• 15.kubernetes认证及serviceaccount


    kubernetes认证及serviceaccount

    认证(Authentication): 确认请求者是谁。apiserver 支持 x509 客户端证书、bearer token(如 serviceaccount token)等多种方式，只要有一种认证模块通过即视为已认证

    授权(Authorization):
    RBAC(目前的主流授权方式，通过 Role/ClusterRole 定义权限，通过 RoleBinding/ClusterRoleBinding 绑定到用户、组或 serviceaccount；认证通过但没有绑定的主体默认没有任何权限)

    准入控制(Admission Control): 在认证、授权都通过之后，对请求对象再做校验或修改，本节了解即可

    请求处理顺序: 认证 --> 授权 --> 准入控制，任一环节拒绝，请求即失败


    客户端 --> api-server: 认证通过后，apiserver 从凭据中提取出请求者的属性，交给授权模块判定
    user: username, uid
    group: 所属的组(可以有多个)
    extra: 额外的键值属性

    除请求者属性外，授权还会结合请求本身的属性: API 动词(get/list/create 等)、资源与 namespace
    Request path(针对 /healthz、/api 这类非资源型 URL)


    serviceaccount


    k8s 的资源如果支持 create，那么可以使用 --dry-run 生成清单配置而不真正创建对象，例如 kubectl create serviceaccount admin --dry-run=client -o yaml
    --dry-run (注意: 新版本 kubectl 中裸 --dry-run 已弃用，需要写成 --dry-run=client)

    获取单个 pod 的清单配置(--export 参数在 kubectl 1.14 已弃用、1.18 已移除；新版本直接用 -o yaml，再手动去掉 status、metadata.uid 等集群生成字段)
    [root@k8s-master ~]# kubectl get pods pod-cm-nginx-3 -o yaml --export


    [root@k8s-master ~]# kubectl get sa
    NAME SECRETS AGE
    default 1 6d17h
    [root@k8s-master ~]# kubectl create serviceaccount admin
    serviceaccount/admin created
    注意: serviceaccount 的名字叫 admin 并不意味着它有任何权限，它能做什么完全由 RBAC 绑定决定；命名上避免这种容易误导的名字

    kubernetes 集群有两类可被认证的账号
    1.useraccount 用户账号，给人使用；k8s 中并没有 User 这种 API 对象，用户身份来自外部凭据(例如 x509 客户端证书中的 CN 作为用户名、O 作为组)
    2.serviceaccount 服务账号，是 namespace 级的 API 对象，供 pod 等集群内工作负载访问 apiserver 时使用；其认证信息是 apiserver 签发的 bearer token(JWT)，而不是用户名/密码。该 token 会挂载进 pod，任何拿到 token 的人都拥有该 sa 的全部权限，因此要对 sa 做最小化的 RBAC 授权


    为 pod 拉取私有镜像的两种方式:
    1.在 pod spec 中使用 imagePullSecrets 字段指定(原文 imagepullsecreit 为笔误)
    2.在 serviceaccount 上配置 imagePullSecrets，使用该 sa 的 pod 会自动带上这些 secret


    kubectl 是怎么认证的
    kubectl 读取 kubeconfig 文件(默认 ~/.kube/config，可用 KUBECONFIG 环境变量或 --kubeconfig 覆盖)中的集群地址、CA 和用户凭据，向 apiserver 认证；用 kubectl config 子命令查看和修改

    kubeconfig: 其中嵌入的客户端证书/私钥或 token 等同于登录凭据，文件权限应为 0600，不要共享或提交到代码库

    [root@k8s-master ~]# kubectl config view

    连接 apiserver: 下面用集群 CA 直接签发一张 x509 客户端证书来创建用户 magedu。注意: 证书的 CN 即用户名、O 即组名(填 O=system:masters 会直接获得 cluster-admin 权限，切勿随意填写)；apiserver 不检查 CRL，已签发的证书在到期前无法吊销，所以 -days 应尽量短；私钥用 umask 077 生成后要妥善保管。集群 CA 私钥只应在控制平面节点上使用，更规范的做法是通过 CertificateSigningRequest API 签发，便于审计

    [root@k8s-master pki]# (umask 077 ; openssl genrsa -out magedu.key 2048)
    Generating RSA private key, 2048 bit long modulus
    ............+++
    .......+++
    e is 65537 (0x10001)

    [root@k8s-master pki]# openssl req -new -key magedu.key -out magedu.csr -subj "/CN=magedu"


    [root@k8s-master pki]# openssl x509 -req -in magedu.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out magedu.crt -days 365
    Signature ok
    subject=/CN=magedu
    Getting CA Private Key


    添加到 kubeconfig 中使其可以认证(--embed-certs=true 会把证书和私钥以 base64 形式嵌入 kubeconfig，此后该文件本身就等同于私钥，权限保持 0600):
    [root@k8s-master pki]# kubectl config set-credentials magedu --client-certificate=./magedu.crt --client-key=./magedu.key --embed-certs=true
    User "magedu" set.

    [root@k8s-master pki]# kubectl config view
    apiVersion: v1
    clusters:
    - cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://10.250.0.89:6443
    name: kubernetes
    contexts:
    - context:
    cluster: kubernetes
    user: kubernetes-admin
    name: kubernetes-admin@kubernetes
    current-context: kubernetes-admin@kubernetes
    kind: Config
    preferences: {}
    users:
    - name: kubernetes-admin
    user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
    - name: magedu
    user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED


    [root@k8s-master pki]# kubectl config set-context magedu@kubernetes --cluster=kubernetes --user=magedu
    Context "magedu@kubernetes" created.

    [root@k8s-master pki]# kubectl config view
    apiVersion: v1
    clusters:
    - cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://10.250.0.89:6443
    name: kubernetes
    contexts:
    - context:
    cluster: kubernetes
    user: kubernetes-admin
    name: kubernetes-admin@kubernetes
    - context:
    cluster: kubernetes
    user: magedu
    name: magedu@kubernetes
    current-context: kubernetes-admin@kubernetes
    kind: Config
    preferences: {}
    users:
    - name: kubernetes-admin
    user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
    - name: magedu
    user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

    切换上下文:
    [root@k8s-master pki]# kubectl config use-context magedu@kubernetes
    Switched to context "magedu@kubernetes".

    [root@k8s-master pki]# kubectl get pods
    Error from server (Forbidden): pods is forbidden: User "magedu" cannot list resource "pods" in API group "" in the namespace "default"
    说明: 返回的是 Forbidden(403) 而不是 Unauthorized(401)，证明证书认证已经通过、apiserver 已识别出用户 magedu，只是还没有任何 RBAC 授权；需要创建 Role/ClusterRole 并用 RoleBinding/ClusterRoleBinding 绑定到 User "magedu" 后才能访问

    切换回admin
    [root@k8s-master pki]# kubectl config use-context kubernetes-admin@kubernetes
    Switched to context "kubernetes-admin@kubernetes".


    定义集群(用 --kubeconfig 写入一个单独的 kubeconfig 文件，可以为 magedu 生成一份只包含其自身凭据的最小 kubeconfig；/tmp 是共享目录，演示完成后应把文件移到受保护路径并设为 0600):
    [root@k8s-master pki]# kubectl config set-cluster mycluster --kubeconfig=/tmp/test.conf --server="https://172.20.0.70:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
    Cluster "mycluster" set.
    [root@k8s-master pki]# kubectl config view --kubeconfig=/tmp/test.conf
    apiVersion: v1
    clusters:
    - cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://172.20.0.70:6443
    name: mycluster
    contexts: []
    current-context: ""
    kind: Config
    preferences: {}
    users: []


    通过 magedu 去访问 k8s 集群: 在 /tmp/test.conf 中同样用 set-credentials 加入 magedu 的证书和私钥、用 set-context 把 mycluster 与 magedu 绑定并 use-context，再在集群侧为 User "magedu" 创建 RoleBinding 授权，之后即可用 kubectl --kubeconfig=/tmp/test.conf 访问(原文此处内容缺失)























  • 原文地址:https://www.cnblogs.com/heaven-xi/p/11312623.html