Kubernetes Cluster Security Configuration

Posted by WaltonWang


For more in-depth articles on Kubernetes, see my blog home pages on CSDN or OSChina.

Over the past two days I have been going through the security configuration of a Kubernetes cluster. It touches the configuration of every component, so in the end I decided to draw a diagram, which should make the relationships clearer.

The following configuration is involved:

  1. Configuration of each of the other components when it acts as a client to kube-apiserver; this corresponds to the black lines in the diagram:

    • kube-apiserver

      ```
      --secure-port=443
      --client-ca-file=/var/run/kubernetes/dd_ca.crt
      --tls-private-key-file=/var/run/kubernetes/dd_server.key
      ```
    • kube-controller-manager

      ```
      --kubeconfig=/etc/kubernetes/cmkubeconfig

      apiVersion: v1
      kind: Config
      users:
      - name: controllermanager
        user:
          client-certificate: /var/run/kubernetes/dd_cs_client.crt
          client-key: /var/run/kubernetes/dd_cs_client.key
      clusters:
      - name: local
        cluster:
          certificate-authority: /var/run/kubernetes/dd_ca.crt
      contexts:
      - context:
          cluster: local
          user: controllermanager
        name: my-context
      current-context: my-context
      ```
      
    • kube-scheduler
      The security configuration for kube-scheduler's access to the apiserver is the same as for kube-controller-manager.

    • kubelet

      ```
      --kubeconfig=/var/lib/kubelet/kubeconfig

      apiVersion: v1
      kind: Config
      users:
      - name: kubelet
        user:
          client-certificate: /home/dd_kubelet_client.crt
          client-key: /home/dd_kubelet_client.key
      clusters:
      - name: local
        cluster:
          certificate-authority: /home/dd_ca.crt
      contexts:
      - context:
          cluster: local
          user: kubelet
        name: my-context
      current-context: my-context
      ```
      
    • kube-proxy

      ```
      --kubeconfig=/var/lib/kubeproxy/proxykubeconfig

      apiVersion: v1
      kind: Config
      users:
      - name: kubeproxy
        user:
          client-certificate: /home/dd_kubelet_client.crt
          client-key: /home/dd_kubelet_client.key
      clusters:
      - name: local
        cluster:
          certificate-authority: /home/dd_ca.crt
      contexts:
      - context:
          cluster: local
          user: kubeproxy
        name: my-context
      current-context: my-context
      ```
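The kubeconfig files above all follow the same shape, and a mistyped key under `user:` or a context pointing at a user that does not exist produces no error when the file is loaded: client-go drops unknown fields and the component simply connects without a credential, failing later with an opaque 401 or 403. The following is an added example, not code from the original post, that checks a parsed kubeconfig for exactly these consistency problems. It works on the mapping you get from `yaml.safe_load` (PyYAML) or from `json.load` over `kubectl config view --raw -o json`; the loader itself is left out so the block needs only the standard library. The sample configs, the server address and the mistyped key in them are constructed for this example.

```python
"""Static sanity check of a component kubeconfig (added example, not from the post)."""
import difflib

# Keys client-go understands under users[].user and clusters[].cluster.
# Anything else is dropped silently when the file is loaded, so a mistyped
# key leaves the user with no credential instead of producing an error.
KNOWN_USER_KEYS = {
    "client-certificate", "client-certificate-data", "client-key", "client-key-data",
    "token", "tokenFile", "username", "password", "auth-provider", "exec",
    "as", "as-groups", "as-user-extra", "extensions",
}
KNOWN_CLUSTER_KEYS = {
    "server", "certificate-authority", "certificate-authority-data",
    "insecure-skip-tls-verify", "proxy-url", "tls-server-name", "extensions",
}


def _by_name(items, section):
    """Turn a kubeconfig list of {name: ..., <section>: {...}} into a dict keyed by name."""
    out = {}
    for item in items or []:
        if isinstance(item, dict) and "name" in item:
            out[item["name"]] = item.get(section) or {}
    return out


def _unknown_keys(mapping, known, what, findings):
    """Report keys the loader would ignore, with the closest accepted spelling."""
    for key in mapping:
        if key not in known:
            hint = difflib.get_close_matches(key, known, n=1)
            suffix = f" (did you mean '{hint[0]}'?)" if hint else ""
            findings.append(f"{what}: unknown key '{key}'{suffix}")


def check_kubeconfig(cfg):
    """Return a list of findings; an empty list means the file is consistent."""
    findings = []
    if cfg.get("apiVersion") != "v1" or cfg.get("kind") != "Config":
        findings.append("apiVersion/kind must be v1/Config")
    users = _by_name(cfg.get("users"), "user")
    clusters = _by_name(cfg.get("clusters"), "cluster")
    contexts = _by_name(cfg.get("contexts"), "context")

    for name, user in users.items():
        _unknown_keys(user, KNOWN_USER_KEYS, f"user {name}", findings)
        has_cert = any(k in user for k in ("client-certificate", "client-certificate-data"))
        has_key = any(k in user for k in ("client-key", "client-key-data"))
        if has_cert != has_key:
            findings.append(f"user {name}: client certificate and key must be configured together")
        if not (has_cert or any(k in user for k in ("token", "tokenFile", "username", "exec", "auth-provider"))):
            findings.append(f"user {name}: no credential configured")

    for name, cluster in clusters.items():
        _unknown_keys(cluster, KNOWN_CLUSTER_KEYS, f"cluster {name}", findings)
        if "server" not in cluster:
            findings.append(f"cluster {name}: no 'server', client-go falls back to http://localhost:8080")
        if cluster.get("insecure-skip-tls-verify"):
            findings.append(f"cluster {name}: insecure-skip-tls-verify disables verification of the apiserver certificate")
        elif not any(k in cluster for k in ("certificate-authority", "certificate-authority-data")):
            findings.append(f"cluster {name}: no certificate-authority, apiserver certificate is checked against system roots only")

    for name, ctx in contexts.items():
        if ctx.get("cluster") not in clusters:
            findings.append(f"context {name}: references unknown cluster '{ctx.get('cluster')}'")
        if ctx.get("user") not in users:
            findings.append(f"context {name}: references unknown user '{ctx.get('user')}'")
    if cfg.get("current-context") not in contexts:
        findings.append(f"current-context '{cfg.get('current-context')}' is not defined")
    return findings


# Constructed sample inputs in the style of the kubelet kubeconfig above
# (server address and paths are made up for this example).
GOOD_KUBECONFIG = {
    "apiVersion": "v1", "kind": "Config",
    "users": [{"name": "kubelet", "user": {"client-certificate": "/home/dd_kubelet_client.crt",
                                            "client-key": "/home/dd_kubelet_client.key"}}],
    "clusters": [{"name": "local", "cluster": {"server": "https://10.0.0.1:443",
                                               "certificate-authority": "/home/dd_ca.crt"}}],
    "contexts": [{"name": "my-context", "context": {"cluster": "local", "user": "kubelet"}}],
    "current-context": "my-context",
}
BAD_KUBECONFIG = {
    "apiVersion": "v1", "kind": "Config",
    "users": [{"name": "kubelet", "user": {"client-certificats": "/home/dd_kubelet_client.crt",  # mistyped key
                                            "client-key": "/home/dd_kubelet_client.key"}}],
    "clusters": [{"name": "local", "cluster": {"server": "https://10.0.0.1:443",
                                               "insecure-skip-tls-verify": True}}],
    "contexts": [{"name": "my-context", "context": {"cluster": "local", "user": "kube-proxy"}}],  # user not defined
    "current-context": "my-context",
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_KUBECONFIG), ("bad", BAD_KUBECONFIG)):
        print(label, check_kubeconfig(cfg) or ["ok"])
```

Run it against each component's kubeconfig before restarting the component; the unknown-key check is the one that catches typos such as `client-certificats`, which YAML accepts and client-go ignores.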
  2. Configuration for kube-apiserver acting as a client to the kubelet server; this corresponds to the green lines in the diagram:

    • kube-apiserver

      ```
      --kubelet-https
      --kubelet-certificate-authority=/var/run/kubelet/kubelet-ca.crt
      --kubelet-client-certificate=/var/run/kubelet/apiserver-kubelet.crt
      --kubelet-client-key=/var/run/kubelet/apiserver-kubelet.key
      ```
    • kubelet

      ```
      --client-ca-file=/var/run/kubelet/kubelet_ca.crt
      --tls-private-key-file=/var/run/kubelet/server.key
      --tls-cert-file=/var/run/kubelet/server.crt
      ```
  3. Pods access kube-apiserver with a token provided by a ServiceAccount; the configuration involved corresponds to the pink lines in the diagram.

    • Pod.Spec

    Every namespace has a default ServiceAccount. If Pod.Spec.serviceAccountName is not set, the default ServiceAccount is used. In the configuration shown in the diagram above, the Pod is given a custom Pod.Spec.serviceAccountName: build-robot, and automountServiceAccountToken: true means that the token, ca.crt and namespace defined in that ServiceAccount's Secret are automatically mounted into every container of the Pod at the following paths (the ServiceAccount admission controller makes sure the Secret volume is mounted):

      ```
      /var/run/secrets/kubernetes.io/serviceaccount/token
      /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
      /var/run/secrets/kubernetes.io/serviceaccount/namespace
      ```
    • kube-controller-manager

      ```
      --root-ca-file=/var/run/kubernetes/dd_ca.crt
      --service-account-private-key-file=/var/run/kubernetes/dd_server.key
      ```

    With this in place, an application inside the Pod can reach the apiserver in either of two ways:

    • Add a kubectl proxy container; see the kubectl-container example.
    • Use the Go client library and create a client with the rest.InClusterConfig() and kubernetes.NewForConfig() functions; they handle locating and authenticating to the apiserver (see the example).
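What rest.InClusterConfig() does with the three mounted files is small enough to show in full. The block below is an added example, not code from the post or from client-go: it reads the apiserver address from the KUBERNETES_SERVICE_HOST/PORT variables the kubelet injects into every container, takes the bearer token and namespace from the mounted Secret, and pins TLS verification of the apiserver to the mounted ca.crt (the bundle the controller-manager was given via --root-ca-file). The `sample_service_account_dir()` helper, the `build` namespace, the token string and the 10.0.0.1 address are constructed so the block runs outside a cluster; `call_apiserver()` is the only function that touches the network.

```python
"""Added example (not from the post): an in-cluster client built from the
mounted ServiceAccount files, mirroring what client-go's rest.InClusterConfig() does."""
import os
import ssl
import tempfile
import urllib.request

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"


def is_in_cluster(env=os.environ):
    """client-go decides 'in cluster' purely from the Service env vars the kubelet injects."""
    return bool(env.get("KUBERNETES_SERVICE_HOST")) and bool(env.get("KUBERNETES_SERVICE_PORT"))


def in_cluster_config(sa_dir=SA_DIR, env=os.environ):
    """Return host, bearer token, CA path and namespace from the mounted Secret volume."""
    if not is_in_cluster(env):
        raise RuntimeError("KUBERNETES_SERVICE_HOST/PORT not set: not running inside a Pod")
    with open(os.path.join(sa_dir, "token")) as f:
        # The JWT the controller-manager signed with --service-account-private-key-file.
        token = f.read().strip()
    with open(os.path.join(sa_dir, "namespace")) as f:
        namespace = f.read().strip()
    return {
        "host": f"https://{env['KUBERNETES_SERVICE_HOST']}:{env['KUBERNETES_SERVICE_PORT']}",
        "token": token,
        # The --root-ca-file bundle; it verifies the apiserver, never the other way round.
        "ca_file": os.path.join(sa_dir, "ca.crt"),
        "namespace": namespace,
    }


def pods_url(cfg):
    """API path for pods in the Pod's own namespace, the usual scope of an in-cluster client."""
    return f"/api/v1/namespaces/{cfg['namespace']}/pods"


def build_request(cfg, path):
    """The token travels only as a bearer header over TLS; nothing else identifies the Pod."""
    return urllib.request.Request(cfg["host"] + path,
                                  headers={"Authorization": f"Bearer {cfg['token']}"})


def call_apiserver(cfg, path):
    """Perform the request with server verification pinned to the mounted CA (network; not run in tests)."""
    ctx = ssl.create_default_context(cafile=cfg["ca_file"])
    with urllib.request.urlopen(build_request(cfg, path), context=ctx, timeout=10) as resp:
        return resp.read().decode()


def sample_service_account_dir():
    """Constructed stand-in for the mounted Secret volume so the block runs outside a cluster."""
    d = tempfile.mkdtemp()
    files = {
        "token": "constructed.sa.token\n",
        "namespace": "build\n",
        "ca.crt": "-----BEGIN CERTIFICATE-----\nconstructed placeholder, not a real CA\n-----END CERTIFICATE-----\n",
    }
    for name, content in files.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(content)
    return d


# Constructed: what the kubelet would have injected for a Service at 10.0.0.1:443.
SAMPLE_ENV = {"KUBERNETES_SERVICE_HOST": "10.0.0.1", "KUBERNETES_SERVICE_PORT": "443"}

if __name__ == "__main__":
    cfg = in_cluster_config(sample_service_account_dir(), SAMPLE_ENV)
    req = build_request(cfg, pods_url(cfg))
    print(req.full_url, req.get_header("Authorization"))
```

The point to take from it for the configuration above: the token file is a standing credential for whichever identity the ServiceAccount has, and with authorization left at AlwaysAllow (section 6) any process that can read the mounted directory can do anything the apiserver allows, which is why mounting it should be disabled for Pods that never talk to the apiserver.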
  4. Configuration for kube-apiserver accessing etcd over TLS as a client; this corresponds to the blue lines in the diagram.

    • kube-apiserver

      ```
      --etcd-cafile=/var/run/etcd/etcd-ca.crt
      --etcd-certfile=/var/run/etcd/apiserver-etcd.crt
      --etcd-keyfile=/var/run/etcd/apiserver-etcd.key
      ```

    • etcd

      ```
      --client-cert-auth
      --trusted-ca-file=/etc/ssl/etcd/etcd-ca.crt
      --cert-file=/etc/ssl/etcd/server.crt
      --key-file=/etc/ssl/etcd/server.key
      ```
  5. apiserver Authentication config:

    • kube-apiserver
      The following three flags enable, respectively, x509 client certificates, static tokens and static passwords as authentication methods on the apiserver.

      ```
      --client-ca-file=/var/run/kubernetes/dd_ca.crt
      --token-auth-file=SOMEFILE
      --basic-auth-file=SOMEFILE
      ```

      The format of the file given to --token-auth-file is:

      ```
      token1,user1,uid1,"group1,group2,group3"
      token2,user2,uid2,"group1,group2"
      ```

      The format of the file given to --basic-auth-file is:

      ```
      password1,user1,uid1,"group1,group2,group3"
      password2,user2,uid2,"group1,group2,group3"
      ```
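Both files are plain CSV with the same layout (secret, user name, uid, and an optional fourth column holding the comma-separated groups, which must be double-quoted), and the apiserver loads them exactly as shown: at least three columns, groups split from column four, and a later row with the same secret silently replacing an earlier one. The block below is an added example, not the apiserver's loader or code from the post; it parses such a file with Python's csv module and reports the things worth checking before deploying one: duplicate secrets, group lists left unquoted (which become extra columns and lose all but the first group), and static entries in `system:masters`, which default RBAC binds to cluster-admin. The sample file content and its third row are constructed; the minimum secret length is a local policy assumed here, not an apiserver rule.

```python
"""Added example (not from the post): parse and review --token-auth-file /
--basic-auth-file contents. Both share one CSV layout, so one parser serves both."""
import csv
import io
from dataclasses import dataclass, field

MIN_SECRET_LEN = 16  # local hygiene policy assumed for this example, not enforced by the apiserver


@dataclass
class StaticUser:
    name: str
    uid: str
    groups: list = field(default_factory=list)


def parse_static_auth_file(text):
    """Return ({secret: StaticUser}, [findings]).

    Mirrors the apiserver's loader: at least three columns, groups taken from
    column four and split on commas, duplicate secrets overwrite earlier rows.
    """
    users, findings = {}, []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # blank line
        if len(row) < 3:
            findings.append(f"line {lineno}: needs at least 3 columns (secret, user, uid), found {len(row)}")
            continue
        secret, name, uid = (c.strip() for c in row[:3])
        # The quoted fourth column is one CSV field; the apiserver splits it on commas itself.
        groups = [g.strip() for g in row[3].split(",") if g.strip()] if len(row) >= 4 else []
        if len(row) > 4:
            findings.append(f"line {lineno}: {len(row) - 4} extra column(s); an unquoted group list "
                            f"keeps only '{row[3]}' as a group")
        if len(secret) < MIN_SECRET_LEN:
            findings.append(f"line {lineno}: secret for '{name}' is shorter than {MIN_SECRET_LEN} characters")
        if secret in users:
            findings.append(f"line {lineno}: duplicate secret, earlier row for user "
                            f"'{users[secret].name}' is overridden")
        if "system:masters" in groups:
            findings.append(f"line {lineno}: user '{name}' is in system:masters, a static "
                            f"credential with cluster-admin rights")
        users[secret] = StaticUser(name, uid, groups)
    return users, findings


# Constructed sample in the format shown above (secrets are placeholders, third row added
# to trigger the duplicate and system:masters findings).
SAMPLE_TOKEN_FILE = '''token1,user1,uid1,"group1,group2,group3"
token2,user2,uid2,"group1,group2"
token2,admin,uid3,"system:masters"
token3,user3,uid3,group1,group2
'''

if __name__ == "__main__":
    users, findings = parse_static_auth_file(SAMPLE_TOKEN_FILE)
    for secret, u in users.items():
        print(secret, u)
    for f in findings:
        print("finding:", f)
```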
  6. apiserver Authorization config:

    • kube-apiserver
      In our current environment we use the default value, AlwaysAllow; if needed, we will consider enabling RBAC later.

      ```
      --authorization-mode=AlwaysAllow
      ```
  7. apiserver Admission Control config:

    • kube-apiserver
      Following the official recommendation, the configuration for v1.6+ is:

      ```
      --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
      ```
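Sections 5 to 7 are all kube-apiserver flags, and the security posture they describe can be read off the flag list mechanically. The block below is an added example, not code from the post: it parses a flag list in the layout used above (one `--flag=value` per line, a comma-separated value allowed to wrap over several lines) into a dict and audits the authentication, authorization, admission and kubelet-client settings, reporting only what the flags themselves imply. `SAMPLE_FLAGS` is built from the flags shown in sections 5 to 7; `HARDENED_FLAGS` is a constructed counterpart with static credentials dropped, RBAC enabled and the kubelet CA from section 2 added, and the file paths in both are the post's placeholders.

```python
"""Added example (not from the post): parse a kube-apiserver flag list and audit its
authentication, authorization and admission settings."""


def parse_flags(text):
    """Parse '--flag=value' lines into a dict. A bare '--flag' is recorded as 'true'; a line
    that does not start with '--' continues the previous value, so comma lists wrapped over
    several lines (as the admission-control example above is) are joined back together."""
    flags, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("--"):
            name, has_value, value = line[2:].partition("=")
            flags[name] = value if has_value else "true"
            last = name
        elif last is not None:
            sep = "" if flags[last].endswith(",") or line.startswith(",") else ","
            flags[last] = flags[last] + sep + line
    return flags


def audit_apiserver_flags(flags):
    """Return findings about the access-control posture the flags describe."""
    findings = []
    modes = flags.get("authorization-mode", "AlwaysAllow").split(",")
    if "AlwaysAllow" in modes:
        findings.append("authorization-mode includes AlwaysAllow: every authenticated request "
                        "is permitted regardless of identity")
    if "basic-auth-file" in flags:
        findings.append("basic-auth-file: static passwords in a plaintext file "
                        "(removed from the apiserver in Kubernetes 1.19)")
    if "token-auth-file" in flags:
        findings.append("token-auth-file: static tokens cannot be revoked without editing the "
                        "file and restarting the apiserver")
    if "client-ca-file" not in flags:
        findings.append("no client-ca-file: x509 client certificates are not accepted, so the "
                        "component kubeconfigs above would fail to authenticate")
    admission_value = flags.get("admission-control") or flags.get("enable-admission-plugins", "")
    admission = [p.strip() for p in admission_value.split(",") if p.strip()]
    for required in ("NamespaceLifecycle", "ServiceAccount"):
        if required not in admission:
            findings.append(f"admission-control lacks {required}")
    if "kubelet-certificate-authority" not in flags:
        findings.append("no kubelet-certificate-authority: the apiserver does not verify the "
                        "kubelet serving certificate")
    if flags.get("etcd-servers", "").startswith("https") and "etcd-cafile" not in flags:
        findings.append("etcd-servers uses https but no etcd-cafile is set")
    return findings


# Constructed from the flag lists in sections 5-7 above (SOMEFILE is the post's placeholder).
SAMPLE_FLAGS = """
--client-ca-file=/var/run/kubernetes/dd_ca.crt
--token-auth-file=SOMEFILE
--basic-auth-file=SOMEFILE
--authorization-mode=AlwaysAllow
--admission-control=NamespaceLifecycle,
LimitRanger,
ServiceAccount,
PersistentVolumeLabel,
DefaultStorageClass,
ResourceQuota,
DefaultTolerationSeconds
"""

# Constructed counterpart: static credentials removed, RBAC on, kubelet CA from section 2 added.
HARDENED_FLAGS = """
--client-ca-file=/var/run/kubernetes/dd_ca.crt
--authorization-mode=RBAC
--kubelet-certificate-authority=/var/run/kubelet/kubelet-ca.crt
--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
"""

if __name__ == "__main__":
    for label, text in (("current", SAMPLE_FLAGS), ("hardened", HARDENED_FLAGS)):
        print(label, audit_apiserver_flags(parse_flags(text)) or ["ok"])
```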

