apiserver相当于是k8集群的一个入口,不论通过kubectl还是使用remote api 直接控制,都要经过apiserver。apiserver说白了就是一个server负责监听指定的端口.
func main() { runtime.GOMAXPROCS(runtime.NumCPU()) rand.Seed(time.Now().UTC().UnixNano()) s := app.NewAPIServer() s.AddFlags(pflag.CommandLine) util.InitFlags() util.InitLogs() defer util.FlushLogs() verflag.PrintAndExitIfRequested() if err := s.Run(pflag.CommandLine.Args()); err != nil { fmt.Fprintf(os.Stderr, "%v\n", err) os.Exit(1) } }这一部分主要是进行一些初始化的设置,启动一个apiserver实例,再将其run起来。 主要关注一下,
func NewAPIServer() *APIServer { s := APIServer{ InsecurePort: 8080, InsecureBindAddress: util.IP(net.ParseIP("")), BindAddress: util.IP(net.ParseIP("")), SecurePort: 6443, APIRate: 10.0, APIBurst: 200, APIPrefix: "/api", EventTTL: 1 * time.Hour, AuthorizationMode: "AlwaysAllow", AdmissionControl: "AlwaysAdmit", EtcdPathPrefix: master.DefaultEtcdPathPrefix, EnableLogsSupport: true, MasterServiceNamespace: api.NamespaceDefault, ClusterName: "kubernetes", CertDirectory: "/var/run/kubernetes", RuntimeConfig: make(util.ConfigurationMap), KubeletConfig: client.KubeletConfig{ Port: ports.KubeletPort, EnableHttps: true, HTTPTimeout: time.Duration(5) * time.Second, }, } return &s }
启动时候的全部参数通过 s.AddFlags(pflag.CommandLine)
config := &master.Config{ EtcdHelper: helper, EventTTL: s.EventTTL, KubeletClient: kubeletClient, ServiceClusterIPRange: &n, EnableCoreControllers: true, EnableLogsSupport: s.EnableLogsSupport, EnableUISupport: true, EnableSwaggerSupport: true, EnableProfiling: s.EnableProfiling, EnableIndex: true, APIPrefix: s.APIPrefix, CorsAllowedOriginList: s.CorsAllowedOriginList, ReadWritePort: s.SecurePort, PublicAddress: net.IP(s.AdvertiseAddress), Authenticator: authenticator, SupportsBasicAuth: len(s.BasicAuthFile) > 0, Authorizer: authorizer, AdmissionControl: admissionController, EnableV1Beta3: enableV1beta3, DisableV1: disableV1, MasterServiceNamespace: s.MasterServiceNamespace, ClusterName: s.ClusterName, ExternalHost: s.ExternalHost, MinRequestTimeout: s.MinRequestTimeout, SSHUser: s.SSHUser, SSHKeyfile: s.SSHKeyfile, InstallSSHKey: installSSH, ServiceNodePortRange: s.ServiceNodePortRange, } m := master.New(config)
if secureLocation != "" { secureServer := &http.Server{ Addr: secureLocation, Handler: apiserver.MaxInFlightLimit(sem, longRunningRE, apiserver.RecoverPanics(m.Handler)), ReadTimeout: ReadWriteTimeout, WriteTimeout: ReadWriteTimeout, MaxHeaderBytes: 1 << 20, TLSConfig: &tls.Config{ // Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability) MinVersion: tls.VersionTLS10, }, } if len(s.ClientCAFile) > 0 { clientCAs, err := util.CertPoolFromFile(s.ClientCAFile) if err != nil { glog.Fatalf("unable to load client CA file: %v", err) } // Populate PeerCertificates in requests, but don't reject connections without certificates // This allows certificates to be validated by authenticators, while still allowing other auth types secureServer.TLSConfig.ClientAuth = tls.RequestClientCert // Specify allowed CAs for client certificates secureServer.TLSConfig.ClientCAs = clientCAs } glog.Infof("Serving securely on %s", secureLocation) go func() { defer util.HandleCrash() for { if s.TLSCertFile == "" && s.TLSPrivateKeyFile == "" { s.TLSCertFile = path.Join(s.CertDirectory, "apiserver.crt") s.TLSPrivateKeyFile = path.Join(s.CertDirectory, "apiserver.key") // TODO (cjcullen): Is PublicAddress the right address to sign a cert with? alternateIPs := []net.IP{config.ServiceReadWriteIP} alternateDNS := []string{"kubernetes.default.svc", "kubernetes.default", "kubernetes"} // It would be nice to set a fqdn subject alt name, but only the kubelets know, the apiserver is clueless // alternateDNS = append(alternateDNS, "kubernetes.default.svc.CLUSTER.DNS.NAME") if err := util.GenerateSelfSignedCert(config.PublicAddress.String(), s.TLSCertFile, s.TLSPrivateKeyFile, alternateIPs, alternateDNS); err != nil { glog.Errorf("Unable to generate self signed cert: %v", err) } else { glog.Infof("Using self-signed cert (%s, %s)", s.TLSCertFile, s.TLSPrivateKeyFile) } } // err == systemd.SdNotifyNoSocket when not running on a systemd system if err := systemd.SdNotify("READY=1\n"); err != nil && err != systemd.SdNotifyNoSocket { glog.Errorf("Unable to send systemd daemon sucessful start message: %v\n", err) } if err := secureServer.ListenAndServeTLS(s.TLSCertFile, s.TLSPrivateKeyFile); err != nil { glog.Errorf("Unable to listen for secure (%v); will try again.", err) } time.Sleep(15 * time.Second) } }() } http := &http.Server{ Addr: insecureLocation, Handler: apiserver.RecoverPanics(m.InsecureHandler), ReadTimeout: ReadWriteTimeout, WriteTimeout: ReadWriteTimeout, MaxHeaderBytes: 1 << 20, } if secureLocation == "" { // err == systemd.SdNotifyNoSocket when not running on a systemd system if err := systemd.SdNotify("READY=1\n"); err != nil && err != systemd.SdNotifyNoSocket { glog.Errorf("Unable to send systemd daemon sucessful start message: %v\n", err) } } glog.Infof("Serving insecurely on %s", insecureLocation) glog.Fatal(http.ListenAndServe())
大致看一下这部分代码,首先是生成一个http.Server对象 secureServer
之后还会生成一个 http.Server
实例 http,这个就是采用insecure的方式,最后通过 http.ListenAndServe()
对比两种启动方式,可以看到,它们加载的handler都来自与之前生成的master实例m,一个是 m.Handler
,另一个是 m.InsecureHandler
。采用 m.Handler
authenticator, err := apiserver.NewAuthenticator(s.BasicAuthFile, s.ClientCAFile, s.TokenAuthFile, s.ServiceAccountKeyFile, s.ServiceAccountLookup, helper)
之后在生成master实例的时候,这个认证器 authenticator
config := &master.Config{
Authenticator: authenticator,
m := master.New(config)
s.ServiceAccountKeyFile:当不为空的时候,采用ServiceAccount的认证方式,这个其实是一个公钥密钥。注释里说要包含:PEM-encoded x509 RSA private or public key,发送过来的信息是在客户端使用对应的私钥加密过的,服务端使用指定的公钥来解密信息。
func NewAuthenticator(basicAuthFile, clientCAFile, tokenFile, serviceAccountKeyFile string, serviceAccountLookup bool, helper tools.EtcdHelper) (authenticator.Request, error) { var authenticators []authenticator.Request if len(basicAuthFile) > 0 { basicAuth, err := newAuthenticatorFromBasicAuthFile(basicAuthFile) if err != nil { return nil, err } authenticators = append(authenticators, basicAuth) } if len(clientCAFile) > 0 { certAuth, err := newAuthenticatorFromClientCAFile(clientCAFile) if err != nil { return nil, err } authenticators = append(authenticators, certAuth) } if len(tokenFile) > 0 { tokenAuth, err := newAuthenticatorFromTokenFile(tokenFile) if err != nil { return nil, err } authenticators = append(authenticators, tokenAuth) } if len(serviceAccountKeyFile) > 0 { serviceAccountAuth, err := newServiceAccountAuthenticator(serviceAccountKeyFile, serviceAccountLookup, helper) if err != nil { return nil, err } authenticators = append(authenticators, serviceAccountAuth) } fmt.Println("the length of authticator:", len(authenticators)) switch len(authenticators) { case 0: return nil, nil case 1: return authenticators[0], nil default: return union.New(authenticators...), nil } }
// unionAuthRequestHandler authenticates requests using a chain of authenticator.Requests
type unionAuthRequestHandler []authenticator.Request
// New returns a request authenticator that validates credentials using a chain of authenticator.Request objects
func New(authRequestHandlers ...authenticator.Request) authenticator.Request {
return unionAuthRequestHandler(authRequestHandlers)
// Request attempts to extract authentication information from a request and returns // information about the current user and true if successful, false if not successful, // or an error if the request could not be checked. type Request interface { AuthenticateRequest(req *http.Request) (user.Info, bool, error) }
其中的方法 AuthenticateRequest
下面我们直接跳到对于api请求的认证部分,看一下当某个请求过来的时候,apiserver是如何对其进行认证的,具体代码在/pkg/master/master.go的 func (m *Master) init(c *Config)
// Install Authenticator
if c.Authenticator != nil {
authenticatedHandler, err := handlers.NewRequestAuthenticator(m.requestContextMapper, c.Authenticator, handlers.Unauthorized(c.SupportsBasicAuth), handler)
if err != nil {
glog.Fatalf("Could not initialize authenticator: %v", err)
handler = authenticatedHandler
} }
handler = authenticatedHandler
实现细节暂不讨论,从功能上讲,这一段就是对handler进行一层包装,生成一个带有认证器的handler。 其中 handlers.Unauthorized(c.SupportsBasicAuth)
func NewRequestAuthenticator(mapper api.RequestContextMapper, auth authenticator.Request, failed http.Handler, handler http.Handler) (http.Handler, error) { return api.NewRequestContextFilter( mapper, http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { user, ok, err := auth.AuthenticateRequest(req) if err != nil || !ok { if err != nil { glog.Errorf("Unable to authenticate the request due to an error: %v", err) } failed.ServeHTTP(w, req) return } if ctx, ok := mapper.Get(req); ok { mapper.Update(req, api.WithUser(ctx, user)) } handler.ServeHTTP(w, req) }), ) }
结合上面的 NewAuthenticator
、 certAuth
、 tokenAuth
、 serviceAccountAuth
,还有通过Union.New生成的 unionAuthRequestHandler
,下面我们结合每个认证器的生成过程具体看一下每个 authenticators
的 AuthenticateRequest
func (authHandler unionAuthRequestHandler) AuthenticateRequest(req *http.Request) (user.Info, bool, error) { var errlist []error for _, currAuthRequestHandler := range authHandler { info, ok, err := currAuthRequestHandler.AuthenticateRequest(req) if err != nil { errlist = append(errlist, err) continue } if ok { return info, true, nil } } return nil, false, errors.NewAggregate(errlist)
方法, 只要其中有一种认证方式成功,最后认证就会返回true 。
basicAuth:bacisAuth的认证比较直接,就是把信息从.csv文件中读取出来,返回一个PasswordAuthenticator结构,其中包含一个map: users map[string]*userPasswordInfo
func newAuthenticatorFromBasicAuthFile(basicAuthFile string) (authenticator.Request, error) { basicAuthenticator, err := passwordfile.NewCSV(basicAuthFile) if err != nil { return nil, err } return basicauth.New(basicAuthenticator), nil
type Authenticator struct { auth authenticator.Password }
func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool, error) { auth := strings.TrimSpace(req.Header.Get("Authorization")) if auth == "" { return nil, false, nil } parts := strings.Split(auth, " ") if len(parts) < 2 || strings.ToLower(parts[0]) != "basic" { return nil, false, nil } payload, err := base64.StdEncoding.DecodeString(parts[1]) if err != nil { return nil, false, err } pair := strings.SplitN(string(payload), ":", 2) if len(pair) != 2 { return nil, false, errors.New("malformed basic auth header") } username := pair[0] password := pair[1] return a.auth.AuthenticatePassword(username, password)
主要就是从request的Header中提取出Authorization字段的信息,用basic作为分隔,之后根据 :
func (a *PasswordAuthenticator) AuthenticatePassword(username, password string) (user.Info, bool, error) { user, ok := a.users[username] if !ok { return nil, false, nil } if user.password != password { return nil, false, nil } return user.info, true, nil }
certAuth:这里首先要声明一点, https仅仅是认证方式的一种,secureport可以是https的也可以不是https的,不要把这两个弄混。 关于golang中https的使用的基本内容以及相关证书的生成可以参考 之前这个文章 。
ca文件指定了之后,说明要使用https的方式,这里是cafile是给客户端证书签名的根证书,用于https握手的时候对客户端进行身份认证。正常情况下还要指定服务端的.key和.crt文件,这里默认的就是使用双向认证的方式,在服务端启动的时候,要把对应的证书也加进去,分别用到的是 tls-cert-file
以及 tls-private-key-file
这个两个参数,如果这两个参数没指定的话,证书就会使用自签名的方式被自动生成,放在 CertDirectory: "/var/run/kubernetes"
tokenAuth:是用token的方式,具体代码的结构与basic auth file的方式比较类似,代码不再赘述,主要功能是先从指定的.csv文件中把信息加载进来,存在服务端TokenAuthenticator实例的一个tokens的map中 tokens map[string]*user.DefaultInfo
serviceAccountAuth:saAuth实际上是token auth的变形,这里用到的是jwt(json web token)来进行具体的操作,具体的功能可以参考这个文章,本质上来说,saAuth也是一个token认证,只不过这个token是把一些信息加密(签名)之后生成的。大致介绍一下jwt,具体格式可以参考 这个文章 这里从实现的角度进行一些分析:
func newServiceAccountAuthenticator(keyfile string, lookup bool, helper tools.EtcdHelper) (authenticator.Request, error) { publicKey, err := serviceaccount.ReadPublicKey(keyfile) if err != nil { return nil, err } var serviceAccountGetter serviceaccount.ServiceAccountTokenGetter if lookup { // If we need to look up service accounts and tokens, // go directly to etcd to avoid recursive auth insanity serviceAccountGetter = serviceaccount.NewGetterFromEtcdHelper(helper) } tokenAuthenticator := serviceaccount.JWTTokenAuthenticator([]*rsa.PublicKey{publicKey}, lookup, serviceAccountGetter) return bearertoken.New(tokenAuthenticator), nil }
type ServiceAccountTokenGetter interface { GetServiceAccount(namespace, name string) (*api.ServiceAccount, error) GetSecret(namespace, name string) (*api.Secret, error) }
我们先看最后一部分 bearertoken.New(tokenAuthenticator)
,返回的Authenticator结构的AuthenticateRequest方法就和tokenauth中的一样,从Authorization字段中提取出bearer token,之后使用接口中的方法a.auth.AuthenticateToken(token)
进行验证,这里实际执行AuthenticateToken方法的是tokenAuthenticator对象(jwtTokenAuthenticator实例), func (j *jwtTokenAuthenticator) AuthenticateToken(token string)
函数代码较长,就不在赘述,其主要的功能是使用之前提取出来的公钥密钥对信息进行解密,得到 parsedToken
type Token struct { Raw string // The raw token. Populated when you Parse a token Method SigningMethod // The signing method used or to be used Header map[string]interface{} // The first segment of the token Claims map[string]interface{} // The second segment of the token Signature string // The third segment of the token. Populated when you Parse a token Valid bool // Is the token valid? Populated when you Parse/Verify a token }
之后提取出其中的Claims信息并进行检验,看是否符合要求,如果look up字段为true的话,就会根据标记在Claims中的namespace ,secretName ,serviceAccountName , 利用之前生成的ServiceAccountTokenGetter从etcd中取出已设置好的serviceaccount以及secret来进行身份验证,验证通过之后会返回user信息。
package main import ( //"crypto/rsa" "crypto/tls" "fmt" "github.com/GoogleCloudPlatform/kubernetes/pkg/serviceaccount" "github.com/dgrijalva/jwt-go" "io/ioutil" "net/http" ) const ( test1 = "test1" test2 = "test2" ) func main() { // Create the token token := jwt.New(jwt.SigningMethodRS256) // Set some claims token.Claims[test1] = "zjusel" token.Claims[test2] = "zjusel" // Sign and get the complete encoded token as a string //客户端用私钥进行加密 服务端用公钥进行解密 privateKey, err := serviceaccount.ReadPrivateKey("sa.key") fmt.Println(privateKey) if err != nil { fmt.Println(err.Error()) return } tokenString, err := token.SignedString(privateKey) if err != nil { fmt.Println(err.Error()) } fmt.Println("token string: ", tokenString) tr := &http.Transport{ TLSClientConfig: &tls.Config{ InsecureSkipVerify: true}, DisableCompression: true, } client := &http.Client{Transport: tr} url := "" reqest, err := http.NewRequest("GET", url, nil) reqest.Header.Set("Content-Type", "application/x-www-form-urlencoded") reqest.Header.Set("Authorization", "bearer "+tokenString) resp, err := client.Do(reqest) if err != nil { fmt.Println(err.Error()) return } body, _ := ioutil.ReadAll(resp.Body) fmt.Println(string(body)) }