Part 1: Authentication
Accounts in Kubernetes
Running kubectl explain pods.spec shows a field called serviceAccountName; this is the account a pod uses when it connects to the apiserver. A Kubernetes cluster has two kinds of accounts: ServiceAccount and User account.
User account: a real person, an account a human can log in with. When a client sends a request to the apiserver, the apiserver has to determine whether that client is permitted to make the request; different users have different permissions, and the user is represented by a user account, called the username. This is the user who logs in to the physical machine running k8s.
ServiceAccount: designed so that processes inside a Pod can call the Kubernetes API or other external services; it is a Kubernetes resource. A service account is limited to the namespace it belongs to. When a pod is created without specifying a serviceaccount, the system automatically assigns it the default service account in the same namespace as the pod. The account used for communication between the pod and the apiserver is named by serviceAccountName.
[root@master ~]# vim read-pod.yaml
kind: Pod
apiVersion: v1
metadata:
  name: read-pod
spec:
  containers:
  - name: read-pod
    image: nginx
    imagePullPolicy: IfNotPresent
[root@master ~]# kubectl apply -f read-pod.yaml
pod/read-pod created
[root@master ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
read-pod 1/1 Running 0 4s
[root@master ~]# kubectl get pod read-pod -oyaml |grep service
serviceAccount: default
serviceAccountName: default
[root@master ~]# kubectl get namespaces
NAME STATUS AGE
default Active 1d
[root@master ~]# kubectl get sa
NAME SECRETS AGE
default 1 8d
[root@master ~]# kubectl get sa -n kube-system
NAME SECRETS AGE
bootstrap-signer 1 1d
calico-node 1 1d
certificate-controller 1 1d
clusterrole-aggregation-controller 1 1d
coredns 1 1d
...
[root@master ~]# kubectl get secrets
NAME TYPE DATA AGE
default-token-86dcd kubernetes.io/service-account-token 3 1d
[root@master ~]# kubectl get secret -n kube-system
NAME TYPE DATA AGE
bootstrap-signer-token-j9nf6 kubernetes.io/service-account-token
calico-node-token-8fdpx kubernetes.io/service-account-token
certificate-controller-token-8c7rb kubernetes.io/service-account-token
...
Create a serviceaccount
[root@master ~]# kubectl explain sa
[root@master ~]# kubectl create serviceaccount test
serviceaccount/test created
[root@master ~]# kubectl get sa
NAME SECRETS AGE
default 1 1d
test 1 12s
[root@master ~]# kubectl describe sa test
Name: test
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: test-token-lfr9f
Tokens: test-token-lfr9f
Events: <none>
When a serviceaccount is created, a secret is created along with it; use describe secret to view the token. This token can log in to k8s, that is, it authenticates to k8s, but it cannot do anything else; to do anything else it needs authorization.
[root@master ~]# kubectl get secrets
NAME TYPE DATA AGE
default-token-86dcd kubernetes.io/service-account-token 3 1d
test-token-lfr9f kubernetes.io/service-account-token 3 3m34s
[root@master ~]# kubectl describe secrets test-token-lfr9f
Name: test-token-lfr9f
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name: test
kubernetes.io/service-account.uid: b02d013f-dfa4-46d2-a8a2-6d0f27402a7b
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 7 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6InlPVVR4aFY3OEgzbWdkZnVFM2kzMlMiOiJrdWJlcm5....
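The token shown in the secret above is a JWT. The following script, added here as an example and not part of the original tutorial, decodes its header and payload so you can see which claims the apiserver uses to identify the caller (the issuer, the namespace, the service-account name and the RBAC subject name). The sample token is constructed inside the script with a placeholder signature so it runs offline; decoding the claims does not verify the token, only the apiserver holding the signing key can do that.

```python
"""Inspect the claims inside a service-account token (added example).

The sample token is CONSTRUCTED here with a dummy signature so the script
runs offline. Decoding claims never verifies them.
"""
import base64
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_sample_token(namespace: str, sa_name: str, secret_name: str) -> str:
    """Build a CONSTRUCTED legacy-style service-account JWT with a fake signature."""
    header = {"alg": "RS256", "kid": "sample-kid"}  # placeholder key id
    payload = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/secret.name": secret_name,
        "kubernetes.io/serviceaccount/service-account.name": sa_name,
        "kubernetes.io/serviceaccount/service-account.uid":
            "00000000-0000-0000-0000-000000000000",  # placeholder uid
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
    }
    signature = b"not-a-real-signature"  # placeholder, NOT a valid RS256 signature
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(signature),
    ])


def decode_claims(token: str) -> dict:
    """Return the (unverified) header and payload of a JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected 3 dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return {"header": header, "payload": payload}


def subject_of(token: str) -> str:
    """The RBAC subject name the apiserver would associate with this token (unverified)."""
    return decode_claims(token)["payload"]["sub"]


if __name__ == "__main__":
    tok = make_sample_token("default", "test", "test-token-lfr9f")
    print(json.dumps(decode_claims(tok), indent=2))
    print("subject:", subject_of(tok))
```

The sub claim is the name that RoleBindings and ClusterRoleBindings match against, which is why the bindings later in this tutorial use the form system:serviceaccount:<namespace>:<name>.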
[root@master ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://192.168.1.11:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
Part 2: Authorization
Authorization in Kubernetes is plugin-based; the main authorization plugin is RBAC (Role-Based Access Control).
Two binding objects (rolebinding and clusterrolebinding), used in three ways:
(1) A user is bound to a role through a rolebinding
(2) A user is bound to a clusterrole through a clusterrolebinding
(3) A rolebinding binds a clusterrole
The users of each namespace need administrator rights in their own namespace; bind a role with a rolebinding and they have administrator rights in that namespace. With more namespaces we would have to define more roles, which is tedious, so we introduce a clusterrole: grant all permissions to the clusterrole, then bind the user to the clusterrole through a rolebinding, and the user has administrator rights in that namespace (the rolebinding's namespace).
[root@master ~]# kubectl get role -n kube-system
NAME CREATED AT
extension-apiserver-authentication-reader 2021-12-10T14:18:31Z
kube-proxy 2021-12-10T14:18:33Z
kubeadm:kubelet-config-1.18 2021-12-10T14:18:32Z
[root@master ~]# kubectl get rolebinding -n kube-system
NAME ROLE AGE
kube-proxy Role/kube-proxy 18d
kubeadm:kubelet-config-1.18 Role/kubeadm:kubelet-config-1.18 18d
kubeadm:nodes-kubeadm-config Role/kubeadm:nodes-kubeadm-config 18d
[root@master ~]# kubectl get clusterrole
NAME CREATED AT
admin 2021-12-10T14:18:31Z
calico-node 2021-12-10T15:05:47Z
cluster-admin 2021-12-10T14:18:31Z
[root@master ~]# kubectl get clusterrolebinding
NAME ROLE AGE
calico-node ClusterRole/calico-node 18d
cluster-admin ClusterRole/cluster-admin 18d
Authentication mechanisms in Kubernetes: read the documentation yourself to learn more
Logging in to the dashboard with a token
[root@master ~]# kubectl get pods -n kubernetes-dashboard
NAME READY STATUS RESTARTS AGE
dashboard-metrics-scraper-694557449d-czn7l 1/1 Running 14 18d
kubernetes-dashboard-5f98bdb684-qxqz4 1/1 Running 17 18d
[root@master ~]# kubectl get svc -n kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S)
dashboard-metrics-scraper ClusterIP 10.103.54.188 <none> 8000/TCP
kubernetes-dashboard NodePort 10.109.53.21 <none> 443:31152/TCP
Open https://192.168.1.11:31152/ in a browser and choose token to log in to the dashboard
(1) Log in with the default token; you will find it has no permissions at all
[root@master ~]# kubectl get sa
NAME SECRETS AGE
default 1 18d
[root@master ~]# kubectl describe sa default
Name: default
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: default-token-86dcd
Tokens: default-token-86dcd
Events: <none>
[root@master ~]# kubectl describe secrets default-token-86dcd
Name: default-token-86dcd
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name: default
kubernetes.io/service-account.uid: 22452d24-2c52-450e-9bc0-b2bee660aaf7
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 7 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6InlPVVR4aFY3OEgzbWdkZnVFM2kzMlMyW...
(2) Log in with the kubernetes-dashboard token
[root@master ~]# kubectl get ns
NAME STATUS AGE
kubernetes-dashboard Active 18d
[root@master ~]# kubectl get sa -n kubernetes-dashboard
NAME SECRETS AGE
kubernetes-dashboard 1 18d
[root@master ~]# kubectl get secrets -n kubernetes-dashboard
NAME TYPE DATA AGE
kubernetes-dashboard-token-dkd5b kubernetes.io/service-account-token 3 18d
[root@master ~]# kubectl describe secrets kubernetes-dashboard-token-dkd5b -n kubernetes-dashboard
token: eyJhbGciOiJSUzI1NiIsImtpZCI6InlPVVR4aFYNNUVReX
Create a new serviceaccount user lucky, bind it with a rolebinding, and log in
[root@master ~]# kubectl create namespace lucky
[root@master ~]# kubectl create serviceaccount lucky-admin -n lucky
[root@master ~]# kubectl create rolebinding lucky-admin-rolebinding -n lucky --clusterrole=cluster-admin --serviceaccount=lucky:lucky-admin
This creates the rolebinding lucky-admin-rolebinding, with clusterrole cluster-admin (this role can be listed as shown below) and serviceaccount lucky-admin in the lucky namespace
[root@master ~]# kubectl get clusterrole
NAME CREATED AT
cluster-admin 2021-12-10T14:18:31Z
[root@master ~]# kubectl get secret -n lucky
NAME TYPE DATA AGE
default-token-gwzv7 kubernetes.io/service-account-token 3 60s
lucky-admin-token-zh7xd kubernetes.io/service-account-token 3 49s
[root@master ~]# kubectl describe secret lucky-admin-token-zh7xd -n lucky
token: eyJhbGciOiJSUzI1NiIsImtpZCI6InlPVVR4aFY3OEgzbWdkZnVFM2kzMlMyWGFC...
Refresh the page and log in with lucky's token; enter lucky as the namespace and you can see the secrets and also create pods and so on, but in other namespaces there are no permissions at all.
[root@master ~]# kubectl get pod -n lucky
NAME READY STATUS RESTARTS AGE
read-pod 1/1 Running 0 3m30s
Create a clusterrolebinding for lucky; a clusterrolebinding does not need a namespace
[root@master ~]# kubectl create clusterrolebinding lucky-admin-clusterrole --clusterrole=cluster-admin --serviceaccount=lucky:lucky-admin
[root@master ~]# kubectl get sa -n lucky
NAME SECRETS AGE
lucky-admin 1 45m
[root@master ~]# kubectl get secrets -n lucky
NAME TYPE DATA AGE
lucky-admin-token-zh7xd kubernetes.io/service-account-token 3 45m
[root@master ~]# kubectl describe secrets lucky-admin-token-zh7xd -n lucky
token: eyJhbGciOiJSUzI1NiIsImtpZCI6InlPVVR4aFY3OEgzbWdkZnVFM2kzMlMyWGFCNk1mUjhNNUVReXd
Log in again with lucky's token and you will find it now has all permissions
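The difference between the two logins above (rolebinding to cluster-admin: only the lucky namespace; clusterrolebinding to cluster-admin: every namespace) is the scoping rule described in the three binding patterns of Part 2. The following toy evaluator, added as an example and not Kubernetes' own authorizer or code from this page, makes that rule explicit: a RoleBinding never grants anything outside its own namespace even when it references a ClusterRole. Rules are simplified to resources and verbs (real rules also carry apiGroups and resourceNames); the subject name lucky-admin and the pod-reader Role are constructed for the demonstration.

```python
"""Toy RBAC evaluator for the three binding patterns (added example).

Simplified: rules are (resources, verbs) with "*" as wildcard; subjects are
written the way the apiserver names a service account.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    resources: set
    verbs: set

    def matches(self, resource: str, verb: str) -> bool:
        res_ok = "*" in self.resources or resource in self.resources
        verb_ok = "*" in self.verbs or verb in self.verbs
        return res_ok and verb_ok


@dataclass
class Role:                 # a Role or a ClusterRole
    name: str
    rules: list
    cluster: bool = False   # True -> ClusterRole
    namespace: str = ""     # only meaningful for a namespaced Role


@dataclass
class Binding:              # a RoleBinding or a ClusterRoleBinding
    subjects: set
    role: Role
    namespace: str = ""     # "" -> ClusterRoleBinding


def allowed(bindings, subject, verb, resource, namespace) -> bool:
    """True if any binding grants `subject` the verb on the resource in the namespace."""
    for b in bindings:
        if subject not in b.subjects:
            continue
        if b.namespace:
            # A RoleBinding only applies inside its own namespace, whatever it references.
            if b.namespace != namespace:
                continue
            # A RoleBinding may reference a ClusterRole, or a Role in the same namespace.
            if not b.role.cluster and b.role.namespace != b.namespace:
                continue
        elif not b.role.cluster:
            continue  # a ClusterRoleBinding can only reference a ClusterRole
        if any(r.matches(resource, verb) for r in b.role.rules):
            return True
    return False


# Constructed scenario mirroring the tutorial: cluster-admin plus a small Role.
CLUSTER_ADMIN = Role("cluster-admin", [Rule({"*"}, {"*"})], cluster=True)
POD_READER = Role("pod-reader", [Rule({"pods"}, {"get", "list"})], namespace="lucky")
LUCKY_ADMIN = "system:serviceaccount:lucky:lucky-admin"
CHECKS = [("list", "pods", "lucky"), ("list", "secrets", "lucky"), ("list", "pods", "default")]


def evaluate(bindings, subject=LUCKY_ADMIN) -> dict:
    """Map 'verb resource in namespace' to the decision for each standard check."""
    return {f"{v} {r} in {ns}": allowed(bindings, subject, v, r, ns) for v, r, ns in CHECKS}


def pattern_rolebinding_to_role() -> dict:
    # (1) RoleBinding in lucky -> Role pod-reader: only pods, only in lucky
    return evaluate([Binding({LUCKY_ADMIN}, POD_READER, namespace="lucky")])


def pattern_clusterrolebinding_to_clusterrole() -> dict:
    # (2) ClusterRoleBinding -> ClusterRole cluster-admin: everything, everywhere
    return evaluate([Binding({LUCKY_ADMIN}, CLUSTER_ADMIN)])


def pattern_rolebinding_to_clusterrole() -> dict:
    # (3) RoleBinding in lucky -> ClusterRole cluster-admin: everything, but only in lucky
    return evaluate([Binding({LUCKY_ADMIN}, CLUSTER_ADMIN, namespace="lucky")])


if __name__ == "__main__":
    for fn in (pattern_rolebinding_to_role, pattern_clusterrolebinding_to_clusterrole,
               pattern_rolebinding_to_clusterrole):
        print(fn.__name__, fn())
```

Pattern (3) is the one the first lucky login exercised: full rights inside lucky, nothing in default. Pattern (2) is the second login, and is why a ClusterRoleBinding to cluster-admin should be handed out with care: it is cluster-wide and the token in the secret is long-lived.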
Logging in with a kubeconfig
(1) Create the cluster
[root@master ~]# cd /etc/kubernetes/pki/
[root@master pki]# kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server="https://192.168.1.11:6443" --embed-certs=true --kubeconfig=/root/lucky-admin.conf
(2) Create the credentials, using the token we created above.
[root@master pki]# kubectl get secret -n lucky
NAME TYPE DATA AGE
lucky-admin-token-zh7xd kubernetes.io/service-account-token 3 75m
[root@master pki]# DEF_NS_ADMIN_TOKEN=$(kubectl get secret lucky-admin-token-zh7xd -n lucky -o jsonpath={.data.token}|base64 -d)
[root@master pki]# kubectl config set-credentials lucky --token=$DEF_NS_ADMIN_TOKEN --kubeconfig=/root/lucky-admin.conf
(3) Create the context
[root@master pki]# kubectl config set-context lucky@kubernetes --cluster=kubernetes --user=lucky --kubeconfig=/root/lucky-admin.conf
Context "lucky@kubernetes" created.
(4) Switch context so that current-context is lucky@kubernetes
[root@master pki]# kubectl config use-context lucky@kubernetes --kubeconfig=/root/lucky-admin.conf
Copy /root/lucky-admin.conf to the desktop. In the browser choose kubeconfig to log in; the login now succeeds.
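The four kubectl config steps above assemble one file: a cluster entry with the embedded CA, a user entry holding the decoded token, a context joining them, and current-context. The script below, added as an example and not the page's own commands, builds the same structure so the pieces are visible. The CA PEM and the secret's .data.token value are constructed placeholders (the latter is base64-encoded exactly as kubectl get secret -o jsonpath returns it, which is why the page pipes it through base64 -d). It writes JSON, which kubectl's kubeconfig loader accepts.

```python
"""Assemble a kubeconfig for a service-account token (added example).

Inputs are CONSTRUCTED placeholders: a fake CA PEM and a base64-encoded
token as found in the secret's .data.token field.
"""
import base64
import json
import os
import stat

SAMPLE_CA_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
# What `kubectl get secret ... -o jsonpath={.data.token}` returns: base64 of the JWT.
SAMPLE_SECRET_TOKEN_DATA = base64.b64encode(b"eyJhbGciOiJSUzI1NiJ9.e30.placeholder").decode()


def token_from_secret_data(data_b64: str) -> str:
    """Mirror `... -o jsonpath={.data.token} | base64 -d` from step (2)."""
    return base64.b64decode(data_b64).decode("ascii")


def build_kubeconfig(cluster: str, server: str, ca_pem: bytes, user: str, token: str) -> dict:
    """Equivalent of set-cluster, set-credentials, set-context and use-context."""
    context = f"{user}@{cluster}"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        "clusters": [{"name": cluster, "cluster": {
            "server": server,
            # --embed-certs=true stores the CA PEM base64-encoded in the file
            "certificate-authority-data": base64.b64encode(ca_pem).decode("ascii"),
        }}],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": context, "context": {"cluster": cluster, "user": user}}],
        "current-context": context,
    }


def embedded_ca(cfg: dict) -> bytes:
    """Recover the CA PEM from a kubeconfig produced by build_kubeconfig."""
    return base64.b64decode(cfg["clusters"][0]["cluster"]["certificate-authority-data"])


def write_kubeconfig(path: str, cfg: dict) -> int:
    """Write the file owner-read/write only: it contains a long-lived bearer token."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(cfg, f, indent=2)
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    tok = token_from_secret_data(SAMPLE_SECRET_TOKEN_DATA)
    cfg = build_kubeconfig("kubernetes", "https://192.168.1.11:6443", SAMPLE_CA_PEM, "lucky", tok)
    print(json.dumps(cfg, indent=2))
```

Because the token in lucky-admin.conf is a cluster-admin credential that does not expire on its own, the file deserves the same handling as /etc/kubernetes/admin.conf: restrictive permissions, no copying to shared machines, and deleting the lucky-admin service account (or its token secret) when the access is no longer needed.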