k8s认证及serviceAccount、userAccount
1.概述
用kubectl向apiserver发起的命令,采用的是http方式,K8s支持多版本并存.
kubectl的认证信息存储在~/.kube/config,所以用curl无法直接获取apis中的信息,可以采用代理方式
kubectl proxy --port=8080
# HTTP request action,如get,post,put,delete,
# 这些action映射到k8s中,有:get,list,create,udate,patch,watch,proxy,redirect,delete
curl http://127.0.0.1:8080/apis/apps/v1/namespaces/kube-system/deployments
kubectl describe svc kubernetes
Name: kubernetes
Namespace: default
Labels: component=apiserver
provider=kubernetes
Annotations: <none>
Selector: <none>
Type: ClusterIP
IP: 10.96.0.1
Port: https 443/TCP
TargetPort: 6443/TCP
Endpoints: 10.0.0.10:6443
Session Affinity: None
Events: <none>
10.96.0.1是kubernetes apiserver的地址,实现了通过10.96.0.1访问10.0.0.10:6443
# serviceAccount已经被替换成serviceAccountName
# apiServer验证用户和pod,它俩分别使用userAccount和serviceAccount
kubectl create serviceaccount mysa -o yaml --dry-run
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: null
name: mysa
# 创建其它资源时,可以参考系统标准的模板
kubectl get pods myapp-1 -o yaml --export
2.创建serviceAccount
kubectl create serviceaccount admin
kubectl get sa
NAME SECRETS AGE
admin 1 10s
default 1 15d
# 这个sa目前只存在于default名称空间
kubectl describe sa admin
kubectl get secret
NAME TYPE DATA AGE
admin-token-bqcpl kubernetes.io/service-account-token 3 53s
default-token-g7t2x kubernetes.io/service-account-token 3 15d
# 用配置清单把serviceaccount和pod绑定起来,这表示该pod使用自定义的验证信息admin
cat pod-sa-demo.yaml
apiVersion: v1
kind: Pod
metadata:
name: pod-sa-demo
namespace: default
labels:
app: myapp
spec:
containers:
- name: myapp
image: ikubernetes/myapp:v1
ports:
- name: http
containerPort: 80
serviceAccountName: admin
# kubeconfig是客户端连接apiserver时使用的认证格式的配置文件
# context定义哪个集群被哪个用户访问,current-context当前是用的是哪个context
kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://10.0.0.10:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
3.创建useraccount
# 证书存放位置 cd /etc/kubernetes/pki/ # 做一个私钥,生成lixiang.key (umask 077; openssl genrsa -out lixiang.key 2048) # 基于私钥生成一个证书,生成lixiang.csr,CN就是用户账号名 openssl req -new -key lixiang.key -out lixiang.csr -subj "/CN=lixiang" # 签发证书,生成lixiang.crt,-days:表示证书的过期时间,x509:生成x509格式证书 openssl x509 -req -in lixiang.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out lixiang.crt -days 365 # 查看证书内容 openssl x509 -in lixiang.crt -text -noout # 把用户账户信息添加到当前集群中,embed-certs=true隐藏证书信息 kubectl config set-credentials lixiang --client-certificate=lixiang.crt --client-key=lixiang.key --embed-certs=true # 设置该用户可以访问kubernetes集群 kubectl config set-context lixiang@kubernetes --cluster=kubernetes --user=lixiang # 切换到lixiang用户,登录k8s,可以看到lixiang用户没有管理器权限 kubectl config use-context lixiang@kubernetes # 切回k8s管理员 kubectl config use-context kubernetes-admin@kubernetes # 创建一个新的k8s集群,--kubeconfig:指定集群配置文件存放位置 kubectl config set-cluster mycluster --kubeconfig=/tmp/test.conf --server="https://127.0.0.1:6443" \ --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true kubectl config view --kubeconfig=/tmp/test.conf
参考博客:http://blog.itpub.net/28916011/viewspace-2215100/
