k8s-apiServer认证
Posted DevOperaterVita
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了k8s-apiServer认证相关的知识,希望对你有一定的参考价值。
1.apiServer介绍
1.1apiServer介绍
kube-apiserver是k8s核心组件之一,主要提供以下功能:
1.提供集群管理的REST API接口,包括认证、授权、数据校验及集群状态变更。
2.提供与其他模块之间的数据交互和通信。
其他模块通过api server查询或修改数据,只有api server才能直接操作etcd
1.2访问控制流程
k8s API的每个请求都会经过多阶段的访问控制后才能进行相应的逻辑处理,这些访问控制包含 认证、授权、准入控制(admission webhook)。
Authentication Authorization:认证、鉴权逻辑
Mutating admission:是一个webhook,可以在用户apply yaml后,通过逻辑处理来修改用户的yaml,设置一些默认值。
istio会为每个pod注入一个sideCar就是因为 mutate webhook在用户的yaml中新增了一个container配置。
Object Schema Validation:k8s自带的yaml字段校验逻辑
Validating admission:是一个webhook,用于校验yaml中的内容,多用于自定义资源的yaml的校验。
1.3访问控制细节
authentication:认证
audit:审计日志,记录哪个用户做了哪些操作
impersonation:伪装成其他用户,据说rancher使用了该功能
max-in-flight:api-server可以并发处理的请求数
authorization:鉴权
kube-aggregator:keda这个项目就使用了api-server的aggregate功能,使得部分到达api-server的请求,可以到达我们写的逻辑中。
2.认证插件-静态token文件
2.1介绍
使用静态Token文件认证只需要API Server启动时配置--token-auth-file=tokenFile
该文件为csv格式,每行至少包括三列token,username,user id,
token,user,uid,"group1,group2,group3”
2.2操作示例
1.准备token文件
token为cncamp-token
user为cncamp
mkdir -p /etc/kubernetes/auth
cp static-token /etc/kubernetes/auth
root@ubuntu-focal:/etc/kubernetes/auth# cat static-token
cncamp-token,cncamp,1000,"group1,group2,group3"
2.备份api-server.yaml
root@ubuntu-focal:/etc/kubernetes/auth# cd /etc/kubernetes/manifests/
root@ubuntu-focal:/etc/kubernetes/manifests# ll
total 32
drwxr-xr-x 2 root root 4096 Jan 29 12:57 ./
drwxr-xr-x 5 root root 4096 Jan 29 12:50 ../
-rw------- 1 root root 2232 Jan 29 12:13 etcd.yaml
-rw------- 1 root root 4256 Jan 29 12:57 kube-apiserver.yaml
-rw------- 1 root root 4018 Jan 29 12:51 kube-apiserverbak.yaml
-rw------- 1 root root 3560 Jan 29 12:13 kube-controller-manager.yaml
-rw------- 1 root root 1479 Jan 29 12:13 kube-scheduler.yaml
root@ubuntu-focal:/etc/kubernetes/manifests# cp kube-apiserver.yaml kube-apiserverbak.yam
3.修改apiserver yaml
修改的地方有如下几处
--token-auth-file=/etc/kubernetes/auth/static-token
mountPath/etc/kubernetes/auth
nameauth-files
readOnlytrue
hostPath
path/etc/kubernetes/auth
typeDirectoryOrCreate
nameauth-files
修改后的yaml如下
apiVersionv1
kindPod
metadata
annotations
kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint10.0.2.156443
creationTimestampnull
labels
componentkube-apiserver
tiercontrol-plane
namekube-apiserver
namespacekube-system
spec
containers
command
kube-apiserver
--advertise-address=10.0.2.15
--allow-privileged=true
--authorization-mode=Node,RBAC
--client-ca-file=/etc/kubernetes/pki/ca.crt
--enable-admission-plugins=NodeRestriction
--enable-bootstrap-token-auth=true
--etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
--etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
--etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
--etcd-servers=https://127.0.0.1:2379
--kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
--kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
--proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
--proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
--requestheader-allowed-names=front-proxy-client
--requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
--requestheader-extra-headers-prefix=X-Remote-Extra-
--requestheader-group-headers=X-Remote-Group
--requestheader-username-headers=X-Remote-User
--secure-port=6443
--service-account-issuer=https://kubernetes.default.svc.cluster.local
--service-account-key-file=/etc/kubernetes/pki/sa.pub
--service-account-signing-key-file=/etc/kubernetes/pki/sa.key
--service-cluster-ip-range=10.96.0.0/12
--tls-cert-file=/etc/kubernetes/pki/apiserver.crt
--tls-private-key-file=/etc/kubernetes/pki/apiserver.key
--token-auth-file=/etc/kubernetes/auth/static-token
imageregistry.aliyuncs.com/google_containers/kube-apiserverv1.22.2
imagePullPolicyIfNotPresent
livenessProbe
failureThreshold8
httpGet
host10.0.2.15
path/livez
port6443
schemeHTTPS
initialDelaySeconds10
periodSeconds10
timeoutSeconds15
namekube-apiserver
readinessProbe
failureThreshold3
httpGet
host10.0.2.15
path/readyz
port6443
schemeHTTPS
periodSeconds1
timeoutSeconds15
resources
requests
cpu250m
startupProbe
failureThreshold24
httpGet
host10.0.2.15
path/livez
port6443
schemeHTTPS
initialDelaySeconds10
periodSeconds10
timeoutSeconds15
volumeMounts
mountPath/etc/ssl/certs
nameca-certs
readOnlytrue
mountPath/etc/ca-certificates
nameetc-ca-certificates
readOnlytrue
mountPath/etc/pki
nameetc-pki
readOnlytrue
mountPath/etc/kubernetes/pki
namek8s-certs
readOnlytrue
mountPath/usr/local/share/ca-certificates
nameusr-local-share-ca-certificates
readOnlytrue
mountPath/usr/share/ca-certificates
nameusr-share-ca-certificates
readOnlytrue
mountPath/etc/kubernetes/auth
nameauth-files
readOnlytrue
hostNetworktrue
priorityClassNamesystem-node-critical
securityContext
seccompProfile
typeRuntimeDefault
volumes
hostPath
path/etc/ssl/certs
typeDirectoryOrCreate
nameca-certs
hostPath
path/etc/ca-certificates
typeDirectoryOrCreate
name