53. Kubernetes - Security: Authentication
Published: 2023-01-09 21:30:04  Editor: 雪饮
Step 1
First, we need to know about the configuration file of our k8s, the kubeconfig file.
kubeconfig
The kubeconfig file contains cluster parameters (CA certificate, API Server address), client parameters (the certificate and private key generated above), and cluster context information (cluster name, user name). By specifying a different kubeconfig file at startup, Kubernetes components can switch to a different cluster.
Viewing that kubeconfig file:
[root@k8s-master01 ~]# cat /root/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5REND QWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201 bGRHVnpNQjRYRFRJeU1USXhNekUwTWpZME5Wb1hEVE15TVRJeE1ERTBNalkwTlZvd0ZURVRNQkVHQTFV RQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dn RUJBTjFECktWNllDQTdhTUd6TzJiK1VJTEd0UndGSWtoL282RE5FWGNRazJBV2NzemY2bnJOR0I0amVP TnpXc0lraFFvUHcKODVYNFk0WGRmMHNvYmRXUUVBbU1Qc1ZrdG1sZDhPUGZNbDlzRlA2eHZ2SCt2VE5X VTVjZXJObmxUWkRtMjIwMApPQnYyWWttOG9KU2p3MXJUQ3RBVi92QlBDVWVzcGRRcEt5Tm1oaG9ua1lI MW0ydEVPVjBWZGowSHBsa3pvbWZZCll3Tk5SOGoyeDJGTXNJblQ2Qkk1cWxLZW9BcmZFQm1GOTZudG0r NFJWbnp1cm52Uk1sSjJiemJSR24rUHBjWUIKZENXazl1dmNkMmlPbWlYVkNmRGFGWEc0WTJTbENkV252 bzNLb2kweWhMZ0cvQnQ5V1J3R3NGc3oybVU4Y1BaOQpmWGxJZ1ZrY0RrMm8xMk5QSkkwQ0F3RUFBYU1q TUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZj TkFRRUxCUUFEZ2dFQkFMcmpkRGNKNk5oUXdEYnZBeUsrbFJza3FzckQKejFJa0hLeEQyQittbWhnVlRO dHZ6eVJMUG9BdG4zQXdxazJLamN4Zm5yTVgva3VxN1BncUwvQXRVdG1pb1UxegpscUZiM2lLMUZpZENY VnFUaTcxczNNckxlVVl5MzJyM2dlZHZGeUVjSW5oQjBTbmFFQUpnUkJveFZtemVwZThPClcrK0tFd0sy dG9Ed1NQZDg3WS9kK2FDdW02aHpwdHZOMm40bVcvRmR1Q000L2NZT3lQUGpRS0huZUdTQnQ1cnkKSDA2 a1VtNVRDdUtrTnZWUjBGSXA3TUY0L2NRQjhveXJSWHRsdWhmdmdOOWpFZm96VE5kZTNsYWxCRFN5N1M2 RQpESHFYZWJRNExleTNJRzNjc2VQc3VJem9aZGJJd2Z5b3ZqczNWdjhxZ3dleVNsTlY4MXJZR1JMT3J4 OD0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: https://192.168.66.10:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM4akNDQWR xZ0F3SUJBZ0lJTXRLUlgrVUF0eXN3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2E zVmlaWEp1WlhSbGN6QWVGdzB5TWpFeU1UTXhOREkyTkRWYUZ3MHlNekV5TVRNeE5ESTJORFphTURReAp GekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnp MV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTFodC9QdE1 ONjFQcHhLTjQKUG1MZ1hBZHRKMExicFFpaEt3eFp3cXNVVnBsbnAvR0M0M0d1UEY3MkhBelNTczN2ZEp Ua1BxT3AzU0tsaXM1QwphaVZFNGpJZXJOMVhIMldNVTdIdjRaK1QvK2tOa3VJTFJ6MXhQcVRZRG9WblJ JV1FSWGxXcGloZEZpTm1QSmVrCkthWlVPM3JndUVvdHVLKzMrTHBRbm5LSlV2SC9uS3ZnSHVDWEIrTW9 EN1g2SWs2VDBiQlpxSHFJNWMzWXlpZ0EKWVVleGlaRXRML0xnSUlZNVpldzNiSjZNWmlBTHA0ZnRqVUR 4VlBUNlJSRk1HV0MrakpBTVdFMnAxbXZFMlg1QQp5QUp6a3RyeTQxY09CRVJSV0VISUhLNHJvVm0xQjJ Xd2ZCWVMvbkIxNW4vTFRjWkJ3T1FaZkZRUWpOSmlFR1AzClY1Yy8rUUlEQVFBQm95Y3dKVEFPQmdOVkh ROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RRWUpLb1pJaHZjTkFRRUx CUUFEZ2dFQkFKMERPQ1dITVJXMGViOS96ZFZIcVliWHZKSjZ2OGR3MzhvbgpMS1RxZndFMndub0w1TE9 MMkZIVS9mcllJUlRJSUZqak92NG05QThONy9NdmNNUEtYc2psRmxwdStsVldyeElYCnozYmx4d2gxR3B YQlhmNmkzYlhQakVraXFuM29Ga3JvelgveEE2ZGhjRUh6S0VUVDZwRTBoSWVxd3hxY3QxTjAKNDV5ck4 ybjl5VW5mVVozcnRvVFF3QnlPTjM0bGN0V1hLUGI1VU1jdDFnWER0ejVEOGdHYlFEeSt6R21IYUErKwp uUllPUzlQYmwxMHM4QWpKNVpDYVNXc1phNGFiYllDTkpSRmdobThCbXZRQmF0bjlzd0lOWXJRVzNqWXN pdFJHCldSTnVLUUg4UlJOUUpJSGZ0amUxSGtTTWNTa28vNE5TRENyVGtuZTVCL0FxeEVtOFlxMD0KLS0 tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0N BUUVBMWh0L1B0TU42MVBweEtONFBtTGdYQWR0SjBMYnBRaWhLd3had3FzVVZwbG5wL0dDCjQzR3VQRjc ySEF6U1NzM3ZkSlRrUHFPcDNTS2xpczVDYWlWRTRqSWVyTjFYSDJXTVU3SHY0WitULytrTmt1SUwKUno xeFBxVFlEb1ZuUklXUVJYbFdwaWhkRmlObVBKZWtLYVpVTzNyZ3VFb3R1SyszK0xwUW5uS0pVdkgvbkt 2ZwpIdUNYQitNb0Q3WDZJazZUMGJCWnFIcUk1YzNZeWlnQVlVZXhpWkV0TC9MZ0lJWTVaZXczYko2TVp pQUxwNGZ0CmpVRHhWUFQ2UlJGTUdXQytqSkFNV0UycDFtdkUyWDVBeUFKemt0cnk0MWNPQkVSUldFSEl ISzRyb1ZtMUIyV3cKZkJZUy9uQjE1bi9MVGNaQndPUVpmRlFRak5KaUVHUDNWNWMvK1FJREFRQUJBb0l CQUVTZHZWTForcXovVUh5MwpVdExUaDBtWEM3RTRhUUhqMlJyZHMycUN2MXJkZ08yK3BZN1VvTjB5SmJ kcG1IOW1yaVh6alk1Ump4K1NlZkVaCkZ3bkRkZWJ6M3diUlRKbUFScytQeCt2TDQzZHhMZXR6eTkrQjN tZ1FGam5aSVBaQnc3R3dLRWZKeWNOTmh2ZEcKTmRNdlBmRnQrTlMyMlI1R0dqUjVLVnNPSTlwVG83ejc ya1h3NWVqUTRqa2t0ck1IYjJQSjVIZ2NjZkJjMGQzTQpnOUZ3QkY1enBzTjU0bjRQZDBMV3JWSkFLVTR UTE83Y3RpS20vTHY2cHJ0Z083Zjd6eHphTnJUMkREQ2dhOURWClAvbThBbmJYdjl1a2pxQVU1QVR5dXh hemFqUVpxcTBZbld1Q1p3QmlPUXVHRHNSd3pKYy9JdS9jR1pudjlsUWsKbklNeGpIRUNnWUVBMysvS25 BUXpMdk1GR2pxR3VKYlpYSlNYQlV2MkhmcmxZNUhuNzhzdC9uaVZoMERZMUFURgoxQUhreXI0WHV1dTV nSUI3K21ueWY1cjA1SWQ4cmhPalV1RDdrOVBRaUdlUHhOWkRaZk5QVlIySzIzS2M5a0Q2CjltcmgyK08 zbWFqT0JVYk1iMktCVGFmVVlQM1lSbm5zUTZCZm5tSmt2eHpMTDEreXo4WjlxVTBDZ1lFQTlNTnMKQWR 4bkxVbGF4K2ZZcURCeFpVWFZ0eW5KN2V5cWlVeVp6WXlDaG1PUHVmdWZ0WmZyTDlGS0lheFRwOGNQMVR MWgpobVhVdjBpdFRYUjE4d01IRUZIZDdPcjJaUHlxK0xoODN3OS9rZ1Y5cFA3YXpkclJFMVVqOUNieEs vZ2lBREJPCkN5T052bkV0cTc5YmtUckhTM2JIenllbGp2ZEVkN0I1TFFlY08xMENnWUVBcTREcW16SmN RTWkrVDZnakpadmkKUEpWUVZDNHBBQ3ozSVpyTkYwbDBvRCtaeFV4VXc0d2tOb3A4dndsM0F5RWxvTlR HSHJLbGxqVUcrVDhLcmdjOApQbTB3UDdjcExrNmlQUTRiOENpM3lXZ213SXEyeTZKWWtnQ3BtYzU4L3F IWnB4RGg0U3gvK3dsZURpcGJTUjUzClpCT2ZKNTRUcW9wUzBxVm9QTmkzeE1FQ2dZQWVQMlJDbXAwNWt INGloRGxYRjUxNzJYUit6VEJDTWVRbFVZMFUKUk5BQWtaODZhYWtrQk9Fd3FKbVRyYnNzMmNIUUpCZVR yMVBxUzYzM0MzUmtFclMxeEpnN1poSUxDdHFLSUNwMgpXbkQyZDYwK1RheDJraHNTVzR3MDZQY1c2dlF 3dDhkOVF1aUtaMnd3ZEZaNWpSMEI2MnpuNGN0bzdvL01oc2VDCjFCVHZsUUtCZ0ZGSEdnVjQ1WUU2WUg 2WnRYaFlaSDJGQjVhbmlnZk5XTkhveHVOd1FubDhYWXBxcmptdm5aMlAKNThrenNOSWkvNWhLQk5Wcld YOWFRNjFKbzRCNGpWa1JQWDNpWEI1VURqY1E2M1lZVVNqNDRwcmdTa3hjaGRnZgpWdnVHWXNqZThUd2h 1aTJoMDJvRlM0ZVc5TWE4cVdILzVSRzYvL3ZTNjN5VzFFRFJ5M2M1Ci0tLS0tRU5EIFJTQSBQUklWQVR FIEtFWS0tLS0tCg==
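The three parts of the file described above (cluster parameters, client parameters, context wiring) are exactly what a reviewer checks before trusting a kubeconfig. The following is an added example, not code from the original post: it audits a kubeconfig given as the dict that yaml.safe_load() would return for a file like the one above, confirms the CA and client fields hold PEM data, flags insecure-skip-tls-verify and static tokens, and checks that current-context points at a defined cluster and user. The PEM bodies, the second "weak" config and all names in it are constructed placeholders.

```python
"""Audit a kubeconfig for the cluster, client and context pieces it must carry."""
import base64
from urllib.parse import urlparse

# Constructed placeholder PEM bodies (not real certificates or keys).
_FAKE_CERT = "-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
_FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n"


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed: what yaml.safe_load() returns for a kubeconfig shaped like the one above.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1", "kind": "Config",
    "clusters": [{"name": "kubernetes",
                  "cluster": {"certificate-authority-data": _b64(_FAKE_CERT),
                              "server": "https://192.168.66.10:6443"}}],
    "users": [{"name": "kubernetes-admin",
               "user": {"client-certificate-data": _b64(_FAKE_CERT),
                        "client-key-data": _b64(_FAKE_KEY)}}],
    "contexts": [{"name": "kubernetes-admin@kubernetes",
                  "context": {"cluster": "kubernetes", "user": "kubernetes-admin"}}],
    "current-context": "kubernetes-admin@kubernetes",
}

# Constructed: a config with the weaknesses the audit is meant to catch.
WEAK_KUBECONFIG = {
    "apiVersion": "v1", "kind": "Config",
    "clusters": [{"name": "lab", "cluster": {"server": "https://10.0.0.1:6443",
                                              "insecure-skip-tls-verify": True}}],
    "users": [{"name": "ops", "user": {"token": "constructed-static-token"}}],
    "contexts": [{"name": "ops@lab", "context": {"cluster": "lab", "user": "missing-user"}}],
    "current-context": "ops@lab",
}


def pem_label(b64data):
    """Return the PEM label ("CERTIFICATE", "RSA PRIVATE KEY", ...) of a base64 *-data
    field, or None if the field does not decode to a PEM block."""
    try:
        text = base64.b64decode(b64data, validate=True).decode("ascii", "replace")
    except ValueError:  # binascii.Error is a ValueError: bad characters or padding
        return None
    lines = text.strip().splitlines()
    if lines and lines[0].startswith("-----BEGIN ") and lines[0].endswith("-----"):
        return lines[0][len("-----BEGIN "):-len("-----")]
    return None


def audit_kubeconfig(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    clusters = {c["name"]: c.get("cluster", {}) for c in cfg.get("clusters", [])}
    users = {u["name"]: u.get("user", {}) for u in cfg.get("users", [])}
    contexts = {c["name"]: c.get("context", {}) for c in cfg.get("contexts", [])}

    for name, cl in clusters.items():  # cluster parameters: server URL and CA
        if urlparse(cl.get("server", "")).scheme != "https":
            findings.append(f"cluster {name}: server URL is not https")
        if cl.get("insecure-skip-tls-verify"):
            findings.append(f"cluster {name}: insecure-skip-tls-verify is set, "
                            "API server identity is never checked")
        elif "certificate-authority-data" in cl:
            if pem_label(cl["certificate-authority-data"]) != "CERTIFICATE":
                findings.append(f"cluster {name}: certificate-authority-data is not a PEM certificate")
        elif "certificate-authority" not in cl:
            findings.append(f"cluster {name}: no CA configured, API server cert cannot be verified")

    for name, u in users.items():  # client parameters: cert + key (or a bearer token)
        if "token" in u:
            findings.append(f"user {name}: static bearer token embedded in kubeconfig")
        if "client-certificate-data" in u and pem_label(u["client-certificate-data"]) != "CERTIFICATE":
            findings.append(f"user {name}: client-certificate-data is not a PEM certificate")
        if "client-key-data" in u and "PRIVATE KEY" not in (pem_label(u["client-key-data"]) or ""):
            findings.append(f"user {name}: client-key-data is not a PEM private key")

    cur = cfg.get("current-context")  # context wiring
    ctx = contexts.get(cur)
    if ctx is None:
        findings.append(f"current-context {cur!r} is not defined")
    else:
        if ctx.get("cluster") not in clusters:
            findings.append(f"context {cur}: references unknown cluster {ctx.get('cluster')!r}")
        if ctx.get("user") not in users:
            findings.append(f"context {cur}: references unknown user {ctx.get('user')!r}")
    return findings


def embedded_private_keys(cfg):
    """Users whose private key is stored inside the kubeconfig itself. Such a file is a
    credential: protect it like a password (mode 0600, not shared or published)."""
    return [u["name"] for u in cfg.get("users", []) if "client-key-data" in u.get("user", {})]


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_KUBECONFIG), ("weak", WEAK_KUBECONFIG)):
        print(f"[{label}] findings:", audit_kubeconfig(cfg) or "none")
        print(f"[{label}] users with embedded private keys:", embedded_private_keys(cfg))
```

The blobs in the file printed above contain line-wrap spaces from rendering; a real kubeconfig has none, and pem_label() rejects them because it decodes with validate=True. Note that the admin kubeconfig carries the client private key inline, which is why /root/.kube/config should stay readable by root only.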
Step 2
serviceAccount
Containers in a Pod access the API Server. Because Pods are created and destroyed dynamically, generating certificates for them by hand is not feasible. Kubernetes uses the Service Account to solve the problem of authenticating Pods to the API Server.
The relationship between Secrets and SAs
Kubernetes designed a resource object called Secret, of two kinds: service-account-token, used for ServiceAccounts, and Opaque, used to hold user-defined confidential information. The Secret a ServiceAccount uses is made up of three parts: token, ca.crt, namespace.
token: a JWT signed with the API Server's private key; when the Pod accesses the API Server, the server side authenticates it. ca.crt: the root certificate, used by the client side to verify the certificate the API Server presents.
namespace: identifies the namespace this service-account-token is scoped to.
So how do we look at a serviceAccount?
Generally, any Pod picked at random from kube-system seems to have one.
[root@k8s-master01 ~]# kubectl get pod -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-699cc4c4cb-5gzzv 1/1 Running 1 31h
coredns-699cc4c4cb-nd7nb 1/1 Running 1 31h
etcd-k8s-master01 1/1 Running 26 26d
kube-apiserver-k8s-master01 1/1 Running 28 26d
kube-controller-manager-k8s-master01 1/1 Running 30 26d
kube-flannel-ds-amd64-v8bkz 1/1 Running 0 30h
kube-flannel-ds-amd64-w2qp2 1/1 Running 1 30h
kube-flannel-ds-amd64-xsq8h 1/1 Running 23 12d
kube-proxy-4lwzp 1/1 Running 25 26d
kube-proxy-m6bsz 1/1 Running 23 26d
kube-proxy-xqhhg 1/1 Running 23 26d
kube-scheduler-k8s-master01 1/1 Running 30 26d
Let's pick this proxy; it looks like it was deployed by a Deployment or StatefulSet, so choose any one of the proxy Pods.
[root@k8s-master01 ~]# kubectl exec kube-proxy-4lwzp -n kube-system -it -- /bin/sh
# ls /run/secrets/kubernetes.io/serviceaccount
ca.crt namespace token
Then let's look at the token in this serviceaccount.
# cat /run/secrets/kubernetes.io/serviceaccount/token
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlLXByb3h5LXRva2VuLWc0N2M1Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6Imt1YmUtcHJveHkiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJmZGY5YWU5MS03Mzg0LTQ0NzYtOWNkYS1hZmZmOTk2Nzc5MzciLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06a3ViZS1wcm94eSJ9.voSwp99YjTjGoLRldaKoHklAFocssChj4FIrNyjgyFayV0OouvheTo-O0TzM-myukVcZkKGAL2oGMbuzkMexN5u2-tUtIvb3jloZfUN8wvKSOaW3ZTxBqyP6ALKcDyJui6-ttY9yOEiiVzOOmj9JOQ3iqNlSZxF8dUixlYRfjI1v6Sdj4c9TD9HS9qnWAeu5yqJDpjHLCT3B8mZomw6fIoR5-EKbvyk38dyT5FtUE8NutjUg9Ota7YcrmqBm-MEmJUOWbOHbYD-lC1gAfB4591iOyVBptJVcJd-d8pcOpw8XrwIVonukqpGLvvhz_oXH8gMiMCPXgw4NWqxjCKBmQQ
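The token printed above is a JWT, so its header and claims can be read without the signing key; only the API server can verify the signature. The following is an added example, not code from the original post: it decodes a service-account token, reports the issuer, subject, namespace and ServiceAccount name, and flags what a reviewer cares about: a missing exp claim (the legacy Secret-based token, which stays valid until its Secret is deleted), a missing aud claim, expiry, and alg=none. It reads the token mounted at /run/secrets/kubernetes.io/serviceaccount when run inside a Pod and otherwise falls back to a constructed token with the same claim layout as the kube-proxy token above and a dummy signature; the secret name, uids and the projected-token claims are constructed placeholders.

```python
"""Inspect a Kubernetes service-account token (JWT) without verifying it."""
import base64
import json
import os
import time

SA_DIR = "/run/secrets/kubernetes.io/serviceaccount"


def _b64url_decode(segment):
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims, alg="RS256"):
    """Constructed token with a dummy signature: same layout as a real one, not a credential."""
    header = _b64url_encode(json.dumps({"alg": alg, "kid": ""}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return ".".join([header, payload, _b64url_encode(b"dummy-signature")])


# Claim layout of a legacy Secret-based token, as in the kube-proxy token above
# (secret name and uid are constructed placeholders).
LEGACY_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/secret.name": "kube-proxy-token-xxxxx",
    "kubernetes.io/serviceaccount/service-account.name": "kube-proxy",
    "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-0000-0000-000000000000",
    "sub": "system:serviceaccount:kube-system:kube-proxy",
}


def bound_claims(now=None):
    """Claim layout of a projected (TokenRequest) token: time-limited, audience- and pod-bound."""
    now = int(time.time() if now is None else now)
    return {
        "iss": "https://kubernetes.default.svc",
        "aud": ["https://kubernetes.default.svc"],
        "iat": now, "nbf": now, "exp": now + 3600,
        "kubernetes.io": {"namespace": "default",
                          "pod": {"name": "app-0", "uid": "11111111-1111-1111-1111-111111111111"},
                          "serviceaccount": {"name": "app", "uid": "22222222-2222-2222-2222-222222222222"}},
        "sub": "system:serviceaccount:default:app",
    }


def inspect_token(token, now=None):
    """Decode header and claims WITHOUT checking the signature and report review-relevant facts."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    warnings = []
    if str(header.get("alg", "")).lower() == "none":
        warnings.append("alg=none: token is unsigned")
    if "exp" not in claims:
        warnings.append("no exp claim: legacy Secret-based token, valid until the Secret is deleted")
    elif claims["exp"] < now:
        warnings.append("token has expired")
    if "aud" not in claims:
        warnings.append("no aud claim: token is not bound to an audience")
    # Namespace and SA name live in different claims for legacy vs. projected tokens.
    projected = claims.get("kubernetes.io", {})
    return {
        "alg": header.get("alg"),
        "issuer": claims.get("iss"),
        "subject": claims.get("sub"),
        "namespace": claims.get("kubernetes.io/serviceaccount/namespace") or projected.get("namespace"),
        "service_account": (claims.get("kubernetes.io/serviceaccount/service-account.name")
                            or projected.get("serviceaccount", {}).get("name")),
        "bound_to_pod": projected.get("pod", {}).get("name"),
        "warnings": warnings,
    }


def read_mounted_token(sa_dir=SA_DIR):
    """Return the token mounted into the running Pod, or None when run outside a Pod."""
    path = os.path.join(sa_dir, "token")
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


if __name__ == "__main__":
    token = read_mounted_token() or make_sample_token(LEGACY_CLAIMS)
    print(json.dumps(inspect_token(token), indent=2))
    print(json.dumps(inspect_token(make_sample_token(bound_claims())), indent=2))
```

Applied to the kube-proxy token printed above, the header decodes to alg RS256 and the claims carry iss kubernetes/serviceaccount and sub system:serviceaccount:kube-system:kube-proxy with no exp or aud, so that Secret-based token never expires on its own and grants whatever RBAC binds to kube-proxy until the Secret is removed. Since Kubernetes 1.24 such token Secrets are no longer created automatically and Pods receive projected tokens, which the second output shows: an expiry, an audience, and a binding to the Pod's name and uid.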
Keywords: Kubernetes, security, authentication