k8s认证及serviceAccount、userAccount

时间:2024-02-18 17:56:37

1.概述

用kubectl向apiserver发起的命令,采用的是http方式,K8s支持多版本并存.

kubectl的认证信息存储在~/.kube/config,所以用curl无法直接获取apis中的信息,可以采用代理方式

kubectl proxy --port=8080
# HTTP request action,如get,post,put,delete,
# 这些action映射到k8s中,有:get,list,create,udate,patch,watch,proxy,redirect,delete
curl http://127.0.0.1:8080/apis/apps/v1/namespaces/kube-system/deployments

kubectl describe svc kubernetes
Name:              kubernetes
Namespace:         default
Labels:            component=apiserver
                   provider=kubernetes
Annotations:       <none>
Selector:          <none>
Type:              ClusterIP
IP:                10.96.0.1
Port:              https  443/TCP
TargetPort:        6443/TCP
Endpoints:         10.0.0.10:6443
Session Affinity:  None
Events:            <none>

10.96.0.1是kubernetes apiserver的地址,实现了通过10.96.0.1访问10.0.0.10:6443
# serviceAccount已经被替换成serviceAccountName
# apiServer验证用户和pod,它俩分别使用userAccount和serviceAccount
kubectl create  serviceaccount  mysa -o yaml --dry-run
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: null
  name: mysa

# 创建其它资源时,可以参考系统标准的模板
kubectl get pods myapp-1 -o yaml --export

2.创建serviceAccount

kubectl create serviceaccount admin
kubectl get sa
NAME      SECRETS   AGE
admin     1         10s
default   1         15d
# 这个sa目前只存在于default名称空间
kubectl describe sa admin
kubectl get secret
NAME                   TYPE                                  DATA   AGE
admin-token-bqcpl      kubernetes.io/service-account-token   3      53s
default-token-g7t2x    kubernetes.io/service-account-token   3      15d

# 用配置清单把serviceaccount和pod绑定起来,这表示该pod使用自定义的验证信息admin
cat pod-sa-demo.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: pod-sa-demo
  namespace: default
  labels:
    app: myapp
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
  serviceAccountName: admin 

# kubeconfig是客户端连接apiserver时使用的认证格式的配置文件
# context定义哪个集群被哪个用户访问,current-context当前是用的是哪个context
kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://10.0.0.10:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

3.创建useraccount

# 证书存放位置
cd /etc/kubernetes/pki/
# 做一个私钥,生成lixiang.key
(umask 077; openssl genrsa -out lixiang.key 2048)
# 基于私钥生成一个证书,生成lixiang.csr,CN就是用户账号名
openssl req -new -key lixiang.key -out lixiang.csr -subj "/CN=lixiang"
# 签发证书,生成lixiang.crt,-days:表示证书的过期时间,x509:生成x509格式证书 
openssl  x509 -req -in lixiang.csr -CA ca.crt -CAkey ca.key  -CAcreateserial -out lixiang.crt -days 365
# 查看证书内容
openssl x509 -in lixiang.crt -text -noout
# 把用户账户信息添加到当前集群中,embed-certs=true隐藏证书信息
kubectl config set-credentials lixiang --client-certificate=lixiang.crt --client-key=lixiang.key --embed-certs=true
# 设置该用户可以访问kubernetes集群
kubectl config set-context lixiang@kubernetes --cluster=kubernetes --user=lixiang
# 切换到lixiang用户,登录k8s,可以看到lixiang用户没有管理器权限
kubectl config use-context lixiang@kubernetes
# 切回k8s管理员
kubectl config use-context kubernetes-admin@kubernetes
# 创建一个新的k8s集群,--kubeconfig:指定集群配置文件存放位置
kubectl config set-cluster mycluster --kubeconfig=/tmp/test.conf --server="https://127.0.0.1:6443" \
--certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
kubectl config view --kubeconfig=/tmp/test.conf

 

参考博客:http://blog.itpub.net/28916011/viewspace-2215100/