Kubernetes Cluster Security Configuration
Posted by WaltonWang
For more in-depth articles on Kubernetes, see my blog homepage on CSDN or OSChina.

Over the past two days I have been going through the security configuration of a Kubernetes cluster. It touches the settings of every component, so I decided to draw a diagram to lay it all out, which should make it clearer.

The configuration covers the following:

When the other components act as clients of kube-apiserver, their configuration corresponds to the black lines in the diagram:
kube-apiserver

```
--secure-port=443 --client-ca-file=/var/run/kubernetes/dd_ca.crt --tls-private-key-file=/var/run/kubernetes/dd_server.key
```

`--client-ca-file` names the CA that every client certificate must chain to; `--tls-private-key-file` is the key of the apiserver's own serving certificate, which is passed alongside it with `--tls-cert-file`.
kube-controller-manager

```
--kubeconfig=/etc/kubernetes/cmkubeconfig
```

/etc/kubernetes/cmkubeconfig:

```yaml
apiVersion: v1
kind: Config
users:
- name: controllermanager
  user:
    client-certificate: /var/run/kubernetes/dd_cs_client.crt
    client-key: /var/run/kubernetes/dd_cs_client.key
clusters:
- name: local
  cluster:
    certificate-authority: /var/run/kubernetes/dd_ca.crt
contexts:
- context:
    cluster: local
    user: controllermanager
  name: my-context
current-context: my-context
```

The `cluster` entry also needs a `server:` URL pointing at the apiserver's secure port, which these fragments leave out.
kube-scheduler

kube-scheduler's secure configuration for reaching the apiserver is the same as kube-controller-manager's.

kubelet

```
--kubeconfig=/var/lib/kubelet/kubeconfig
```

/var/lib/kubelet/kubeconfig:

```yaml
apiVersion: v1
kind: Config
users:
- name: kubelet
  user:
    client-certificate: /home/dd_kubelet_client.crt
    client-key: /home/dd_kubelet_client.key
clusters:
- name: local
  cluster:
    certificate-authority: /home/dd_ca.crt
contexts:
- context:
    cluster: local
    user: kubelet
  name: my-context
current-context: my-context
```
kube-proxy

```
--kubeconfig=/var/lib/kubeproxy/proxykubeconfig
```

/var/lib/kubeproxy/proxykubeconfig:

```yaml
apiVersion: v1
kind: Config
users:
- name: kubeproxy
  user:
    client-certificate: /home/dd_kubelet_client.crt
    client-key: /home/dd_kubelet_client.key
clusters:
- name: local
  cluster:
    certificate-authority: /home/dd_ca.crt
contexts:
- context:
    cluster: local
    user: kubeproxy
  name: my-context
current-context: my-context
```

Note that kube-proxy reuses the kubelet's client certificate here, so the apiserver sees both components as the same identity (the certificate's CN). That is harmless under AlwaysAllow, but once RBAC or the Node authorizer is enabled each component should present its own certificate so that it can be granted only its own permissions.
When kube-apiserver acts as a client of the kubelet's server, the configuration corresponds to the green lines in the diagram:

kube-apiserver

```
--kubelet-https --kubelet-certificate-authority=/var/run/kubelet/kubelet-ca.crt --kubelet-client-certificate=/var/run/kubelet/apiserver-kubelet.crt --kubelet-client-key=/var/run/kubelet/apiserver-kubelet.key
```

kubelet

```
--client-ca-file=/var/run/kubelet/kubelet_ca.crt --tls-private-key-file=/var/run/kubelet/server.key --tls-cert-file=/var/run/kubelet/server.crt
```

This is the same pattern in the other direction: the kubelet serves its own certificate and verifies the apiserver's client certificate against `--client-ca-file`. On its own, `--client-ca-file` only lets the kubelet authenticate callers that present a certificate; to turn away everyone else it also needs `--anonymous-auth=false`, and `--authorization-mode=Webhook` so that the apiserver authorizes each request (the kubelet's own default is AlwaysAllow).
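The client-certificate path above (kube-controller-manager, kube-scheduler, kubelet and kube-proxy towards the apiserver, and the apiserver towards the kubelet) is the same mutual-TLS exchange each time. The following Go program is an added example, not code from the post: it issues a throwaway CA, a server certificate and a client certificate in memory (standing in for the dd_ca.crt / dd_cs_client.crt files, whose contents the post does not show), then runs one handshake over loopback in which the server requires a CA-signed client certificate, the way `--client-ca-file` does, and reports the user name the server derives from the client certificate's CN. All certificate names in it are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// identity is a certificate with its private key: one .crt/.key pair from the post.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue signs a certificate with parent (a self-signed CA when parent is nil).
// kube-apiserver takes the user name from CN and the group names from O.
func issue(cn string, orgs []string, isCA bool, parent *identity) *identity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn, Organization: orgs},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // CertSign only matters on the CA
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              []string{"localhost"}, // lets the server certificate verify over loopback
	}
	if parent == nil {
		parent = &identity{cert: tmpl, key: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key))
	return &identity{cert: must(x509.ParseCertificate(der)), key: key}
}

// handshake runs one mutual-TLS handshake over loopback. The server side is what
// --tls-cert-file/--tls-private-key-file plus --client-ca-file express; the client
// side is the kubeconfig's certificate-authority plus client-certificate/client-key
// (nil client: no certificate). It returns the user name derived from the client cert.
func handshake(ca, server, client *identity) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	srv := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{server.cert.Raw}, PrivateKey: server.key}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // reject callers without a CA-signed client cert
		ClientCAs:    pool,
	}
	cli := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	if client != nil {
		cli.Certificates = []tls.Certificate{{Certificate: [][]byte{client.cert.Raw}, PrivateKey: client.key}}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var user string
	errc := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			conn := raw.(*tls.Conn)
			conn.SetDeadline(time.Now().Add(5 * time.Second))
			if err = conn.Handshake(); err == nil {
				user = conn.ConnectionState().PeerCertificates[0].Subject.CommonName
			}
			conn.Close()
		}
		errc <- err
	}()
	if conn, err := tls.Dial("tcp", ln.Addr().String(), cli); err == nil {
		conn.Close()
	} else {
		ln.Close() // unblock Accept if the TCP connection itself failed
	}
	if err := <-errc; err != nil {
		return "", err
	}
	return user, nil
}

func main() {
	ca := issue("kubernetes-ca", nil, true, nil)
	apiserver := issue("kube-apiserver", nil, false, ca)
	fmt.Println(handshake(ca, apiserver, issue("controllermanager", nil, false, ca)))
	fmt.Println(handshake(ca, apiserver, nil))
}
```

Running it prints the accepted identity `controllermanager` for the valid certificate and a `tls:` handshake error for the client that presents none; a client certificate issued by a second CA fails the same way, which is exactly the check that breaks when a component is pointed at the wrong `certificate-authority`.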
A Pod reaches kube-apiserver with a token provided through a ServiceAccount; the configuration involved corresponds to the pink lines in the diagram.

- Pod.Spec

Every namespace has a `default` ServiceAccount. If Pod.Spec.serviceAccountName is not set, the `default` ServiceAccount is used. In the configuration shown in the diagram the Pod is given a custom ServiceAccount, Pod.Spec.serviceAccountName: build-rebot, and automountServiceAccountToken: true means that the token, ca.crt and namespace from that ServiceAccount's Secret are mounted into every container of the Pod at the following paths (the ServiceAccount admission plugin makes sure the Secret volume is mounted):

```
/var/run/secrets/kubernetes.io/serviceaccount/token
/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
/var/run/secrets/kubernetes.io/serviceaccount/namespace
```
kube-controller-manager

```
--root-ca-file=/var/run/kubernetes/dd_ca.crt --service-account-private-key-file=/var/run/kubernetes/dd_server.key
```

`--root-ca-file` is what ends up as ca.crt in each ServiceAccount Secret, so Pods trust the apiserver's serving certificate; `--service-account-private-key-file` signs the tokens. kube-apiserver verifies them with `--service-account-key-file`, which defaults to its `--tls-private-key-file`, which is why the same dd_server.key appears on both sides here.
With that, the application in the Pod can reach the apiserver in either of two ways:

- add a kubectl proxy container (see the kubectl-container example)
- use the Go client library and create a client with the rest.InClusterConfig() and kubernetes.NewForConfig() functions, which handle locating and authenticating to the apiserver (example)
The configuration for kube-apiserver acting as a client of etcd over TLS corresponds to the blue lines in the diagram.

kube-apiserver

```
--etcd-cafile=/var/run/etcd/etcd-ca.crt --etcd-certfile=/var/run/etcd/apiserver-etcd.crt --etcd-keyfile=/var/run/etcd/apiserver-etcd.key
```

etcd

```
--client-cert-auth --trusted-ca-file=/etc/ssl/etcd/etcd-ca.crt --cert-file=/etc/ssl/etcd/server.crt --key-file=/etc/ssl/etcd/server.key
```

With `--client-cert-auth` etcd rejects any client whose certificate does not chain to `--trusted-ca-file`. This matters because etcd holds every Secret in the cluster, in clear text unless encryption at rest is configured, so anyone who can talk to etcd directly owns the cluster regardless of what the apiserver enforces.
Authentication config for the apiserver:

kube-apiserver

The following three flags enable the x509 client certificate, static token and static password (basic auth) authenticators respectively:

```
--client-ca-file=/var/run/kubernetes/dd_ca.crt --token-auth-file=SOMEFILE --basic-auth-file=SOMEFILE
```

The token-auth-file has the following format (one record per line, the group list as a single double-quoted field):

```
token1,user1,uid1,"group1,group2,group3"
token2,user2,uid2,"group1,group2"
```

The basic-auth-file has the same layout with the password in the first column:

```
password1,user1,uid1,"group1,group2,group3"
password2,user2,uid2,"group1,group2,group3"
```

Both files store their secrets in clear text and are read once at apiserver start, so rotating an entry means restarting the apiserver; `--basic-auth-file` was deprecated in Kubernetes 1.16 and removed in 1.19. Client certificates are the only one of the three that does not leave a reusable secret on the apiserver's disk.
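Parsing and checking these files is worth doing before trusting them. The Go program below is an added example, not the apiserver's own authenticator: it parses the CSV format above (the group column is an optional, quoted, comma-separated field), pulls the token out of an Authorization header, and matches it in constant time. The sample file is constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"encoding/csv"
	"fmt"
	"strings"
)

// StaticUser is one record of --token-auth-file (or --basic-auth-file, where the
// first column is the password): secret,user,uid[,"group1,group2,..."]
type StaticUser struct {
	Secret string // clear text on disk: anyone who can read the file can impersonate the user
	Name   string
	UID    string
	Groups []string
}

// ParseStaticAuthFile parses the CSV format shown above. The group column is
// optional; when present it is one quoted field holding a comma-separated list.
func ParseStaticAuthFile(src string) ([]StaticUser, error) {
	r := csv.NewReader(strings.NewReader(src))
	r.FieldsPerRecord = -1 // three or four columns per line
	r.TrimLeadingSpace = true
	records, err := r.ReadAll()
	if err != nil {
		return nil, err
	}
	var users []StaticUser
	for i, rec := range records {
		if len(rec) < 3 {
			return nil, fmt.Errorf("line %d: need at least secret,user,uid", i+1)
		}
		u := StaticUser{Secret: rec[0], Name: rec[1], UID: rec[2]}
		if len(rec) > 3 && rec[3] != "" {
			for _, g := range strings.Split(rec[3], ",") {
				u.Groups = append(u.Groups, strings.TrimSpace(g))
			}
		}
		users = append(users, u)
	}
	return users, nil
}

// BearerToken extracts the token from an "Authorization: Bearer <token>" header value.
func BearerToken(authorization string) (string, bool) {
	parts := strings.Fields(authorization)
	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") {
		return "", false
	}
	return parts[1], true
}

// Authenticate maps a presented secret to its user, comparing in constant time so
// a mismatch does not leak how many leading bytes matched.
func Authenticate(users []StaticUser, presented string) (StaticUser, bool) {
	var match StaticUser
	found := false
	for _, u := range users {
		if subtle.ConstantTimeCompare([]byte(u.Secret), []byte(presented)) == 1 {
			match, found = u, true
		}
	}
	return match, found
}

// sampleTokenFile is a constructed file in the format from the post (straight quotes).
const sampleTokenFile = `token1,user1,uid1,"group1,group2,group3"
token2,user2,uid2,"group1,group2"
token3,user3,uid3
`

func main() {
	users, err := ParseStaticAuthFile(sampleTokenFile)
	if err != nil {
		panic(err)
	}
	if tok, ok := BearerToken("Bearer token1"); ok {
		u, ok := Authenticate(users, tok)
		fmt.Println(u.Name, u.UID, u.Groups, ok)
	}
	_, ok := Authenticate(users, "token9")
	fmt.Println("unknown token accepted:", ok)
}
```

The quotes around the group list must be plain ASCII double quotes; the curly quotes that appear in some renderings of the format are not accepted by a CSV parser and silently split the groups into extra columns.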
Authorization config for the apiserver:

kube-apiserver

In our environment we currently use the default, AlwaysAllow; if needed we will consider enabling RBAC later.

```
--authorization-mode=AlwaysAllow
```

Note that with AlwaysAllow the authentication set up above only identifies callers and restricts nothing: every Pod's ServiceAccount token, every component certificate and every static token is effectively a cluster-admin credential, and because anonymous requests are enabled on the secure port by default (`--anonymous-auth=true`), so is no credential at all.
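As an added illustration, not part of the original post: the weak setting next to the RBAC alternative the author is considering. With RBAC enabled a ServiceAccount gets only what a RoleBinding grants it. The namespace `ci` and the read-only pod access below are assumptions for the example; on Kubernetes 1.6 and 1.7 the RBAC API group is still `rbac.authorization.k8s.io/v1beta1`.

```yaml
# Setting from the post: every request that reaches the secure port is authorized,
# whoever (or nobody) it comes from.
#   --authorization-mode=AlwaysAllow
#
# Hardened: let RBAC decide, and grant each identity only what it needs.
#   --authorization-mode=RBAC
#
# Minimal grant for the Pod's ServiceAccount from the post (namespace "ci" and
# the read-only pod access are assumptions for this example).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-rebot
  namespace: ci
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: ci
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: build-rebot-pod-reader
  namespace: ci
subjects:
- kind: ServiceAccount
  name: build-rebot
  namespace: ci
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

After applying it, `kubectl auth can-i get pods -n ci --as=system:serviceaccount:ci:build-rebot` should answer yes, while the same question for `delete`, or for another namespace, should answer no; under AlwaysAllow every such question answers yes.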
Admission control config for the apiserver:

kube-apiserver

Using the officially recommended set, which for v1.6+ is:

```
--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
```

The list is comma-separated without spaces. From 1.10 on, `--admission-control` is replaced by `--enable-admission-plugins`, for which the order no longer matters. The ServiceAccount plugin is the one the Pod section above depends on: it mounts the token volume and rejects Pods that reference a ServiceAccount that does not exist.