1. 认证

1.1 token登录

1.1.1 生成token

openssl rand -hex 10

1.1.2 创建认证文件

cat /etc/kubernetes/pki/ren.csv
d4cd5cf1f44fc9232f4c,ren,3

1.1.3 修改kube-api配置

- --token-auth-file=/etc/kubernetes/pki/ren.csv

1.1.4 重启kubelet

systemctl restart kubelet

1.1.5 登录

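# Verify the apiserver certificate instead of turning TLS checks off: with
# --insecure-skip-tls-verify=true the bearer token is handed to whatever answers
# at that address. ca.crt is the cluster CA in /etc/kubernetes/pki (the same file
# copied in 1.2.1); the node003 invocation in 2.4 has the same issue.
# Note: the token passed via --token ends up in shell history and `ps` output.
kubectl -s https://172.17.203.55:6443 --certificate-authority=/etc/kubernetes/pki/ca.crt --token="d4cd5cf1f44fc9232f4c" get nodes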

1.2 kubeconfig登录

[root@node001 chap11-helm]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://172.17.203.55:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
namespace: chap11-helm
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED

kubeconfig文件由3部分组成
1.集群信息
 1.集群的证书
 2.集群的地址
2.上下文信息
 1.集群信息
 2.用户

3.用户信息
 1.用户的证书
 2.用户的私钥

1.2.1 创建kubeconfig

复制ca

cp /etc/kubernetes/pki/ca.crt .

创建私钥

openssl genrsa -out ren.key 2048

生成证书请求文件

openssl req -new -key ren.key -subj "/CN=ren" -out ren.csr

转为base64

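# Base64 of the CSR on a single line — this is what the "request" field of
# csr.yaml expects. Redirect the file rather than piping it through cat.
base64 < ren.csr | tr -d '\n'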

创建证书申请yaml
[root@node001 aa]# cat csr.yaml

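apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ren
spec:
  groups:
  - system:authenticated
  # Signed by the apiserver's client-cert signer: the resulting certificate is a
  # client credential for this cluster and the CSR's CN ("/CN=ren" above)
  # becomes the username the apiserver sees (User "ren" in the Forbidden error below).
  signerName: kubernetes.io/kube-apiserver-client
  # Single-line base64 of ren.csr, i.e. the output of the "转为base64" step.
  request: <BASE64_OF_ren.csr>   # placeholder — paste the real value
  usages:
  - client auth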

查看证书申请

[root@node001 aa]# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
ren 25s kubernetes.io/kube-apiserver-client kubernetes-admin <none> Pending

审批

kubectl certificate approve ren

查看csr

kubectl get csr ren -o yaml

生成证书文件

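# After approval the signed certificate is in the CSR's status.certificate
# (visible in the "查看csr" step). Read it from the API directly instead of
# copying the base64 string into an echo command by hand.
kubectl get csr ren -o jsonpath='{.status.certificate}' | base64 -d > ren.crt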

生成kubeconfig

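# Build kc1 for user "ren". The apiserver address must be this cluster's:
# everywhere else on this page it is https://172.17.203.55:6443 (kubectl config
# view, the token login); 192.168.10.31 in the original looked like a leftover
# from another environment.
kubectl config --kubeconfig=kc1 set-cluster cluster1 --server=https://172.17.203.55:6443 --certificate-authority=ca.crt --embed-certs=true
kubectl config --kubeconfig=kc1 set-credentials ren --client-certificate=ren.crt --client-key=ren.key --embed-certs=true
kubectl config --kubeconfig=kc1 set-context context1 --cluster=cluster1 --namespace=default --user=ren
# Without a current-context kc1 has no default cluster/user; the
# "使用kubeconfig" step below expects requests to go out as user "ren".
kubectl config --kubeconfig=kc1 use-context context1
# --embed-certs=true copies ren.key into kc1, so the file is itself a credential.
chmod 600 kc1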

使用kubeconfig

kubectl --kubeconfig kc1 get pod
Error from server (Forbidden): pods is forbidden: User "ren" cannot list resource "pods" in API group "" in the namespace "default"

2. 授权

2.1 了解授权

- --authorization-mode=Node,RBAC
- --authorization-mode=AlwaysAllow #允许所有请求
- --authorization-mode=AlwaysDeny #拒绝所有请求
- --authorization-mode=ABAC
Attribute-Based Access Control，不够灵活，已放弃

- --authorization-mode=RBAC
Role Based Access Control
- --authorization-mode=Node
Node授权器主要用于各个node上的kubelet访问apiserver时使用,其他请求一般均由RBAC授权器来授权

2.2 role管理

创建role1

kubectl create role role1 --verb get,list --resource=pod,svc

查看role1

[root@node001 aa]# kubectl describe role role1 
Name: role1
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
pods [] [] [get list]
services [] [] [get list]

生成yaml

kubectl create role role1 --verb get,list --resource=pod,svc --dry-run=client -o yaml > role1.yaml

根据需求修改权限

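# role1.yaml — generated with --dry-run=client (hence creationTimestamp: null)
# and then edited. The `kubectl create role` command in 2.2 granted only
# get/list on pods and services; this file widens that to create/delete and adds
# a second rule for apps deployments including the scale subresource. Being a
# Role (not ClusterRole) it applies only in the namespace it is created in.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: role1
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - services
  verbs:
  - get
  - list
  - create
  - delete
- apiGroups:
  - "apps"
  resources:
  - deployments
  - deployments/scale
  verbs:
  - get
  - list
  - create
  - patch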

2.3 创建rolebinding

kubectl create rolebinding rbind1 --role role1 --user ren

查看

[root@node001 aa]# kubectl get rolebindings.rbac.authorization.k8s.io rbind1 -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: "2022-09-14T10:04:28Z"
name: rbind1
namespace: chap12-safe
resourceVersion: "674021"
uid: 92aa36a2-f558-4e63-a738-c787acf236b8
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: role1
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: ren

2.4 验证

[root@node001 aa]# kubectl --kubeconfig kc1 get pod
No resources found in chap12-safe namespace.

[root@node003 ~]# kubectl -s https://172.17.203.55:6443 --insecure-skip-tls-verify=true --token="d4cd5cf1f44fc9232f4c" -n chap12-safe get pod
No resources found in chap12-safe namespace.

3. serviceaccount

k8s集群有两种账户

user account 用户账户 —用于登录kubernetes
service account 服务账户 —主要用于对pod里的进程进行授权

pod都要以某个sa账号运行,默认使用default这个sa,每个ns里都会自动创建一个default

1.20(含)之前的版本
每创建一个sa,都会生成一个secret,这个secret里包含了一个token,在pod里加载这个token

1.21~1.23之间的版本
每创建一个sa,都会生成一个secret,这个secret里包含一个token,在pod里并不使用这个token,而是由kubelet去申请

1.24开始
每创建一个sa,不会再生成secret,在pod里会由kubelet去申请

3.1 创建sa账号

kubectl create sa sa1

3.2 绑定管理员

kubectl create clusterrolebinding sabind1 --clusterrole cluster-admin --serviceaccount chap12-safe:sa1

3.3 创建secret

[root@node001 aa]# cat sa1-secret.yaml

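# sa1-secret.yaml — a service-account-token secret tied to sa1 through the
# annotation; the token read in 3.4 is taken from this secret's data.token.
# sa1 is bound to cluster-admin in 3.2, so the token stored here is a
# long-lived full-admin credential and the secret should be treated as such.
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: sa1
  annotations:
    kubernetes.io/service-account.name: "sa1"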

3.4 获取token

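# Read the token from the secret created in 3.3; quote the jsonpath so the shell
# never interprets the braces. Because sa1 is bound to cluster-admin (3.2) this
# is a full-admin, non-expiring credential — keep it out of shell history and
# logs. On 1.24+ a short-lived token can be issued instead with
# `kubectl create token sa1 --duration=1h`.
kubectl get secrets sa1 -o jsonpath='{.data.token}' | base64 -d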

3.5 登录dashboard
使用token登录dashboard