY1UWhlVmFNK2lBS1M1UjlNRHJOM1hPcDQ1V3EyYityRXRnUWR2cXZlYnZzU0VVTlhpMgpONnp3ZW1xYlFPVkMwa2NkbzV3YWxCd0tqTk9KdGljZVZIN3dIUmpVNGYyRCtLM2RPc3pwNXo4NjhMeGhEMnRQCkYrc1MwR25kWWhBQWdLUkYvTGdPRERQT3BGaHBPbWNmdVd5dWhpQ3VRUkVmdVdTQXU0SW94WjNLaU5EZmZFa0sKR1hPd3BWd0NiY0pxc3Fib1BZRUlHTzA5RFUyaWJJVVZBMUVMbW5GVXJDSHdaQmw2WGthMDNWVURFbG85dkdsWgp3UUlEQVFBQm9BQXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBQmNGT1BDbFdzaWpXQ3FPUm8zM085UTJWS2Y2CldDdTA1UlI0NytWUnlKL1p5Ukxha2cwZVBXOWFzdG5UdDRlcC9kbHdwaEcwNVM3SlF3aCtoYTlNMk8rdVZMUXEKU3hxWUVHMlJUWVluMG1jWmpEK0phZHpVVmoxdFV5U0NJTUV3ZVVJRnFHVXdCOUNzaVMwOG9WUlFvdytLbmtMaQpLTGRZNGQyK1dmODduQTQxSHpBbmNmSUNvdTdtUGgrOVZEeSticzducWJvUHk4a0QzbllqeTJ5aDhHa0FVR0ZTCmlETkVwOUxCZDAxcWVteWFWMFQxZVA0cjRyL1pUSTlyakZDR1FUdmJ3dWtBMWFNL3F4anRCZjIzemdVZXBRYlYKUUxoM0o3ajdpMFk5OG1SL25GZG1KL2dwdDhIK1VTWUk1UW5IZkRKY0IwSkNhZ2xza2NseTdHK2FvWnc9Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
#创建csr.yaml并应用
[root@k8s-master-01 testUser]# vim csr.yaml
[root@k8s-master-01 testUser]# kubectl apply -f csr.yaml
certificatesigningrequest.certificates.k8s.io/testUser created
[root@k8s-master-01 testUser]# cat csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: testUser
spec:
groups:
- system:authenticated
signerName: kubernetes.io/kube-apiserver-client
request: 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
usages:
- client auth
#处于pending状态的csr
[root@k8s-master-01 testUser]# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
testUser 57s kubernetes.io/kube-apiserver-client kubernetes-admin Pending
#审核通过,之后csr处于approved和issued状态
[root@k8s-master-01 testUser]# kubectl certificate approve testUser
certificatesigningrequest.certificates.k8s.io/testUser approved
[root@k8s-master-01 testUser]# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
testUser 3m17s kubernetes.io/kube-apiserver-client kubernetes-admin Approved,Issued
[root@k8s-master-01 testUser]# kubectl get csr testUser -o yaml
status:
certificate: 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
#jsonpath方式获取到证书信息
[root@k8s-master-01 testUser]# kubectl get csr testUser -o jsonpath='{.status.certificate}'
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
#获取证书信息并导入到testUser.crt
[root@k8s-master-01 testUser]# kubectl get csr testUser -o jsonpath='{.status.certificate}' | base64 -d >testUser.crt
#拷贝ca证书到当前目录
[root@k8s-master-01 testUser]# cp /etc/kubernetes/pki/ca.crt .
[root@k8s-master-01 testUser]# ls
ca.crt csr.yaml testUser.crt testUser.csr testUser.key #.key为用户私钥,.crt为用户证书
#设置集群字段
[root@k8s-master-01 testUser]# kubectl config --kubeconfig=kubeconfigTest set-cluster cluster1 --server=https://192.168.71.133:6443 --certificate-authority=ca.crt --embed-certs=true
#设置用户字段(--embed-certs=true会把用户证书和私钥的内容直接写入kubeconfigTest,该文件因此等同于用户凭据)
[root@k8s-master-01 testUser]# kubectl config --kubeconfig=kubeconfigTest set-credentials testUser --client-certificate=testUser.crt --client-key=testUser.key --embed-certs=true
User "testUser" set.
#设置上下文字段,将用户与上下文、集群关联
[root@k8s-master-01 testUser]# kubectl config --kubeconfig=kubeconfigTest set-context context1 --cluster=cluster1 --namespace=default --user=testUser
Context "context1" created.
#使用该配置文件查看pod信息,认证成功,但该用户没有list pods的权限(见下方Forbidden报错),需要为其分配授权。
[root@k8s-master-01 testUser]# kubectl --kubeconfig=kubeconfigTest get pods
Error from server (Forbidden): pods is forbidden: User "testUser" cannot list resource "pods" in API group "" in the namespace "default"
#查看当前授权策略,可以看到为Node和RBAC模式
[root@k8s-master-01 testUser]# cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep "authorization"
- --authorization-mode=Node,RBAC
#修改为AlwaysAllow模式(即关闭鉴权,任何通过认证的请求都会被放行),再查看权限。
[root@k8s-master-01 testUser]# cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep "authorization"
#- --authorization-mode=Node,RBAC
- --authorization-mode=AlwaysAllow
[root@k8s-master-01 testUser]# kubectl --kubeconfig=kubeconfigTest get pods
No resources found in default namespace.
RBAC授权方式不会直接将权限授权给用户,而是将权限绑定到role,再将role分配给用户,即为rolebinding。role只属于一个ns,而clusterrole则可以作用于所有ns,通过clusterrolebinding分配给用户。
#创建一个角色
[root@k8s-master-01 testUser]# kubectl create role roleTest --verb=get,list,watch --resource=pod --dry-run -o yaml >roleTest.yaml
W0214 00:18:24.637610 115345 helpers.go:598] --dry-run is deprecated and can be replaced with --dry-run=client.
[root@k8s-master-01 testUser]# more roleTest.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: null
name: roleTest
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
[root@k8s-master-01 testUser]# kubectl apply -f roleTest.yaml
role.rbac.authorization.k8s.io/roleTest created
#创建rolebinding
[root@k8s-master-01 testUser]# kubectl create rolebinding testRoleBinding --role=roleTest --user=testUser
rolebinding.rbac.authorization.k8s.io/testRoleBinding created
[root@k8s-master-01 testUser]# kubectl get rolebindings
NAME ROLE AGE
testRoleBinding Role/roleTest 19s
[root@k8s-master-01 testUser]# kubectl get rolebinding testRoleBinding -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: "2022-02-13T16:24:22Z"
name: testRoleBinding
namespace: app01
resourceVersion: "256904"
uid: 0d4a9b67-dcea-4468-9d3e-6dfc27ceb19f
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: roleTest #引用哪个名称的role,这里为上述创建的roleTest
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: testUser
#将kubeconfigTest中namespace修改为app01(当前ns),如下
#contexts:
#- context:
# cluster: cluster1
# namespace: app01
# user: testUser
#使用kubeconfigTest的配置文件查看pods
[root@k8s-master-01 testUser]# kubectl --kubeconfig=kubeconfigTest get pods
NAME READY STATUS RESTARTS AGE
mydeploy-67b66cbd74-tckxf 1/1 Running 1 (11h ago) 24h
#创建名为cRole的clusterrole
[root@k8s-master-01 testUser]# kubectl create clusterrole cRole --verb=get,create,delete --resource=pod,svc --dry-run -o yaml > cRoleTest.yaml
W0214 13:41:20.976880 19293 helpers.go:598] --dry-run is deprecated and can be replaced with --dry-run=client.
[root@k8s-master-01 testUser]# more cRoleTest.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: cRole
rules:
- apiGroups:
- ""
resources:
- pods
- services
verbs:
- get
- create
- delete
#将cRole权限与testUser绑定
[root@k8s-master-01 testUser]# kubectl create clusterrolebinding cBind --clusterrole=cRole --user=testUser
K8S中权限管理的主体有User和sa,创建一个sa后会自动为其创建一个token secret(K8S 1.24起默认不再自动生成该secret)。sa实验如下
#创建一个sa,名为satest。会自动产生一个satest-token开头的secret
[root@k8s-master-01 testUser]# kubectl create sa satest
serviceaccount/satest created
[root@k8s-master-01 testUser]# kubectl get secrets
NAME TYPE DATA AGE
default-token-kxfs4 kubernetes.io/service-account-token 3 3d2h
satest-token-9dcpl kubernetes.io/service-account-token 3 3m7s
#为该sa创建clusterrolebinding,绑定到cluster-admin这个clusterrole(集群最高权限)
[root@k8s-master-01 testUser]# kubectl create clusterrolebinding saCbind --clusterrole=cluster-admin --serviceaccount=app01:satest
clusterrolebinding.rbac.authorization.k8s.io/saCbind created
#通过jsonpath方式获取dashboard的登录token(该token是长期有效的bearer凭据)
[root@k8s-master-01 testUser]# kubectl get secrets -n kubernetes-dashboard
NAME TYPE DATA AGE
admin-user-token-b8hnm kubernetes.io/service-account-token 3 4d22h
default-token-rq2p4 kubernetes.io/service-account-token 3 4d22h
kubernetes-dashboard-certs Opaque 0 4d22h
kubernetes-dashboard-csrf Opaque 1 4d22h
kubernetes-dashboard-key-holder Opaque 2 4d22h
kubernetes-dashboard-token-whqcq kubernetes.io/service-account-token 3 4d22h
[root@k8s-master-01 testUser]# kubectl get secrets -n kubernetes-dashboard admin-user-token-b8hnm -o jsonpath='{.data.token}' | base64 -d
eyJhbGciOiJSUzI1NiIsImtpZCI6Ilk3QVo5bmFucWxLUGVOa0tmRm0wb2wwdFN5MlFWemJFdTlvMjhjdFhrUjAifQ.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.ckIDLFsWcubrr9wQnpIiRt0lEZvpbw4nZgs3gGBWtTUs3u4IESGtp5bL4Ukq-03fntgH4C7PwDgA80dqFpbkxNUSHjzpG_Q_kYKgVSLptUxbw3gqKsS6oQ6MYsNyszppShQm2bzBhDBBlBnkGptIUDqNhX57llz2N6hIz3sQ6LyfQyNNfyidXu_GFBvjdkWM3U0QC3P_zAjtObxEGonULIZ_Z0xpnx6qQDsrHVYSLr13PYuOPwbSuwaLh_SR7F1zZg1aN5tmj-gpKmLtY6hE4vD2tf7e4CTZwYVV_YOpcMC34rJ7F9bfDEJBE3boraA_cetkusfl0c8fpTBmYcPSkw