Kubernetes/K8S Basic Usage Summary [10]: serviceaccount authentication

I. Introduction

1. Overview

The api server is the access entry point for managing and using Kubernetes, and its API is divided into many groups. Every component that connects to the api server, such as the scheduler and the controller manager, must be authenticated by the api server using a private key, an SSL certificate, a token, or a similar mechanism. Authentication identifies who the caller is; authorization checks what the caller is allowed to do. The authentication information is kept in the kubeconfig client configuration file.

2. Requesting the api server through a proxy

Create the proxy:

[root@master1 ~]# kubectl proxy --port=8090

Because kubectl proxy has already authenticated to Kubernetes, requests can be sent directly through the proxy. For example, to inspect resource instances through the proxy:

View deployment information:

[root@master1 ~]# curl http://localhost:8090/apis/apps/v1/namespaces/kubectl-system/deployments
{
  "kind": "DeploymentList",
  "apiVersion": "apps/v1",
  "metadata": {
    "selfLink": "/apis/apps/v1/namespaces/kubectl-system/deployments",
    "resourceVersion": "751447"
  },
  "items": []
}

View namespace (namespaces) information under the API group:

[root@master1 ~]# curl http://localhost:8090/api/v1/namespaces

Generic access path (Object URL):

/apis/<GROUP>/<VERSION>/namespaces/<NAMESPACE_NAME>/<KIND>[/OBJECT_ID]/
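The path pattern above, as an added example that is not part of the original post: it builds object URLs from their components and parses them back, covering the two cases the post's curl calls show (the core group lives under /api/v1 with no group segment; cluster-scoped resources such as namespaces have no namespaces/<NAMESPACE_NAME> segment). Parsing the requestURI field of an API server audit log into group/resource/name is the defender's use of this pattern.

```python
"""Build and parse Kubernetes API object URLs (added example, not from the post).

Models /apis/<GROUP>/<VERSION>/namespaces/<NAMESPACE_NAME>/<KIND>[/OBJECT_ID] plus
the two cases the post's curl calls show: the core group lives under /api/v1
(no group segment) and cluster-scoped resources such as namespaces have no
namespaces/<NAMESPACE_NAME> segment.
"""
import re

CORE_GROUP = ""  # the legacy core group has the empty name in RBAC rules and audit logs

def object_url(group, version, resource, namespace=None, name=None, subresource=None):
    """Return the API path for a collection, a single object or a subresource."""
    parts = ["api", version] if group == CORE_GROUP else ["apis", group, version]
    if namespace is not None:
        parts += ["namespaces", namespace]
    parts.append(resource)
    if name is not None:
        parts.append(name)
        if subresource is not None:
            parts.append(subresource)
    return "/" + "/".join(parts)

# Optional groups are tried greedily, so /api/v1/namespaces/default resolves to
# resource=namespaces, name=default rather than to an empty resource in namespace default.
_PATH_RE = re.compile(
    r"^/(?:api/(?P<cver>v[0-9a-z]+)|apis/(?P<group>[^/]+)/(?P<ver>[^/]+))"
    r"(?:/namespaces/(?P<ns>[^/]+))?"
    r"/(?P<resource>[^/]+)(?:/(?P<name>[^/]+)(?:/(?P<sub>[^/]+))?)?/?$"
)

def parse_object_url(request_uri):
    """Split a requestURI (as recorded in an API server audit log) into its parts.

    Returns None for paths that are not object URLs, e.g. /healthz or /version.
    """
    m = _PATH_RE.match(request_uri.split("?", 1)[0])
    if not m:
        return None
    return {"group": m["group"] or CORE_GROUP, "version": m["cver"] or m["ver"],
            "namespace": m["ns"], "resource": m["resource"],
            "name": m["name"], "subresource": m["sub"]}
```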

II. serviceaccount (sa for short)

Create and view a serviceaccount. After it is created, a token for admin is generated automatically:

[root@master1 volumes]# kubectl create serviceaccount admin
serviceaccount/admin created
[root@master1 volumes]# kubectl get sa
NAME      SECRETS   AGE
admin     1         8s
default   1         13d
[root@master1 volumes]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
admin-token-xrz4c     kubernetes.io/service-account-token   3      20s
default-token-5wbc9   kubernetes.io/service-account-token   3      13d
mysql-root-password   Opaque                                1      2d21h

Make a pod use the custom sa account admin:

apiVersion: v1
kind: Pod
metadata:
  name: podcm1
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    qjbj.com/created.by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
  serviceAccountName: admin

• kubectl create serviceaccount mysa -o yaml --dry-run: prints, in YAML format, the manifest you would otherwise write by hand; the output can also be redirected to a file. --dry-run tests the command without actually creating anything.
• kubectl config view: displays the configuration information (a commonly used subcommand).

Notes:

Quick tips for creating resources:

1. If a resource can be created with kubectl create, add the --dry-run -o yaml options and redirect the output to a YAML file;

2. kubectl get pods PODNAME -o yaml --export exports the current pod resource to a configuration file in YAML format;

III. Kubernetes configuration

1. kubeconfig

The kubeconfig client configuration file is managed with the kubectl config command; by default the configuration file lives under the user's home directory. The available operations are described below:

[root@master1 volumes]# kubectl config --help
Modify kubeconfig files using subcommands like "kubectl config set current-context my-context"

 The loading order follows these rules:

  1.  If the --kubeconfig flag is set, then only that file is loaded. The flag may only be set once
and no merging takes place.
  2.  If $KUBECONFIG environment variable is set, then it is used as a list of paths (normal path
delimiting rules for your system). These paths are merged. When a value is modified, it is modified
in the file that defines the stanza. When a value is created, it is created in the first file that
exists. If no files in the chain exist, then it creates the last file in the list.
  3.  Otherwise, ${HOME}/.kube/config is used and no merging takes place.

Available Commands:
  current-context Displays the current-context
  delete-cluster  Delete the specified cluster from the kubeconfig
  delete-context  Delete the specified context from the kubeconfig
  get-clusters    Display clusters defined in the kubeconfig
  get-contexts    Describe one or many contexts
  rename-context  Renames a context from the kubeconfig file.
  set             Sets an individual value in a kubeconfig file
  set-cluster     Sets a cluster entry in kubeconfig
  set-context     Sets a context entry in kubeconfig
  set-credentials Sets a user entry in kubeconfig
  unset           Unsets an individual value in a kubeconfig file
  use-context     Sets the current-context in a kubeconfig file
  view            Display merged kubeconfig settings or a specified kubeconfig file
Usage:
  kubectl config SUBCOMMAND [options]

Use "kubectl <command> --help" for more information about a given command.
Use "kubectl options" for a list of global command-line options (applies to all commands).

View the configuration file:

[root@master1 volumes]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://k8s-api.ilinux.io:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

IV. Authenticating with a certificate and private key created with openssl

Create a certificate and private key with openssl and use them to test authentication.

1. Create the private key:


View the configuration file:

[root@master1 pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://k8s-api.ilinux.io:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: jakeli
  user:
    client-certificate: /etc/kubernetes/pki/jakeli.crt
    client-key: /etc/kubernetes/pki/jakeli.key
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

6. Create a cluster configuration file. By default the configuration file lives under the user's home directory; this can be changed with the --kubeconfig option:

[root@master1 ~]# kubectl config set-cluster jakelicluster --kubeconfig=/tmp/test.conf --server="https://192.168.222.150:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
Cluster "jakelicluster" set.

View the custom cluster information:

[root@master1 ~]# kubectl config view --kubeconfig=/tmp/test.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.222.150:6443
  name: jakelicluster
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null

7. Set a context so that the user jakeli can access the cluster:

[root@master1 pki]# kubectl config set-context jakeli@kubernetes --cluster=kubernetes --user=jakeli
Context "jakeli@kubernetes" created.

View the config at this point:

[root@master1 ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://k8s-api.ilinux.io:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: jakeli
  name: jakeli@kubernetes
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: jakeli
  user:
    client-certificate: /etc/kubernetes/pki/jakeli.crt
    client-key: /etc/kubernetes/pki/jakeli.key
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

8. Switch the user account (the current context). At this point jakeli has not been granted any permissions, so it cannot view pod information; once authorization has been covered later on, it will have the corresponding permissions.

[root@master1 pki]# kubectl config use-context jakeli@kubernetes
Switched to context "jakeli@kubernetes".
[root@master1 pki]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "jakeli" cannot list resource "pods" in API group "" in the namespace "default"
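The kubeconfig structure shown in section III and built up in steps 6 to 8, as an added example that is not part of the original post: the file is loaded as a dict (yaml.safe_load would return the same shape; here the "kubectl config view" output above is reconstructed inline as a constructed sample so it runs offline), each context is resolved to its cluster and user entries exactly as use-context relies on, and the checks a defender wants are reported: dangling references (the state of /tmp/test.conf after step 6, with contexts and users still null), clusters without a CA or with TLS verification disabled, and credentials referenced by file path, as jakeli's are.

```python
"""Audit a kubeconfig the way kubectl resolves it (added example, not from the post).

The config is a dict as yaml.safe_load() would return; the file shown in the post
is reconstructed inline (constructed sample) so the example runs offline."""

def _by_name(entries):
    """Index a kubeconfig list (clusters/contexts/users) by its name key."""
    return {e["name"]: e for e in (entries or [])}

def audit_kubeconfig(cfg):
    """Return (context, severity, message) findings for every context."""
    clusters, users = _by_name(cfg.get("clusters")), _by_name(cfg.get("users"))
    findings = []
    for ctx in cfg.get("contexts") or []:
        name, ref = ctx["name"], ctx["context"]
        cluster, user = clusters.get(ref.get("cluster")), users.get(ref.get("user"))
        if cluster is None:
            findings.append((name, "error", "undefined cluster %r" % ref.get("cluster")))
        else:
            c = cluster["cluster"]
            if c.get("insecure-skip-tls-verify"):
                findings.append((name, "high", "TLS verification disabled for " + c["server"]))
            elif not (c.get("certificate-authority") or c.get("certificate-authority-data")):
                findings.append((name, "high", "no CA configured for " + c["server"]))
        if user is None:
            findings.append((name, "error", "undefined user %r" % ref.get("user")))
        else:
            u = user["user"]
            # File-path credentials must exist and be protected on every host this file is copied to.
            for key in ("client-certificate", "client-key"):
                if key in u:
                    findings.append((name, "info", "%s read from file %s" % (key, u[key])))
    names = {c["name"] for c in cfg.get("contexts") or []}
    if cfg.get("current-context") and cfg["current-context"] not in names:
        findings.append((cfg["current-context"], "error", "current-context not defined"))
    return findings

# Constructed from the "kubectl config view" output in the post (certificate data elided).
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1", "kind": "Config", "current-context": "kubernetes-admin@kubernetes",
    "clusters": [{"name": "kubernetes", "cluster": {
        "certificate-authority-data": "DATA+OMITTED", "server": "https://k8s-api.ilinux.io:6443"}}],
    "contexts": [{"name": "jakeli@kubernetes", "context": {"cluster": "kubernetes", "user": "jakeli"}},
                 {"name": "kubernetes-admin@kubernetes",
                  "context": {"cluster": "kubernetes", "user": "kubernetes-admin"}}],
    "users": [{"name": "jakeli", "user": {"client-certificate": "/etc/kubernetes/pki/jakeli.crt",
                                          "client-key": "/etc/kubernetes/pki/jakeli.key"}},
              {"name": "kubernetes-admin",
               "user": {"client-certificate-data": "REDACTED", "client-key-data": "REDACTED"}}],
}
```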

V. Token authentication

1. Create a serviceaccount

 
