Creating an OpenSSL client certificate to access the k8s API from outside the cluster

Creating the credentials

First, this assumes openssl is installed (if not: sudo yum install openssl openssl-devel).

1. Create a directory named openssl-cert/

$ mkdir -p ~/openssl-cert && cd ~/openssl-cert

2. Run

  • Generate the key
$ openssl genrsa -out admin.key 2048

(This step generates the client's private key)

$ openssl req -new -key admin.key -out admin.csr -subj "/CN=admin/"

(Generate a CSR from the private key; /CN= sets the user name, here admin)

3. Generate the certificate

$ sudo openssl x509 -req -in admin.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out admin.crt -days 365

(Sign our user's client certificate with the k8s CA certificate and key)

 

Decoding the certificate

If you forget which CN (Common Name) the certificate was created with, the following command shows it

$ openssl x509 -noout -subject -in admin.crt

Or add -text to print the whole certificate in text form

Using the certificate

Check the cluster's endpoints

$ kubectl get endpoints  
NAME         ENDPOINTS           AGE
kubernetes   192.168.0.41:6443   11m

Check the cluster version:

$ curl --cert ./admin.crt --key ./admin.key \
--cacert /etc/kubernetes/pki/ca.crt -s https://192.168.0.41:6443/version
{
  "major": "1",
  "minor": "22",
  "gitVersion": "v1.22.0",
  "gitCommit": "c2b5237ccd9c0f1d600d3072634ca66cefdf272f",
  "gitTreeState": "clean",
  "buildDate": "2021-08-04T17:57:25Z",
  "goVersion": "go1.16.6",
  "compiler": "gc",
  "platform": "linux/amd64"
}

List pods:

$ curl --cert ./admin.crt --key ./admin.key \
--cacert /etc/kubernetes/pki/ca.crt -s https://192.168.0.41:6443/api/v1/pods
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "pods is forbidden: User \"admin\" cannot list resource \"pods\" in API group \"\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403
}

You can see the request was blocked with Forbidden (HTTP 403). Authentication succeeded, the API server identified us as User "admin" from the certificate's CN, but authorization failed: no rule grants that user permission to list pods.

Adding it to kubeconfig

Add admin.crt to ~/.kube/config

$ kubectl config set-credentials admin \
--client-certificate=admin.crt \
--client-key=admin.key \
--embed-certs=true

This step adds the user to the config file. The --embed-certs=true option embeds the contents of the certificate and key files directly into the config; without it the config only stores their paths.

 

Add a context

$ kubectl config set-context admin \
--cluster=kubernetes  \
--user=admin

After adding it, the config file changes as follows:

...
contexts:
- context:
    cluster: kubernetes
    user: admin
  name: admin
...

 

Switch context:

$ kubectl config use-context admin
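The commands above extend an existing ~/.kube/config that already knows the "kubernetes" cluster. From outside the cluster, which is the point of the title, there is no such file yet, so you also need a cluster entry with the server URL and the CA. The script below, an added example that is not from the original post, writes a self-contained kubeconfig with the certificates embedded exactly as --embed-certs=true does (base64 of the PEM, no line breaks); the equivalent kubectl config set-cluster / set-credentials / set-context / use-context commands are listed in the comments. The server URL is the post's 192.168.0.41:6443; the PEM files are constructed placeholders so the script runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a self-contained
# kubeconfig for use from OUTSIDE the cluster, where ~/.kube/config and the
# "kubernetes" cluster entry do not already exist. Certificates are embedded
# the way --embed-certs=true does: base64 of the PEM file, no line breaks.
# Assumptions: the sample PEM files below are constructed stand-ins so the
# script runs offline; with real files, pass admin.crt/admin.key/ca.crt.
set -eu

# base64 without line wrapping, portable across GNU and BSD base64.
b64() {
  base64 < "$1" | tr -d '\n'
}

# write_kubeconfig OUT SERVER CA_CRT CLIENT_CRT CLIENT_KEY
# Equivalent kubectl commands (not run here):
#   kubectl config --kubeconfig=OUT set-cluster kubernetes \
#       --server=SERVER --certificate-authority=CA_CRT --embed-certs=true
#   kubectl config --kubeconfig=OUT set-credentials admin \
#       --client-certificate=CLIENT_CRT --client-key=CLIENT_KEY --embed-certs=true
#   kubectl config --kubeconfig=OUT set-context admin --cluster=kubernetes --user=admin
#   kubectl config --kubeconfig=OUT use-context admin
write_kubeconfig() {
  out="$1"; server="$2"; ca="$3"; crt="$4"; key="$5"
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: $server
    certificate-authority-data: $(b64 "$ca")
users:
- name: admin
  user:
    client-certificate-data: $(b64 "$crt")
    client-key-data: $(b64 "$key")
contexts:
- name: admin
  context:
    cluster: kubernetes
    user: admin
current-context: admin
EOF
  chmod 600 "$out"   # the file now carries the private key; keep it owner-only
}

# Recover the embedded client certificate as PEM: a quick way to confirm
# which identity a kubeconfig will present (pipe into openssl x509 -noout -subject).
kubeconfig_client_cert() {
  sed -n 's/^ *client-certificate-data: //p' "$1" | base64 -d
}

# --- constructed sample inputs (stand-ins for the real PEM files) ---
WORKDIR="${WORKDIR:-$(mktemp -d)}"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Y29uc3RydWN0ZWQtc2FtcGxlLWNh' \
  '-----END CERTIFICATE-----' > "$WORKDIR/ca.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Y29uc3RydWN0ZWQtYWRtaW4tY2VydA==' \
  '-----END CERTIFICATE-----' > "$WORKDIR/admin.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Y29uc3RydWN0ZWQtYWRtaW4ta2V5' \
  '-----END PRIVATE KEY-----' > "$WORKDIR/admin.key"

write_kubeconfig "$WORKDIR/admin.kubeconfig" https://192.168.0.41:6443 \
  "$WORKDIR/ca.crt" "$WORKDIR/admin.crt" "$WORKDIR/admin.key"
cat "$WORKDIR/admin.kubeconfig"
```

Use the result with kubectl --kubeconfig=admin.kubeconfig get pods, or point KUBECONFIG at it. Because the file embeds the private key, treat it like the key itself: the chmod 600 is the minimum, and a separate kubeconfig per user (rather than merging everything into ~/.kube/config) keeps revocation simple, since a client certificate is revoked in Kubernetes by removing its RBAC bindings, not by a CRL.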

 

Now list pods again:

$ kubectl get pods
Error from server (Forbidden): pods is forbidden: User "admin" cannot list resource "pods" in API group "" in the namespace "default"

Again the request is forbidden: the certificate authenticates us as admin, but the request has not passed authorization, because no rule grants that user anything yet.

Adding a role and binding it

First switch the context back to the kubernetes-admin user:

$ kubectl config use-context kubernetes-admin

Then we use RBAC to grant the admin user the permissions it needs. Create a role:

$ kubectl create role developer  \
--verb=create \
--verb=get \
--verb=list \
--verb=update \
--verb=delete \
--resource=pods

 

Bind the role:

$ kubectl create rolebinding developer-binding-admin --role=developer --user=admin

Note: the role bound above only grants access to pods in the default namespace. A Role and its RoleBinding are always scoped to one namespace; add the -n option to both commands to create them in the namespace the user should be able to access.

 

Switch back to the admin context (kubectl config use-context admin) and create an Nginx pod

$ kubectl run nginx --image=nginx

List pods again; this time the request is not blocked

$ kubectl get pods
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          117s

Reading the default namespace through the API works now as well

$ curl --cert admin.crt \
--key admin.key \
--cacert  /etc/kubernetes/pki/ca.crt  \
https://192.168.0.41:6443/api/v1/namespaces/default/pods
{
  "kind": "PodList",
  "apiVersion": "v1",
  "metadata": {
    "resourceVersion": "2714"
  },
  "items": [
    {
      "metadata": {
        "name": "nginx",
        "namespace": "default",
        "uid": "e5b9381c-a1ca-4632-abb0-afbc9cb56e0b",
        "resourceVersion": "2682",
        "creationTimestamp": "2022-11-08T13:05:54Z",
        "labels": {
          "run": "nginx"
        },
        "managedFields": [
          {
...

 

Delete the pod:

$ kubectl delete pod/nginx
pod "nginx" deleted

 

Access services and deployments in the default namespace

$ kubectl get svc,deploy
Error from server (Forbidden): services is forbidden: User "admin" cannot list resource "services" in API group "" in the namespace "default"
Error from server (Forbidden): deployments.apps is forbidden: User "admin" cannot list resource "deployments" in API group "apps" in the namespace "default"

The request is blocked for lack of permission. That is because the role we created only covers the pods resource; to reach other resources, edit the role and add them (services live in the core API group "", deployments in the apps group, as the two error messages show).
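The declarative form of the two kubectl create commands above, covering both the namespace note and the "edit the role to add other resources" case here. This is an added example, not from the original post: the rbac_manifest helper (its name is this example's own) emits a Role plus a RoleBinding for one user in one namespace, with each rule given as "apiGroup|resources|verbs" so that the core group (empty apiGroup, for pods and services) and the apps group (deployments) can sit in the same role. Nothing here contacts a cluster; the names developer and admin and the verbs are the post's.

```shell
#!/bin/sh
# Added example, not from the original post. Emits the declarative
# equivalent of `kubectl create role` + `kubectl create rolebinding` as a
# single manifest, with the namespace explicit (Role/RoleBinding are always
# namespace-scoped). Apply it with:  rbac_manifest ... | kubectl apply -f -
set -eu

# "a b c" -> "a", "b", "c"   (for a YAML flow sequence)
csv() {
  out=""
  for w in $1; do
    if [ -z "$out" ]; then out="\"$w\""; else out="$out, \"$w\""; fi
  done
  printf '%s' "$out"
}

# emit_rules RULES  where RULES is one rule per line: apiGroup|resources|verbs
# An empty apiGroup ("|pods|get list") is the core group.
emit_rules() {
  printf '%s\n' "$1" | while IFS='|' read -r apigroup resources verbs; do
    [ -n "$resources" ] || continue
    printf '%s\n' "- apiGroups: [\"$apigroup\"]" \
      "  resources: [$(csv "$resources")]" \
      "  verbs: [$(csv "$verbs")]"
  done
}

# rbac_manifest ROLE USER NAMESPACE RULES
# The subject is kind User with the name taken from the certificate's CN;
# the binding name follows the post's developer-binding-admin pattern.
rbac_manifest() {
  role="$1"; user="$2"; ns="$3"; rules="$4"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: $role
  namespace: $ns
rules:
$(emit_rules "$rules")
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $role-binding-$user
  namespace: $ns
subjects:
- kind: User
  name: $user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: $role
  apiGroup: rbac.authorization.k8s.io
EOF
}

# The post's role (pods only) ...
rbac_manifest developer admin default "|pods|create get list update delete"
echo "### extended role: pods and services in core, deployments in apps"
# ... and the extended one that also allows listing services and deployments.
rbac_manifest developer admin default "|pods services|create get list update delete
apps|deployments|get list"
```

After applying a manifest, kubectl auth can-i list deployments --as=admin -n default (run from the kubernetes-admin context) answers yes or no without switching contexts, which is the quickest way to confirm a binding does exactly what you intended and nothing more.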

 

Testing in Apifox

Download the admin.crt and admin.key created above and import them into Apifox

Request the API: /api/v1/namespaces/default/pods

 

 

posted @ 2022-11-14 20:48 cosmoswong