[toc]
kubernetes 操作记录四
kubernetes认证及Service Account
在master服务器上启动 proxy 并监听至8080
# kubectl proxy --port=8080 & # curl http://localhost:8080/api/v1/namespaces
仅有权限获取当前Pod自身的相关信息
# kubectl get secret -n ingress-nginx NAME TYPE DATA AGE default-token-t54dl kubernetes.io/service-account-token 3 5d23h nginx-ingress-serviceaccount-token-5dwv4 kubernetes.io/service-account-token 3 5d23h
生成yaml框架,快速编写清单
# kubectl create serviceaccount mysa -o yaml --dry-run apiVersion: v1 kind: ServiceAccount metadata: creationTimestamp: null name: mysa # kubectl get pods myapp-deploy-675558bfc5-2rfrs -o yaml --export
# kubectl create serviceaccount admin # kubectl describe sa admin Name: admin Namespace: default Labels: <none> Annotations: <none> Image pull secrets: <none> Mountable secrets: admin-token-hxqqf Tokens: admin-token-hxqqf Events: <none> # kubectl get secret NAME TYPE DATA AGE admin-token-hxqqf kubernetes.io/service-account-token 3 66s default-token-2sgn5 kubernetes.io/service-account-token 3 26d mysql-root-password Opaque 1 45h tomcat-ingress-secret kubernetes.io/tls 2 5d22h
# vim pod-sa-demo.yaml apiVersion: v1 kind: Pod metadata: name: pod-sa-demo namespace: default labels: app: myapp tier: frontend annotations: ssjinyao.com/create-by: "cluster admin" spec: containers: - name: myapp image: ikubernetes/myapp:v1 ports: - name: http containerPort: 80 serviceAccountName: admin # kubectl apply -f pod-sa-demo.yaml # kubectl describe pods pod-sa-demo | grep 'SecretName' SecretName: admin-token-hxqqf
kubernetes 集群有两类认证时的用户账号
useraccount,我们称之为用户账号,通常定义的是人使用的账号
servicecacount, 服务账号,指pod中应用的应用程序运行在kubernetes ,想访问apiserver时用的认证信息,包括用户名密码等等;
# kubectl config view apiVersion: v1 clusters: - cluster: certificate-authority-data: DATA+OMITTED server: https://10.1.87.80:6443 name: kubernetes contexts: - context: cluster: kubernetes user: kubernetes-admin name: kubernetes-admin@kubernetes current-context: kubernetes-admin@kubernetes kind: Config preferences: {} users: - name: kubernetes-admin user: client-certificate-data: REDACTED client-key-data: REDACTED
/etc/kubernetes/pki # (umask 077; openssl genrsa -out ssjinyao.key 2048) # openssl req -new -key ssjinyao.key -out ssjinyao.csr -subj "/CN=ssjinyao" # openssl x509 -req -in ssjinyao.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out ssjinyao.crt -days 36500 Signature ok subject=/CN=ssjinyao Getting CA Private Key # openssl x509 -in ssjinyao.crt -text -noout Certificate: Data: Version: 1 (0x0) Serial Number: f3:fe:ff:e5:0e:0b:37:e2 Signature Algorithm: sha256WithRSAEncryption Issuer: CN=kubernetes Validity Not Before: May 22 07:57:01 2019 GMT Not After : Apr 28 07:57:01 2119 GMT Subject: CN=ssjinyao Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit)
接下来把用户账号信息添加到连接kubernetes 的配置信息
# kubectl config set-credentials ssjinyao --client-certificate=./ssjinyao.crt --client-key=./ssjinyao.key --embed-certs=true User "ssjinyao" set. # kubectl config view apiVersion: v1 clusters: - cluster: certificate-authority-data: DATA+OMITTED server: https://10.1.87.80:6443 name: kubernetes contexts: - context: cluster: kubernetes user: kubernetes-admin name: kubernetes-admin@kubernetes current-context: kubernetes-admin@kubernetes kind: Config preferences: {} users: - name: kubernetes-admin user: client-certificate-data: REDACTED client-key-data: REDACTED - name: ssjinyao user: client-certificate: /etc/kubernetes/pki/ssjinyao.crt client-key: /etc/kubernetes/pki/ssjinyao.key # kubectl config set-context ssjinyao@kubernetes --cluster=kueberntes --user=ssjinyao Context "ssjinyao@kubernetes" created. # kubectl config view apiVersion: v1 clusters: - cluster: certificate-authority-data: DATA+OMITTED server: https://10.1.87.80:6443 name: kubernetes contexts: - context: cluster: kubernetes user: kubernetes-admin name: kubernetes-admin@kubernetes - context: cluster: kueberntes user: ssjinyao name: ssjinyao@kubernetes current-context: kubernetes-admin@kubernetes kind: Config preferences: {} users: - name: kubernetes-admin user: client-certificate-data: REDACTED client-key-data: REDACTED - name: ssjinyao user: client-certificate: /etc/kubernetes/pki/ssjinyao.crt client-key: /etc/kubernetes/pki/ssjinyao.key
这时候多了一个context, 可切换用户
# kubectl config use-context ssjinyao@kubernetes Switched to context "ssjinyao@kubernetes".
# kubectl config set-cluster mycluster --kubeconfig=/tmp/test.conf --server="https://10.1.87.80:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true Cluster "mycluster" set. # kubectl config view --kubeconfig=/tmp/test.conf apiVersion: v1 clusters: - cluster: certificate-authority-data: DATA+OMITTED server: https://10.1.87.80:6443 name: mycluster contexts: [] current-context: "" kind: Config preferences: {} users: []
RBAC
授权插件: Node, ABAC,RBAC,Webhook(基于http的回调来实现)
RBAC: Role-based AC
角色 (role)
许可 (permission)
role: operations,objects
rolebinding: user account OR service account , role
clusterrole: clusterrolebinding
操作: GET HEAD PUT PUST PATCH DELETE
role binding定义
# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > role-demo.yaml # vim role-demo.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: creationTimestamp: null name: pods-reader namespace: default rules: - apiGroups: - "" resources: - pods verbs: - get - list - watch # kubectl apply -f role-demo.yaml # kubectl describe role pods-reader Name: pods-reader Labels: <none> Annotations: kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"creationTimestamp":null,"name":"pods-reader","nam... PolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- pods [] [] [get list watch] # kubectl create rolebinding ssjinyao-read-pods --role=pods-reader --user=ssjinyao --dry-run -o yaml > rolebinding-demo.yaml # vim rolebinding-demo.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: creationTimestamp: null name: ssjinyao-read-pods roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: pods-reader subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: ssjinyao
clusterrole binding 定义
# useradd ik8s # cp -a .kube/ /home/ik8s/ # chown -R ik8s.ik8s /home/ik8s/ #
# kubectl config use-context kubernetes-admin@kubernetes # kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods -o yaml --dry-run > clusterrole-demo.yaml # vim clusterrole-demo.yaml kind: ClusterRole metadata: name: cluster-reader rules: - apiGroups: - "" resources: - pods verbs: - get - list - watch # kubectl apply -f clusterrole-demo.yaml clusterrole.rbac.authorization.k8s.io/cluster-reader created # kubectl create clusterrolebinding ssjinyao-read-all-pods --clusterrole=cluster-reader --user=ssjinyao --dry-run -o yaml > clusterrolebind-demo.yaml
cluster-role 被 rolebinding 会使的cluster 被降级
# kubectl create rolebinding ssjinyao-read-pods --clusterrole=cluster-reader --user=ssjinayo --dry-run -o yaml > rolebinding-clusterrole-demo.yaml
查看系统默认的授权
引用授权
# kubectl get clusterrole admin -o yaml # kubectl create rolebinding default-ns-admin --clusterrole=admin --user=ssjinyao rolebinding.rbac.authorization.k8s.io/default-ns-admin created
dashboard 及认证分级授权
部署 dashboard
# kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
部署时下载镜像出错
# kubectl describe pods -n kube-system kubernetes-dashboard-5f7b999d65-jpmhs Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal Scheduled 113s default-scheduler Successfully assigned kube-system/kubernetes-dashboard-5f7b999d65-jpmhs to node01 Warning Failed 53s (x3 over 105s) kubelet, node01 Failed to pull image "k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1": rpc error: code = Unknown desc = Error response from daemon: Get https://k8s.gcr.io/v2/: dial tcp 74.125.203.82:443: connect: connection timed out Warning Failed 53s (x3 over 105s) kubelet, node01 Error: ErrImagePull Normal BackOff 15s (x5 over 105s) kubelet, node01 Back-off pulling image "k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1" Warning Failed 15s (x5 over 105s) kubelet, node01 Error: ImagePullBackOff Normal Pulling 2s (x4 over 112s) kubelet, 01 Pulling image "k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1"
用手动下载的方法进行解决
# vim docker_install_dashboard.sh #!/bin/sh docker pull mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1 docker tag mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1 docker rmi mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1 # sh docker_install_dashboard.sh
然后再执行以下部署清单
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml # kubectl get pods -n kube-system | grep dash kubernetes-dashboard-5f7b999d65-fcb28 1/1 Running 0 71s
可以看到kubernetes-dashbroad 已经运行
默认服务暴露为ClusterIP类型的,我们需要将其改为NodePort 类型
# kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system # kubectl get svc -n kube-system \NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 27d kubernetes-dashboard NodePort 10.109.190.204 <none> 443:31984/TCP 3m41s
这个时候可以看到登录界面
使用用token实现认证登录
这里登录需要的是serviceaccount用户, 所以这里创建 serviceaccount
# kubectl create serviceaccount dashboard-admin -n kube-system serviceaccount/dashboard-admin created # kubectl get sa -n kube-system | grep dash dashboard-admin 1 6m33s
serviceaccount 创建好后, 需要将serviceaccount绑定cluster这个角色上
# kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin clusterrolebinding.rbac.authorization.k8s.io/dashboard-cluster-admin created # kubectl get secret -n kube-system | grep dash dashboard-admin-token-grj84 kubernetes.io/service-account-token 3 5m46s
绑定好 cluster 后, 查看token信息,并拿token进行登录
# kubectl describe secret -n kube-system dashboard-admin-token-grj84
登录后,可以看到整个kubernetes集群的概况
建立专用dashborad用户
# cd /etc/kubernetes/pki/ # (umask 077; openssl genrsa -out dashboard.key 2048) # openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=ssjinyao/CN=dashboard" # openssl x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 3650 Signature ok subject=/O=ssjinyao/CN=dashboard Getting CA Private Key # kubectl create secret generic dashboard-cert -n kube-system --from-file=dashboard.crt=./dashboard.crt --from-file=dashboard.key=./dashboard.key secret/dashboard-cert created
# kubectl create serviceaccount def-ns-admin -n default serviceaccount/def-ns-admin created
role binding 到 default 名称空间,只允许访问default 名称空间
# kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin rolebinding.rbac.authorization.k8s.io/def-ns-admin created # kubectl describe secret admin-token-hxqqf # 查看 token信息登录
接下来配置kube config 文件认证
# kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server="https://10.1.87.80:6443" --embed-certs=true --kubeconfig=/root/def-ns-admin.conf Cluster "kubernetes" set. # kubectl config view --kubeconfig=/root/def-ns-admin.conf apiVersion: v1 clusters: - cluster: certificate-authority-data: DATA+OMITTED server: https://10.1.87.80:6443 name: kubernetes contexts: [] current-context: "" kind: Config preferences: {} users: []
# CLUSTER_ADMIN_TOKEN=$(kubectl get secret -n kube-system dashboard-admin-token-grj84 -o jsonpath={.data.token} | base64 -d ) # kubectl config set-credentials dashboard-cluster-admin --token=$CLUSTER_ADMIN_TOKEN --kubeconfig=/root/def-ns-admin.conf User "dashboard-cluster-admin" set. # kubectl config set-context dashboard-cluster-admin@kubernetes --cluster=kubernetes --user=dashboard-cluster-admin --kubeconfig=/root/def-ns-admin.conf # kubectl config use-context dashboard-cluster-admin@kubernetes --kubeconfig=/root/def-ns-admin.conf
将生成的conf文件远程复制到桌面上
ssjinyao ➤ scp root@10.1.87.80:/root/def-ns-admin.conf ~/Desktop
此时使用可以用 kubeconfig 来登录dashboard 了
 - 芊芊细语&pics=/images/favicon/k8s-logo.png&summary=){kind=logo}
 - 芊芊细语&pics=/images/favicon/k8s-logo.png&summary=){kind=logo}
 - 芊芊细语&pics=/images/favicon/k8s-logo.png&summary=){kind=logo}