k8s apiServer authentication

1. apiServer introduction
1.1 apiServer introduction
kube-apiserver is one of the core components of k8s. It mainly provides:
1. The REST API for cluster management, including authentication, authorization, data validation and cluster state changes.
2. The data exchange and communication path between the other modules.
The other modules query or modify data through the API server; only the API server talks to etcd directly.
1.2 Access control flow
Every request to the k8s API passes through several stages of access control before its actual logic runs: authentication, authorization and admission control (built-in admission plugins plus admission webhooks).

Authentication, Authorization: who the caller is, and whether that identity is allowed to perform the request.
Mutating admission: a webhook that runs after the user applies a YAML and may rewrite the object, for example to fill in default values.
istio injects a sidecar into every pod exactly this way: its mutating webhook adds a container to the user's pod spec.
Object Schema Validation: the field validation built into k8s.
Validating admission: a webhook that validates the object's content; mostly used to validate custom resources.
1.3 Access control details

authentication: verify the caller's identity
audit: the audit log, which records which user performed which operation
impersonation: act as another user (Rancher reportedly uses this feature)
max-in-flight: the number of requests the api-server processes concurrently
authorization: decide whether the authenticated identity may perform the operation
kube-aggregator: the keda project uses the api-server's aggregation layer so that some requests arriving at the api-server are routed to keda's own logic.
2. Authentication plugin: static token file
2.1 Introduction
To authenticate with a static token file, start the API server with --token-auth-file=tokenFile.
The file is CSV. Each line has at least three columns: token, username, user uid, plus an optional fourth column holding a quoted, comma-separated list of groups:

token,user,uid,"group1,group2,group3"

The file is read once at startup: adding, changing or revoking a token requires restarting kube-apiserver, and the tokens never expire. Since it is a plaintext bearer secret on the control-plane host, keep it owned by root with mode 0600, and treat this mechanism as something for lab clusters and bootstrapping rather than for day-to-day user access.
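To make the format concrete, the script below is an added example (it is not code from the original post): it generates a random token, checks a token file line by line for the cases the apiserver either rejects at startup or handles silently, and prints the user, uid and groups the apiserver would derive from each record. The file names in the usage comment are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: create and sanity-check a
# kube-apiserver static token file. File names used here are constructed.
set -eu

# 16 random bytes from the kernel CSPRNG as 32 hex characters. The apiserver
# compares the bearer token byte-for-byte, so a guessable token such as
# "cncamp-token" is only acceptable in a throwaway lab.
gen_static_token() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# Print "user uid groups" for every record, i.e. the identity the apiserver
# derives from the line. Assumes token, user and uid contain no commas; the
# optional fourth column is the quoted, comma-separated group list.
token_file_identities() {
    while IFS=, read -r token user uid rest || [ -n "$token" ]; do
        [ -n "$token" ] || continue                 # blank line or empty token
        groups=${rest#\"}; groups=${groups%\"}      # strip the CSV quotes
        printf '%s %s %s\n' "$user" "$uid" "${groups:--}"
    done < "$1"
}

# Return non-zero, with a reason on stderr, for records the apiserver would
# reject or silently mangle: fewer than three columns (the apiserver refuses
# to start), a group list with commas that is not quoted (columns after the
# fourth are ignored, so groups get dropped) and duplicate tokens (the last
# record wins). An empty user or uid is rejected here as well, although the
# apiserver itself only warns about an empty token.
check_static_token_file() {
    file=$1; n=0; bad=0
    while IFS=, read -r token user uid rest || [ -n "$token" ]; do
        n=$((n + 1))
        [ -n "$token" ] || continue
        if [ -z "$user" ] || [ -z "$uid" ]; then
            echo "$file:$n: need token,user,uid (got '$token,$user,$uid')" >&2; bad=1
        fi
        case $rest in
            \"*\") ;;                                              # quoted group list
            *,*) echo "$file:$n: quote the group list: $rest" >&2; bad=1 ;;
        esac
    done < "$file"
    dups=$(cut -d, -f1 "$file" | sed '/^$/d' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "$file: duplicate token(s): $dups" >&2; bad=1
    fi
    return "$bad"
}

# Usage (constructed names): build a file for user cncamp, lock it down, check it.
#   tok=$(gen_static_token)
#   printf '%s,cncamp,1000,"group1,group2,group3"\n' "$tok" > static-token
#   chmod 600 static-token && check_static_token_file static-token && token_file_identities static-token
```

The checks mirror what the apiserver's CSV reader does with the file: a short record is a startup failure, an unquoted group list silently loses everything past the first group, and a repeated token silently maps to the last record, which is why all three are reported here rather than discovered in the apiserver log after a restart.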
2.2 Walkthrough
1. Prepare the token file. The token is cncamp-token, the user is cncamp, the uid is 1000 and the groups are group1, group2 and group3.

mkdir -p /etc/kubernetes/auth
cp static-token /etc/kubernetes/auth
root@ubuntu-focal:/etc/kubernetes/auth# cat static-token
cncamp-token,cncamp,1000,"group1,group2,group3"

2. Back up kube-apiserver.yaml
root@ubuntu-focal:/etc/kubernetes/auth# cd /etc/kubernetes/manifests/
root@ubuntu-focal:/etc/kubernetes/manifests# ll
total 32
drwxr-xr-x 2 root root 4096 Jan 29 12:57 ./
drwxr-xr-x 5 root root 4096 Jan 29 12:50 ../
-rw------- 1 root root 2232 Jan 29 12:13 etcd.yaml
-rw------- 1 root root 4256 Jan 29 12:57 kube-apiserver.yaml
-rw------- 1 root root 4018 Jan 29 12:51 kube-apiserverbak.yaml
-rw------- 1 root root 3560 Jan 29 12:13 kube-controller-manager.yaml
-rw------- 1 root root 1479 Jan 29 12:13 kube-scheduler.yaml
root@ubuntu-focal:/etc/kubernetes/manifests# cp kube-apiserver.yaml kube-apiserverbak.yaml

Note that the kubelet treats every file in /etc/kubernetes/manifests/ as a static pod manifest, so a backup left in this directory (as in the listing above) is itself picked up as a pod definition. Keep backups outside the manifests directory.

3. Modify the apiserver YAML. Three places change: a new command-line flag, a volumeMount in the container, and a hostPath volume that makes the token file visible inside the pod.
    - --token-auth-file=/etc/kubernetes/auth/static-token

    - mountPath: /etc/kubernetes/auth
      name: auth-files
      readOnly: true

  - hostPath:
      path: /etc/kubernetes/auth
      type: DirectoryOrCreate
    name: auth-files
The modified YAML:
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.0.2.15:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.0.2.15
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    - --token-auth-file=/etc/kubernetes/auth/static-token
    image: registry.aliyuncs.com/google_containers/kube-apiserver:v1.22.2
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 10.0.2.15
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    name: kube-apiserver
    readinessProbe:
      failureThreshold: 3
      httpGet:
        host: 10.0.2.15
        path: /readyz
        port: 6443
        scheme: HTTPS
      periodSeconds: 1
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    startupProbe:
      failureThreshold: 24
      httpGet:
        host: 10.0.2.15
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/ca-certificates
      name: etc-ca-certificates
      readOnly: true
    - mountPath: /etc/pki
      name: etc-pki
      readOnly: true
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /usr/local/share/ca-certificates
      name: usr-local-share-ca-certificates
      readOnly: true
    - mountPath: /usr/share/ca-certificates
      name: usr-share-ca-certificates
      readOnly: true
    - mountPath: /etc/kubernetes/auth
      name: auth-files
      readOnly: true
  hostNetwork: true
  priorityClassName: system-node-critical
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  volumes:
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/ca-certificates
      type: DirectoryOrCreate
    name
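The script below is an added example, not the author's own commands: it performs the three edits from step 3 with awk, idempotently, writes the backup to a directory the kubelet does not watch, and replaces the manifest with an atomic rename so the kubelet never reads a half-written pod. MANIFEST, AUTH_DIR, TOKEN_FILE and the backup directory /root/kube-apiserver-backup are assumptions that match the paths used in this post; it assumes a kubeadm-style manifest in which the container command is a YAML list beginning with `- kube-apiserver`.

```shell
#!/bin/sh
# Added example (not part of the original post): apply the three manifest
# edits from section 2.2 idempotently and safely. All paths are assumptions.
set -eu

MANIFEST=${MANIFEST:-/etc/kubernetes/manifests/kube-apiserver.yaml}
AUTH_DIR=${AUTH_DIR:-/etc/kubernetes/auth}
TOKEN_FILE=${TOKEN_FILE:-$AUTH_DIR/static-token}

# Copy the manifest to a directory the kubelet does not watch. Every non-dot
# file in the static-pod directory is itself loaded as a pod definition, so a
# backup left there (as in the post's listing) is picked up by the kubelet.
backup_manifest() {
    src=$1; dest_dir=$2
    mkdir -p "$dest_dir"
    if [ "$(cd "$dest_dir" && pwd -P)" = "$(cd "$(dirname "$src")" && pwd -P)" ]; then
        echo "refusing to back up into the static-pod directory $dest_dir" >&2
        return 1
    fi
    cp -p "$src" "$dest_dir/$(basename "$src").$(date +%Y%m%d%H%M%S).bak"
}

# Insert --token-auth-file, the volumeMount and the hostPath volume. Each new
# entry copies the indentation of the neighbouring list item so the YAML stays
# valid. A manifest that already carries the flag is left untouched.
add_token_auth() {
    manifest=$1; token_file=$2; auth_dir=$3
    if grep -q -- '--token-auth-file=' "$manifest"; then
        echo "$manifest already has --token-auth-file, nothing to do"
        return 0
    fi
    # a dot-prefixed temp file in the same directory is ignored by the kubelet
    tmp="$(dirname "$manifest")/.$(basename "$manifest").tmp"
    awk -v tf="$token_file" -v dir="$auth_dir" '
        function ind(s) { match(s, /^ */); return substr(s, 1, RLENGTH) }
        # the line following volumeMounts:/volumes: reveals the item indentation
        state == "mount" { i = ind($0); print i "- mountPath: " dir
                           print i "  name: auth-files"; print i "  readOnly: true"; state = "" }
        state == "vol"   { i = ind($0); print i "- hostPath:"; print i "    path: " dir
                           print i "    type: DirectoryOrCreate"; print i "  name: auth-files"; state = "" }
        { print }
        /^ *- kube-apiserver$/ { print ind($0) "- --token-auth-file=" tf }
        /^ *volumeMounts:$/    { state = "mount" }
        /^ *volumes:$/         { state = "vol" }
    ' "$manifest" > "$tmp"
    chmod 600 "$tmp"               # same mode as the kubeadm-generated manifest
    mv -f "$tmp" "$manifest"       # rename is atomic on the same filesystem
}

# Run with "apply" on the control-plane node; without arguments it only
# defines the functions. /root/kube-apiserver-backup is a hypothetical path.
case ${1:-} in
    apply)
        backup_manifest "$MANIFEST" /root/kube-apiserver-backup
        add_token_auth "$MANIFEST" "$TOKEN_FILE" "$AUTH_DIR"
        ;;
esac
```

Once the kubelet has restarted the static pod (watch it with `kubectl -n kube-system get pod -w` or `crictl ps`), verify that the token is actually being authenticated rather than just accepted by the manifest: `curl --cacert /etc/kubernetes/pki/ca.crt -H 'Authorization: Bearer cncamp-token' https://10.0.2.15:6443/api` returns 200 with the API versions, because every authenticated user is in the system:authenticated group that the system:discovery role is bound to, while a wrong token returns 401. `kubectl --server=https://10.0.2.15:6443 --certificate-authority=/etc/kubernetes/pki/ca.crt --token=cncamp-token get pods` then returns Forbidden naming user "cncamp": authentication succeeded, and RBAC (the next stage in section 1.2) has nothing bound to that user yet.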
