k8s-apiServer认证

Posted DevOperaterVita

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了k8s-apiServer认证相关的知识,希望对你有一定的参考价值。

1.apiServer介绍

1.1apiServer介绍

kube-apiserver是k8s核心组件之一,主要提供以下功能:

1.提供集群管理的REST API接口,包括认证、授权、数据校验及集群状态变更。

2.提供与其他模块之间的数据交互和通信。

其他模块通过api server查询或修改数据,只有api server才能直接操作etcd

1.2访问控制流程

k8s API的每个请求都会经过多阶段的访问控制后才能进行相应的逻辑处理,这些访问控制包含 认证、授权、准入控制(admission webhook)

k8s-apiServer认证_认证

Authentication Authorization:认证、鉴权逻辑

Mutating admission:是一个webhook,可以在用户apply yaml后,通过逻辑处理来修改用户的yaml,设置一些默认值。

istio会为每个pod注入一个sideCar就是因为 mutate webhook在用户的yaml中新增了一个container配置。

Object Schema Validation:k8s自带的yaml字段校验逻辑

Validating admission:是一个webhook,用于校验yaml中的内容,多用于自定义资源的yaml的校验。

1.3访问控制细节

k8s-apiServer认证_x509_02

authentication:认证

audit:审计日志,记录哪个用户做了哪些操作

impersonation:伪装成其他用户,据说rancher使用了该功能

max-in-flight:api-server可以并发处理的请求数

authorization:鉴权

kube-aggregator:keda这个项目就使用了api-server的aggregate功能,使得部分到达api-server的请求,可以到达我们写的逻辑中。

2.认证插件-静态token文件

2.1介绍

使用静态Token文件认证只需要API Server启动时配置--token-auth-file=tokenFile

该文件为csv格式,每行至少包括三列token,username,user id,

token,user,uid,"group1,group2,group3”

2.2操作示例

1.准备token文件

token为cncamp-token

user为cncamp

mkdir -p /etc/kubernetes/auth
cp static-token /etc/kubernetes/auth
root@ubuntu-focal:/etc/kubernetes/auth# cat static-token
cncamp-token,cncamp,1000,"group1,group2,group3"

2.备份api-server.yaml

root@ubuntu-focal:/etc/kubernetes/auth# cd /etc/kubernetes/manifests/
root@ubuntu-focal:/etc/kubernetes/manifests# ll
total 32
drwxr-xr-x 2 root root 4096 Jan 29 12:57 ./
drwxr-xr-x 5 root root 4096 Jan 29 12:50 ../
-rw------- 1 root root 2232 Jan 29 12:13 etcd.yaml
-rw------- 1 root root 4256 Jan 29 12:57 kube-apiserver.yaml
-rw------- 1 root root 4018 Jan 29 12:51 kube-apiserverbak.yaml
-rw------- 1 root root 3560 Jan 29 12:13 kube-controller-manager.yaml
-rw------- 1 root root 1479 Jan 29 12:13 kube-scheduler.yaml
root@ubuntu-focal:/etc/kubernetes/manifests# cp kube-apiserver.yaml kube-apiserverbak.yam

3.修改apiserver yaml

修改的地方有如下几处

- --token-auth-file=/etc/kubernetes/auth/static-token


- mountPath: /etc/kubernetes/auth
name: auth-files
readOnly: true

- hostPath:
path: /etc/kubernetes/auth
type: DirectoryOrCreate
name: auth-files

修改后的yaml如下

apiVersion: v1
kind: Pod
metadata:
annotations:
kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.0.2.15:6443
creationTimestamp: null
labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
- kube-apiserver
- --advertise-address=10.0.2.15
- --allow-privileged=true
- --authorization-mode=Node,RBAC
- --client-ca-file=/etc/kubernetes/pki/ca.crt
- --enable-admission-plugins=NodeRestriction
- --enable-bootstrap-token-auth=true
- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
- --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
- --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
- --etcd-servers=https://127.0.0.1:2379
- --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
- --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
- --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
- --requestheader-allowed-names=front-proxy-client
- --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
- --requestheader-extra-headers-prefix=X-Remote-Extra-
- --requestheader-group-headers=X-Remote-Group
- --requestheader-username-headers=X-Remote-User
- --secure-port=6443
- --service-account-issuer=https://kubernetes.default.svc.cluster.local
- --service-account-key-file=/etc/kubernetes/pki/sa.pub
- --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
- --service-cluster-ip-range=10.96.0.0/12
- --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
- --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
- --token-auth-file=/etc/kubernetes/auth/static-token
image: registry.aliyuncs.com/google_containers/kube-apiserver:v1.22.2
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 8
httpGet:
host: 10.0.2.15
path: /livez
port: 6443
scheme: HTTPS
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 15
name: kube-apiserver
readinessProbe:
failureThreshold: 3
httpGet:
host: 10.0.2.15
path: /readyz
port: 6443
scheme: HTTPS
periodSeconds: 1
timeoutSeconds: 15
resources:
requests:
cpu: 250m
startupProbe:
failureThreshold: 24
httpGet:
host: 10.0.2.15
path: /livez
port: 6443
scheme: HTTPS
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 15
volumeMounts:
- mountPath: /etc/ssl/certs
name: ca-certs
readOnly: true
- mountPath: /etc/ca-certificates
name: etc-ca-certificates
readOnly: true
- mountPath: /etc/pki
name: etc-pki
readOnly: true
- mountPath: /etc/kubernetes/pki
name: k8s-certs
readOnly: true
- mountPath: /usr/local/share/ca-certificates
name: usr-local-share-ca-certificates
readOnly: true
- mountPath: /usr/share/ca-certificates
name: usr-share-ca-certificates
readOnly: true
- mountPath: /etc/kubernetes/auth
name: auth-files
readOnly: true
hostNetwork: true
priorityClassName: system-node-critical
securityContext:
seccompProfile:
type: RuntimeDefault
volumes:
- hostPath:
path: /etc/ssl/certs
type: DirectoryOrCreate
name: ca-certs
- hostPath:
path: /etc/ca-certificates
type: DirectoryOrCreate
namek8s-apiServer鉴权

k8s-apiServer 准入控制插件(webhook)

Internet Explorer(IE11)无法打开基本认证窗口。

微服务架构认证鉴权方案

API安全-认证

*5 用户管理命令组管理命令用户认证命令与其他命令的使用